How does OPSEC LEA connectivity work?


This article applies to:

  • Firewall Suite 4.X

Question:

How does OPSEC LEA connectivity work?

Information:

Check Point firewalls maintain two binary log event databases on the firewall or management console. The standard database and the accounting database record traffic according to the firewall rule set. Firewall Suite provides a method of connecting to this log database and downloading the log files in a format that the Firewall Suite tool can read.

This database connectivity is provided by a secondary Windows service that uses the Check Point-developed OPSEC LEA interface. The Firewall Suite application starts a secondary service (WTLeaService.exe) upon creation of a profile that is configured to use OPSEC LEA.

Once the LEA service is started, it connects to the firewall on TCP port 18184 and continuously polls the firewall for new log record data. It is fault tolerant in that it records its last-known position in the database. Because of this, Firewall Suite is capable of reconnecting to the firewall and resuming transfer of log records in the case of communication failure. If the LEA connection is dropped for any reason, the service will attempt to re-connect every five minutes.

The Firewall Suite LEA service writes the contents of the two databases in two different log files, placed in the following directory:

    [FWS_Installation_Directory]\LeaCache\IPAddress.dat

The files are named as follows:

  • datestamp.log
  • datestamp_a.log.

Further, Firewall Suite maintains two last_record lists, one for each database.

When you press the View syslog/LEA button, Firewall Suite looks at the incoming data stream on port 18184 and displays any data being placed there by the firewall.

This article was previously published as:
NETIQKB563

Last Modified 4/13/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10551.aspx