Troubleshooting OPSEC Connectivity

Overview

To monitor Check Point management servers, SecureTrack requires OPSEC connectivity. If there is a connectivity problem with the monitored device, and you have eliminated other causes, try the following steps in the order in which they appear. After each step, check whether the problem persists; if it does, continue to the next step.

Determine Connectivity Issue

  1. In SmartDashboard, make sure there is an OPSEC object for SecureTrack.

  2. In SmartDashboard, open the OPSEC object, and make sure that the following settings are correct:

    1. In the General tab, under Client Entities, LEA and CPMI should both be selected.

    2. In the CPMI Permissions tab, there should be a read-only Permissions Profile.

    3. In the General tab, click Communication, and make sure that the trust state is either Communicating or Trust Established.

      • If the trust state is Initialized but trust not established, and you know the Activation Key that was configured in the OPSEC object: perform Install Database, then in SecureTrack edit the monitored device and establish trust by typing the Activation Key and clicking Retrieve Certificate.

      • If the trust state is Uninitialized, or it is Initialized but trust not established and you do not know the Activation Key that was configured in the OPSEC object: set an Activation Key and click Initialize. Then perform Install Database, and in SecureTrack edit the monitored device and establish trust by typing the Activation Key and clicking Retrieve Certificate.

    4. In SmartDashboard, from the Policy menu, select Install Database (even if you did not make any changes, in case this step was previously forgotten). Make sure you receive a confirmation message: Database Installation succeeded.

  3. Stop and then start the device in SecureTrack. Check whether the problem has been resolved.

  4. On the Check Point management server, using vi or any other text editor, edit the following file:

    $FWDIR/conf/fwopsec.conf

    In Provider-1, before opening the file, set the shell to the correct CMA (with mdsenv <cma>).

    • The line containing cpmi_server auth_port should either be commented out with # (the default setting), or uncommented with the default port number 18190.

    • The line containing lea_server auth_port should either be commented out with # (the default setting), or uncommented with the default port number 18184.

    • If you made any changes to the file, on the management server run cpstop and then cpstart (in Provider-1: mdsstop <cma> and then mdsstart <cma>).

  5. On the Check Point management server, using vi or any other text editor, edit the following file:

    $CPDIR/conf/sic_policy.conf

    In Provider-1, before opening the file, set the shell to the correct CMA (with mdsenv <cma>).

    • Search for the line containing LEA_clients, in the following form:

      ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp

      This line should be active (not commented out with #) and should contain sslca.

    • Right below the previous line, you should see a line containing CPMI_clients, in similar form:

      ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp

      This line should also be active (not commented out with #) and should contain sslca.

    • If you made any changes to the file, on the management server run cpstop and then cpstart (in Provider-1: mdsstop <cma> and then mdsstart <cma>).

  6. Stop and then start the device in SecureTrack. Check whether the problem has been resolved.
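The file checks in steps 4 and 5, as an added shell helper that is not part of this page or of Tufin's or Check Point's software. It assumes the paths named above ($FWDIR/conf/fwopsec.conf and $CPDIR/conf/sic_policy.conf, after mdsenv <cma> on Provider-1) and runs here against constructed sample files, one of which has a changed LEA port and a commented-out CPMI rule.

```shell
# Added helper (not Tufin's or Check Point's code): checks fwopsec.conf and
# sic_policy.conf for the settings listed in steps 4 and 5. Point run_checks at the
# real conf directory on the management server; constructed samples are used below.
# check_opsec_port FILE SERVER PORT: 0 if "<SERVER> auth_port" is commented out
# (the default) or set to PORT; otherwise print the offending line and return 1.
check_opsec_port() {
  file=$1; server=$2; want=$3
  line=$(grep -E "^[[:space:]]*${server}[[:space:]]+auth_port" "$file" | tail -n 1)
  if [ -z "$line" ]; then return 0; fi         # absent or '#'-commented = default
  port=$(printf '%s\n' "$line" | awk '{print $3}')
  if [ "$port" = "$want" ]; then return 0; fi
  echo "$file: '$line' uses port $port, expected $want (or comment the line out)"
  return 1
}
# check_sic_clients FILE GROUP: 0 if an active (uncommented) rule for GROUP exists
# and its method list includes sslca (sslca_comp alone does not count).
check_sic_clients() {
  file=$1; group=$2
  line=$(grep -E "^[^#]*;[[:space:]]*${group}[[:space:]]*;" "$file" | tail -n 1)
  if [ -z "$line" ]; then
    echo "$file: no active rule for $group (missing or commented out)"; return 1
  fi
  if printf '%s\n' "$line" | grep -qE '(^|[[:space:],;])sslca([[:space:],]|$)'; then
    return 0
  fi
  echo "$file: rule for $group does not list sslca: $line"; return 1
}
# run_checks DIR: all four checks against DIR/fwopsec.conf and DIR/sic_policy.conf.
run_checks() {
  rc=0
  check_opsec_port "$1/fwopsec.conf" cpmi_server 18190 || rc=1
  check_opsec_port "$1/fwopsec.conf" lea_server 18184 || rc=1
  check_sic_clients "$1/sic_policy.conf" LEA_clients || rc=1
  check_sic_clients "$1/sic_policy.conf" CPMI_clients || rc=1
  return $rc
}
# Constructed samples: LEA port changed to 18185 and the CPMI rule commented out,
# so two of the four checks report a problem (sets SAMPLE_DIR).
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  printf '# cpmi_server auth_port 18190\nlea_server auth_port 18185\n' > "$SAMPLE_DIR/fwopsec.conf"
  printf 'ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp\n# ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp\n' > "$SAMPLE_DIR/sic_policy.conf"
}
make_samples
if run_checks "$SAMPLE_DIR"; then echo "OPSEC settings match the defaults"; fi
```

On a real server, run `run_checks "$FWDIR/conf"` only after copying or linking sic_policy.conf beside fwopsec.conf, or call the two check functions directly with the full paths.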