Does anyone have their RealSecure sensor sending SAM requests to a CheckPoint R55 Management which handles a cluster?
I did the following already.

Fw putkey -opsec x.x.x.x for my ids sensor
Opsec_putkey -port fw x.x.x.x for my smartcenter management
Successful authentication

Tested sending a sam request in smartview monitor to my modules for notify, this worked.
Set up response for opsec for notify.
Set up a rule to use opsec.

I see the following error messages in the log on my IDS module.

Jun 28 13:54:12 ids_1 ISS[4301]: (network_sensor_1) - send_sam_action( 4, 2, FW_Cluster, 2, 0, 0x0, 0x0, 0, 6 )
Jun 28 13:54:12 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_1 0/2
Jun 28 13:54:12 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_2 1/2
Jun 28 13:54:13 ids_1 ISS[4301]: (network_sensor_1) - send_sam_action( 4, 2, FW_Cluster, 2, 0, 0x0, 0x0, 0, 6 )
Jun 28 13:54:13 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_1 0/2
Jun 28 13:54:13 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_2 1/2
Jun 28 13:54:13 ids_1 ISS[4301]: (network_sensor_1) - send_sam_action( 4, 2, FW_Cluster, 2, 0, 0x0, 0x0, 0, 6 )
Jun 28 13:54:13 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_1 0/2
Jun 28 13:54:13 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_2 1/2
Jun 28 13:54:14 ids_1 ISS[4301]: (network_sensor_1) - send_sam_action( 4, 2, FW_Cluster, 2, 0, 0x0, 0x0, 0, 6 )
Jun 28 13:54:14 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_1 0/2
Jun 28 13:54:14 ids_1 rsopsecd[4302]: rsopsec_sam_session::sam_ack_event SAM_MODULE_FAILED FW_2 1/2

Tracker logs show it failing as well. But what I'm most concerned about is the 0x0, 0x0, which I believe is any,any in a SAM request. How come I don't see the source of the attacker? Is there anything I need to do on the smartcenter to allow the commands to pass?
Derek O'Flynn
