CheckPoint Firewall & Microsoft Sentinel: Troubleshoot Data Connector Disconnected

Hi everyone, hope you are all staying safe and keeping yourselves healthy. I would like to share another troubleshooting experience of mine.

I noticed that the CheckPoint connection status showed as disconnected in the data connector page of the Microsoft Sentinel portal, so I put on my thinking hat to troubleshoot the issue. It was tricky, but luckily the troubleshooting command gave me some hints about what was causing the disconnection.

My findings were:

  1. The Syslog connector still existed
  2. The CheckPoint Firewall forwarder connector was not found

My next troubleshooting steps were:

  1. I ran the troubleshooting command provided on the Microsoft Sentinel data connector page for CheckPoint on the Syslog connector VM (CentOS)
  2. It told me that I needed to change the Syslog VM's SELinux mode to permissive
  3. The SELinux mode is set in the file /etc/selinux/config; open it with the following command:
    • vi /etc/selinux/config
  4. Change SELINUX=enforcing to SELINUX=permissive
  5. Press the “ESC” key on your keyboard
  6. Type the command to save and quit: :wq!
  7. Press the “ENTER” key on your keyboard
  8. Restart the VM by typing the command sudo reboot
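The edit in steps 3 to 7 above, done as a small script instead of in vi. This is an added example, not part of the original post; it assumes a POSIX sh on the CentOS VM and takes the config file path as an argument, so the demo runs against a constructed copy rather than the real /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the original post): read and set the persistent
# SELinux mode in an /etc/selinux/config-style file without an editor.

# Print the configured mode (enforcing, permissive or disabled) from the
# SELINUX= line, ignoring comments, whitespace and the SELINUXTYPE= line.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line to MODE (or append one if it is missing).
# Idempotent; the file is rewritten through cat so it keeps its owner,
# permissions and SELinux label. The value applies at the next boot; the
# live mode is shown by getenforce and changed at runtime by setenforce.
selinux_set_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown SELinux mode: $mode (expected enforcing, permissive or disabled)" >&2
           return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
    else
        { cat "$file"; printf 'SELINUX=%s\n' "$mode"; } > "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed copy of a CentOS /etc/selinux/config (sample data,
# not the author's file), so nothing on the host is modified.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    echo "configured mode before: $(selinux_configured_mode "$f")"
    selinux_set_mode "$f" permissive
    echo "configured mode after:  $(selinux_configured_mode "$f")"
    rm -f "$f"
}
demo
```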

The first issue was resolved, but a second issue was reported: it said I would need to disable auto-sync to prevent duplicate records being synced to Microsoft Sentinel. Hence, the next steps were:

  1. Type the following command: sudo su omsagent -c 'python2 /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
  2. Restart the VM by typing the command sudo reboot

You might not like my idea of rebooting the Syslog connector VM; no worries, you can follow along by restarting the service instead.

Note:

Kindly note that the commands above may not suit your situation, because different Linux distributions have their own commands. Anyway, the concept is pretty much common sense.

References:

  1. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
  2. https://learn.microsoft.com/en-us/azure/sentinel/troubleshooting-cef-syslog?tabs=cef

Author: sabrinaksy

Just an ordinary lady who loves what she does best.