Check Point administrators rejoice, Splunk Add-on for OPSEC LEA 2.1.0 has been released! The free update provides useful improvements to almost every aspect of the add-on.
User Interface
The old OPSEC interface has been completely overhauled and streamlined. The interface is no longer stuck in the past and should look right at home on your Splunk 6 search heads.
The manage connections page now offers a much more powerful overview of your Check Point connections. As you can see on the screenshot, every connection has a set of metrics available. These differ based upon the connection type. An audit connection displays the timestamp of the last event collected. A normal connection displays throughput over the last 24 hours and the last 15 minutes. Simply clicking on a table row will display these metrics. These searches also employ accelerated data models, so they’re quite fast. We hope these metrics will save you from constantly running searches for more information about your connections.
There are additional improvements for larger Check Point deployments. Have a hundred connections? That’s unfortunate, but connection name filtering is here to help! A quick search in the filter bar can whittle down the number of connections. Pagination helps keep the list of connections readable, only displaying twenty connections at a time. Finally, most of the columns can be sorted. This is particularly helpful when you need to group your connections by connection type.
With the old add-on, it was very time consuming to create a connection to a dedicated log server. As you may know, Check Point log servers don’t have a certificate authority. Dealing with this required an ugly workaround to pull the certificate from the MDS. We’re very happy to say that the new workflow fixes this problem! With the new version, the MDS can be specified directly in the pull cert workflow. Pulling a cert will also no longer lock your browser with a synchronous AJAX request!
Performance
Connections now support online (realtime) mode. This helps decrease latency, since events are pulled as soon as possible. The add-on typically waits 30 seconds between trips to the Check Point server. However, note that completely saturated connections will probably not gain much performance. Try experimenting with this feature to see if it will actually improve performance for your connections.
The new version is available at http://apps.splunk.com/app/1454/ and is completely free! I would like to thank Caleb, Alex, Cary and Roussi and the rest of the team for all the hard work they put into this new release. Happy Splunking!