Configuring a CLM to receive logs across Multiple SIC Domains

[mcarey]

Two CMA's in provider-1. Customer has firewalls in both CMA's and doesn't want to bring up another CLM so I need to get firewalls from two different CMA's to log to one firewall.

I was given a procedure which worked for me in one environment, but not in another. CLM is behind a firewall, and is NAT'd to a public address, so I send my logs from my gateways to the Public Address. However, it doesn't seem to work across CMA's. I'm wondering if it is an issue with the SSL (vs. SSLCA) where the keys are not getting exchanged because the IP address's don't match when the traffic arrives at the CLM???

Also, is there a tcpdump feature in CLM on Windows?

[cciesec2006]

Under the CMA properties in the Dashboard NAT section, there is a check
box to tell the firewall that this host is a CMA?

This is a KNOWN issue. I had this conversation way back in 2004. The
issue becomes worse especially if the NAT device is a Cisco Pix.

I think you have to use the "dummy object" approach for this. There is a
a Checkpoint sk for this.

[mcarey]

I did the "fw putkey -p password clm" using the private IP address and it worked.