CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: how to make the gateway send logs to the domain server public ip

  1. #1 (Join Date: 2013-09-20 | Posts: 5 | Rep Power: 0)

    Hi


    I have an MDSM server and a domain server added to it; they are behind a NAT device. I also have a gateway at another site, also behind a NAT device. The gateway is communicating with the MDSM fine, but I cannot make it send the logs to its management server. I can change policies and push to the gateway perfectly fine, but when I do fw fetch name-of-server it tries to communicate with the internal domain server IP, and I do not know how to make it communicate with the public IP assigned to it, which is NATed to that internal IP. How can I make the gateway communicate with the management server's public IP and not the private one?

    When I run tcpdump on port 257 I see that it tries to send the logs to the private IP of the domain management server, which was set when I added it in the MDSM initially and cannot be edited.

    Thanks in advance if anyone can help
    [Attached screenshots: 2.JPG, 1.JPG, 4.JPG]

  2. #2 (Join Date: 2014-01-12 | Posts: 30 | Rep Power: 0)

    Try editing $FWDIR/conf/masters

    https://supportcenter.checkpoint.com...tionid=sk38848

    "Verify the contents of $FWDIR/conf/masters file on Security Gateway"

    It can take a hostname or IP address in the relevant section.

  3. #3 (Join Date: 2013-09-20 | Posts: 5 | Rep Power: 0)

    Thanks for the reply. I did try this using another SK and put the external IP on the SMS, but the firewall still kept sending to the old internal IP. Plus, when you re-push the policy that setting is reverted automatically.

  4. #4 (Join Date: 2007-06-04 | Posts: 3,314 | Rep Power: 17)

    That setting is overwritten unless you say to use the local definition for the Masters.

    Otherwise, define a Check Point Host and enable the Secondary Management Server and Logging.

    Then, under the Gateway definition, specify the secondary Management Server node as the place to log to and also for Fetch Policy.

  5. #5 (Join Date: 2011-08-02 | Location: http://spikefishsolutions.com | Posts: 1,657 | Rep Power: 10)

    I'm not sure if this is the correct way to do this (but it is the most disgusting, so that's a plus) or if this is what mcnallym is saying (I think it is), but what you can do is create a dummy Check Point object with logging enabled. Don't worry about SIC. For the IP of the dummy object put the external NAT IP you have, then use this object in the destination field of your NAT rule. Next, point the translated IP to your real internal CLM/CMA/Management Server. On the firewall, tell it to send logs to this dummy log server and then it should work.

    I don't know if that is the correct way to do it, but I know it works.
    Last edited by jflemingeds; 2014-05-02 at 09:36. Reason: dramatic chimpmunk edit

  6. #6 (Join Date: 2005-11-25 | Location: United States, Southeast | Posts: 857 | Rep Power: 15)

    Quote Originally Posted by jflemingeds View Post
    I'm not sure if this is the correct way to do this or if this what mcnallym is saying (i think it is), but what you can do is create a dummy checkpoint object with logging enabled. Don't worry about sic. For the IP of the dummy object put the external NAT IP you have, then use this object in the dest field of your nat rule. Next point the translated IP to your real internal CLM/CMA/Management Server. On the firewall tell it to send logs to this dummy log server and then it should work.
    Please don't do this. Such a disgusting solution. It clutters up SmartView Monitor, amongst other things.


    There are two solutions:


    1. Implicit behavior; assumes anti-spoofing and routing are configured to best practices (minimalistic).

    Simply have correct routing and anti-spoofing. It should figure out and use the Automatic NAT IP if the private IP is not behind the gateway; included in Anti-Spoofing/Topology.

    Don't use any wide sweeping summary routes like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 in routing or Anti-spoofing.


    OR

    2. Manual NAT rule

    Make sure your routing will send packets to the log server's private IP out the appropriate interface (Internet router). Then you can add a Manual NAT rule that says:

    Original Source: the gateway's external IP (likely the gateway's Check Point object)
    Original Destination: the Check Point object of the log server
    Original Service: Any
    Translated Source: Original
    Translated Destination: host object holding the log server's public IP
    Translated Service: Original

    If this is for a cluster, then include a group, with cluster members, in the source; or make two separate NAT rules, one for each cluster member.
    Remember that Firewall policy implicitly includes the IPs from topology, but NAT rules ignore topology and only use the IP Address from the object's General Properties.

    You may have to restart Check Point (cpstop and cpstart) to clear any previous NAT/non-NAT decisions.


    Validate using netstat (or ss) and tcpdump.

    tcpdump -nn -i ExternalInterfaceNameHere -s0 -p port 257

    netstat -anp | grep :257
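
The distinction post #6 draws between the access policy (which honours an object's topology) and the NAT rule base (which looks only at the IP in General Properties) decides whether the manual NAT rule above ever fires, and it is the reason a cluster needs its members, not just the cluster object, in the source column. The following is an added example by the editor, not Check Point's NAT engine or code from the thread: a small Python model of that matching rule run over hypothetical objects (gw-siteB, cluster-siteB, gwB-1/gwB-2, cma-siteA and the addresses 198.51.100.x, 10.10.10.5, 203.0.113.5 are all invented).

```python
"""Model of the NAT-vs-policy matching rule described in post #6: a manual NAT
rule matches on the IP in an object's General Properties only, while the
access policy also honours the object's topology. All objects and addresses
below are hypothetical example data; this is not Check Point's NAT engine."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CPObject:
    """A Check Point host, gateway or cluster object (hypothetical)."""
    name: str
    main_ip: str                      # General Properties IP address
    topology: Tuple[str, ...] = ()    # interface networks (anti-spoofing)

    def matches_policy(self, ip: str) -> bool:
        """Access policy: main IP or any address inside the topology."""
        addr = ipaddress.ip_address(ip)
        return ip == self.main_ip or any(
            addr in ipaddress.ip_network(net) for net in self.topology)

    def matches_nat(self, ip: str) -> bool:
        """NAT rule base: only the General Properties IP is considered."""
        return ip == self.main_ip


@dataclass(frozen=True)
class ManualNatRule:
    """One manual NAT rule; a group is just several objects in a column."""
    orig_src: Tuple[CPObject, ...]
    orig_dst: Tuple[CPObject, ...]
    xlate_dst: Optional[str]              # None keeps the original destination
    orig_service: Optional[int] = None    # None = Any


def apply_manual_nat(rules, src_ip, dst_ip, dport):
    """Return (destination IP after NAT, index of the matching rule or None).
    The first matching rule wins, as in the NAT rule base."""
    for idx, rule in enumerate(rules):
        if rule.orig_service is not None and rule.orig_service != dport:
            continue
        if not any(o.matches_nat(src_ip) for o in rule.orig_src):
            continue
        if not any(o.matches_nat(dst_ip) for o in rule.orig_dst):
            continue
        return (rule.xlate_dst or dst_ip, idx)
    return (dst_ip, None)


# Hypothetical objects: the remote gateway, a cluster variant of it, the
# log server (private IP) and the public IP the ASA translates to.
GATEWAY = CPObject("gw-siteB", "198.51.100.10", topology=("10.20.0.0/24",))
CLUSTER = CPObject("cluster-siteB", "198.51.100.20")          # cluster VIP
MEMBER1 = CPObject("gwB-1", "198.51.100.21")
MEMBER2 = CPObject("gwB-2", "198.51.100.22")
LOG_SERVER = CPObject("cma-siteA", "10.10.10.5")
LOG_SERVER_PUBLIC_IP = "203.0.113.5"

# The rule from post #6: gateway -> log server object, any service,
# translated destination = host object holding the public IP.
RULES_SINGLE = (ManualNatRule((GATEWAY,), (LOG_SERVER,), LOG_SERVER_PUBLIC_IP),)
# Cluster, wrong: only the cluster object in the source column.
RULES_CLUSTER_ONLY = (ManualNatRule((CLUSTER,), (LOG_SERVER,), LOG_SERVER_PUBLIC_IP),)
# Cluster, right: a group of the members in the source column.
RULES_CLUSTER_GROUP = (ManualNatRule((MEMBER1, MEMBER2), (LOG_SERVER,), LOG_SERVER_PUBLIC_IP),)


def demo():
    """Run the scenarios from post #6 and return the outcomes."""
    return {
        # log traffic (TCP 257) from the gateway's own external IP: translated
        "gateway_log_traffic": apply_manual_nat(RULES_SINGLE, "198.51.100.10", "10.10.10.5", 257),
        # a member's own IP is not the cluster object's IP: rule never fires
        "member_with_cluster_only": apply_manual_nat(RULES_CLUSTER_ONLY, "198.51.100.21", "10.10.10.5", 257),
        # with the members in the source column it fires again
        "member_with_group": apply_manual_nat(RULES_CLUSTER_GROUP, "198.51.100.21", "10.10.10.5", 257),
        # an address from the gateway's topology: policy sees it, NAT does not
        "topology_policy": GATEWAY.matches_policy("10.20.0.7"),
        "topology_nat": GATEWAY.matches_nat("10.20.0.7"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `member_with_cluster_only` scenario is the failure mode post #6 warns about: the rule looks correct in SmartDashboard, but because NAT matching ignores topology, a connection sourced from a member's own address never matches a rule whose source is the cluster object alone.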

  7. #7 (Join Date: 2013-09-20 | Posts: 5 | Rep Power: 0)

    Thank you for the help so far.

    I did try the dummy object and it worked initially but when I was pushing the policy again it was reverting to the private IP of my domain server.

    I will try the NAT - thanks for that.

    The MDSM is behind Cisco ASA so all the translation should happen on the ASA and the MDSM and the domain server should have private IPs.

    The guys from Check Point (it looks like their support hasn't seen MDSM) are trying to convince me that I need public IPs for the domain servers, meaning to put a public IP when I am adding the domain server in MDSM. That doesn't make any sense to me (the MDSM would be in the internal network behind a firewall; why would I want to connect it to the outside interface to be able to assign a public IP to the VM?).

    Can you please confirm whether it is possible to have private IPs for the MDSM and CMA, or is it true that I need only public IPs for these when I am creating the CMAs? The CP guy is constantly pointing me to the installation guide, which isn't clear enough, and I have the feeling that he has never seen MDSM in his life.

    I am doing all the needed NAT translation on the ASA and have public IPs for my management server.


    [Attached screenshot: Capture.JPG]

  8. #8 (Join Date: 2011-08-02 | Location: http://spikefishsolutions.com | Posts: 1,657 | Rep Power: 10)

    Quote Originally Posted by tme45 View Post
    [post #7 above, quoted in full]

    For sure, confirmed by multiple people that you can have private IPs on your management server and get logs to them from a public IP. I think the problem is you're jumping around between solutions. Pick one and stick with it until it's fixed. I know it's confusing, since there are at least 3 SKs that describe the disgusting solution I brought up and maybe 2 more that describe the other solution that everyone else is saying. Maybe go with that one. Get everything set up like you think it should be, then take more screenshots.

  9. #9 (Join Date: 2013-09-20 | Posts: 5 | Rep Power: 0)

    Thanks a lot to all.

  10. #10 (Join Date: 2011-08-02 | Location: http://spikefishsolutions.com | Posts: 1,657 | Rep Power: 10)

    So does that mean you got it working? What was the final fix if so?

  11. #11 (Join Date: 2013-09-20 | Posts: 5 | Rep Power: 0)

    I tried all of these. I created the dummy object and that worked partly: I was getting the logs, but if I reboot or push the policy again the firewall starts sending to the internal IP again.
    So I had to make a policy change and push again; then the firewall starts sending to the public IP. Not a good solution for me, obviously.

    I tried the NAT, but it didn't work.

    The implicit behaviour option was not clear enough for me; I have a very simple environment with one subnet only, so I couldn't see what could be improved there.

    I am pretty much giving up. Check Point support are beyond a laugh!

    posting this in case some bright mind comes up with something

    Thanks

  12. #12 (Join Date: 2011-08-02 | Location: http://spikefishsolutions.com | Posts: 1,657 | Rep Power: 10)

    Yeah, I'm not sure the automatic NAT option will work, since your Internet firewall isn't a Check Point. I have a feeling the dummy object is your only option.

    Anyone have thoughts on that? If you want, I'll help you out with that. Just get everything set up and we'll have to see what is changing after a policy push/reboot. The only thing I can think of is that for some reason it's losing access to the external IP and then falling back to the internal IP.

    I think I may have missed a step as well. I'm thinking the dummy object should have management as well as logging, so you can pull a new policy on reboot.
    Last edited by jflemingeds; 2014-05-12 at 10:44.
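
Posts #2 to #4 point at $FWDIR/conf/masters as the place the gateway learns its log target, post #3 and #11 report it reverting after a policy push or reboot, and post #6 gives tcpdump/netstat on port 257 as the check. The script below is an added example by the editor, not part of the thread: it reads a masters-style file and a `netstat -an` snapshot and reports whether the configured [Log] entry and the live port-257 traffic both point at the public IP, so it can be re-run after each push or reboot to see what changed. The masters layout assumed here ([Policy]/[Log]/[Alert] sections holding one host name per line), the `hosts` map standing in for /etc/hosts resolution, and all names and addresses (cma-siteA, 10.10.10.5, 203.0.113.5, 198.51.100.10, the "fwd" process) are assumptions and constructed sample data; check the real file format against sk38848 on your own gateway.

```python
"""Compare where a gateway is configured to send logs ($FWDIR/conf/masters)
with where it is actually sending them (netstat snapshot, TCP 257).
The masters layout and all sample data below are assumptions/constructed."""
import ipaddress
import re
from typing import Dict, List


def parse_masters(text: str) -> Dict[str, List[str]]:
    """Return {section: [host names]} from a masters-style file.
    Assumed layout: [Policy], [Log], [Alert] headers, one host name per line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_port_connections(netstat_text: str, port: int) -> List[dict]:
    """Pick TCP connections whose foreign side is :port out of `netstat -an` output."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "tcp":
            continue                        # skip headers, udp, listeners etc.
        local, foreign = parts[3], parts[4]
        remote_ip, _, remote_port = foreign.rpartition(":")
        if remote_port == str(port):
            state = parts[5] if len(parts) > 5 else ""
            found.append({"local": local, "remote_ip": remote_ip, "state": state})
    return found


def check_log_destination(masters_text, hosts, netstat_text, expected_public_ip):
    """Report the configured [Log] target(s), observed port-257 peers and any
    mismatch against the public IP the gateway should be using.
    `hosts` plays the role of /etc/hosts resolution on the gateway."""
    problems = []
    targets = []
    for name in parse_masters(masters_text).get("Log", []):
        ip = hosts.get(name)
        targets.append((name, ip))
        if ip is None:
            problems.append(f"[Log] {name} does not resolve")
        elif ip != expected_public_ip:
            kind = "private" if ipaddress.ip_address(ip).is_private else "unexpected"
            problems.append(f"[Log] {name} resolves to {kind} {ip}, expected {expected_public_ip}")
    observed = parse_port_connections(netstat_text, 257)
    for conn in observed:
        if conn["remote_ip"] != expected_public_ip:
            problems.append(f"port 257 traffic to {conn['remote_ip']} ({conn['state']}), "
                            f"expected {expected_public_ip}")
    return {"log_targets": targets, "observed": observed, "problems": problems}


# Constructed sample data (not from a real gateway).
EXPECTED_PUBLIC = "203.0.113.5"      # public IP the ASA translates to the CMA
MASTERS = """\
[Policy]
cma-siteA
[Log]
cma-siteA
[Alert]
cma-siteA
"""
# Before: the name resolves to the private IP and fwd keeps retrying it.
HOSTS_BEFORE = {"cma-siteA": "10.10.10.5"}
NETSTAT_BEFORE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 198.51.100.10:39122     10.10.10.5:257          SYN_SENT    4021/fwd
tcp        0      0 198.51.100.10:18211     0.0.0.0:*               LISTEN      4017/cpd
"""
# After: the name resolves to the public IP and the log session is up.
HOSTS_AFTER = {"cma-siteA": "203.0.113.5"}
NETSTAT_AFTER = """\
tcp        0      0 198.51.100.10:40880     203.0.113.5:257         ESTABLISHED 4021/fwd
"""

if __name__ == "__main__":
    for label, hosts, snap in (("before", HOSTS_BEFORE, NETSTAT_BEFORE),
                               ("after", HOSTS_AFTER, NETSTAT_AFTER)):
        result = check_log_destination(MASTERS, hosts, snap, EXPECTED_PUBLIC)
        print(label, result["log_targets"], result["problems"] or "OK")
```

On a real gateway you would feed it the actual file (`cat $FWDIR/conf/masters`) and a fresh `netstat -anp | grep :257` capture, once before and once after a policy install or reboot, and diff the two reports; a [Log] entry that silently returns to the private address is exactly the reversion posts #3 and #11 describe.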
