topic Re: CloudGuard VMSS instance and logging question? in Cloud Firewall

CloudGuard VMSS instance and logging (on premise SMS)

HeikoAnkenbrand — Tue, 22 Mar 2022 14:56:37 GMT

I have a question about logging for CloudGuard VMSS instances and logging.

My management server is on a on premise network and all check point ports are forwarded via static NAT from the internet gateway to the SMS. Unfortunately, I do not receive any log information from the Cloudguard VMSS instance on port 257. There is no traffic on the VMSS gateway or on the on premise internet gateway visible.

tcpdump -i eth0 -nn port --> does not display any packet

I had also tried to implement the following sk102712:
$FWDIR/conf/masters file on Security Gateway is overwritten during each policy installation - procedure to preserve manual changes

Therefore my question:

Does CloudGuard VMSS instances also use port 257?
Or Azure CME mechanissmen are used here to upload loggging informations?

Design:

[Azure VMSS instance] --> [Internet] --> [on premise FW gateway with static NAT rule] --> [SMS]

Re: CloudGuard VMSS instance and logging question?

Nir_Shamir — Wed, 16 Mar 2022 05:55:05 GMT

Hi,

All Check Point Gateways use port 257 for logging , this of course includes CloudGuard Gateways.

which Log Server is configured in the GWs ? is it configured with its public IP or its private IP ?

You should see traffic with port 257 on the GWs , no matter what is configured.

Re: CloudGuard VMSS instance and logging question?

HeikoAnkenbrand — Wed, 16 Mar 2022 06:26:33 GMT

Hi @Nir_Shamir,

Is it configured with a public IP.
Here I do not have the option of specifying a management IP if I roll this out via marketplace.

I am missing the IP address of the management server here:

So I had tried implement sk102712 and configure the "$FWDIR/conf/masters" file. That didn't work either.

Re: CloudGuard VMSS instance and logging question?

Nir_Shamir — Wed, 16 Mar 2022 06:36:07 GMT

the IP Address of the management server in the template is isn't part of the GWs configuration. its just for NSG configuration.

I am guessing you followed sk100583 Scenario 2 to configure the Public IP address of the Management server as the log server ?

Re: CloudGuard VMSS instance and logging question?

HeikoAnkenbrand — Wed, 16 Mar 2022 07:03:26 GMT

Hi @Nir_Shamir,

That's exactly what I did and it doesn't work either.

On the VMSS gateway:

Gguidbedit on SMS :

use_loggers_and_masters = true:

and

define_logging_servers = false:

Re: CloudGuard VMSS instance and logging question?

Nir_Shamir — Wed, 16 Mar 2022 07:13:14 GMT

and you don't see any tcp port 257 traffic on the GWs ?

have you tried installing DB , rebooting GWs .

of there is no logging traffic then something is off

Re: CloudGuard VMSS instance and logging question?

HeikoAnkenbrand — Wed, 16 Mar 2022 09:51:10 GMT

Hi @Nir_Shamir

I had done all that and thanks for the tips.

But I have found the issue!

If I create a static NAT rule for the management object, everything works fine.

Re: CloudGuard VMSS instance and logging question?

HeikoAnkenbrand — Wed, 16 Mar 2022 10:49:30 GMT

Of course, the suboptimal thing is that I have to change the masters for each VMSS instance.
Furthermore, I have to change the GuiDBEdit entries for each VMSS instance.

This is a problem with autoscaling!

Is there a better approach here for a on premise management server connection?

Re: CloudGuard VMSS instance and logging question?

Nir_Shamir — Wed, 16 Mar 2022 10:43:18 GMT

well , basically the NAT configuration on the management server should be enough.

I would change everything back as it was (GUIDBEDIT etc.) and only leave the NAT on the management server.

Re: CloudGuard VMSS instance and logging question?

ori1 — Tue, 22 Mar 2022 14:42:48 GMT

Both solutions do not work!

Re: CloudGuard VMSS instance and logging question?

HeikoAnkenbrand — Tue, 22 Mar 2022 14:54:22 GMT

You may have to implement the following sk171055.

Then you can roll out the parameter via the routing script when activating the VMSS instance.

# vi $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# chmod u+x $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# autoprov_cfg set template –tn <CONFIGURATION-TEMPLATE-NAME> –cg $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

Here is the content of the script. The area marked with the dots is the original routing script.

$MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

------------------------------------------------------------------------

#! /bin/bash
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1

.......