topic Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG in Cloud Firewall

Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

Chris_Van_Kriek — Thu, 07 Dec 2023 13:48:38 GMT

We successfully connected CME to GCP, all is done per the process. Identity Awareness API enabled and configured. Datacenter object are visible on the Management server. Now, the rules with GCP Datacenter objects (tags) are not being hit. If we enter the subnet manually, the rule is hit. How to troubleshoot this issue, specifically on the gateways in GCP ?

version: R81.20

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

tomlev — Thu, 07 Dec 2023 16:12:08 GMT

Hi, did you see any errors in SmartConsole logs (blade:"CloudGuard IaaS") or in $FWDIR/log/cloud_proxy.elg?

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

the_rock — Thu, 07 Dec 2023 16:18:38 GMT

Filter @tomlev mentioned is very useful, I got similar issue solved before with it.

Andy

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

Chris_Van_Kriek — Thu, 07 Dec 2023 17:01:29 GMT

Thanks for the useful info.

I had already checked the blade='Cloudguard IAAS" filter and it shows that "Mapping of DataCenter GCP finished.. Mapping took 52 seconds etc..."

Also the $FWDIR/log/cloud_proxy.elg reflects the same.

Is there any log on the gateway instances I can check ?

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

the_rock — Thu, 07 Dec 2023 17:04:37 GMT

Not certain, but maybe see if there are any other files with names that include words proxy or cloud in $FWDIR/log or /var/log dir

Andy

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

Chris_Van_Kriek — Sun, 10 Dec 2023 07:38:47 GMT

There seems to be a file on the gateways: cloud_config.log, but apart from this:

2023-10-12 05:29:22,864::INFO::run_cmd Executing: dbget installer:self_update_in_progress with:
data=None
env=None
expected_return_codes=(0,)
2023-10-12 05:29:22,872::INFO::Handling error:
Output:
Retry number 1 out of 3

happening twice (it seems the third time it was successfull )

There is also a file, which is a symbolic link cloud-user-data -> /opt/CPcge/log/user_data, but that file doesn't exist.

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

tomlev — Sun, 10 Dec 2023 08:05:29 GMT

Under the same filter, are there any errors related to the GW update?
Try adding to the filter "AND severity:Critical"

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

Chris_Van_Kriek — Sun, 10 Dec 2023 08:42:26 GMT

I see errors with that filter from a couple of weeks ago:

Failed to update Data Center objects on gateway gcp-controller--vm-checkpoint-gateway-szrc

And this for all three instances of the GCP MiG.

But when I look at the logs of today, I see that the instances have updated the Data Center objects successfully:

Data Center objects were successfully updated on gateway gcp-controller--vm-checkpoint-gateway-szrc. 1 IPs updated, 0 IPs removed.

Still, the rules with the data center object is not hit. I have put a rule under it, with explicit IP (manually created) of the object, and that one is hit.

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

the_rock — Sun, 10 Dec 2023 14:07:00 GMT

I would try do remote with TAC to see if there is something we might be missing here...

Cheers,

Andy

Re: Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

Chris_Van_Kriek — Wed, 17 Jan 2024 16:43:54 GMT

I had some sessions with TAC. It was the TTL set in vsec.conf that was too high, so the datacenter objects were not updated correctly.