topic Re: Sending logs from Checkpoint R80.40 to Remote server in Firewall and Security Management

Sending logs from Checkpoint R80.40 to Remote server

Mahadevan — Mon, 06 Dec 2021 07:02:25 GMT

Hello all,

I have installed Checkpoint R80.40 in Vmware. I have created Network object and also created syslog server with port number. It is showing in Smartconsole logs that data is accepted from Firewall to Remote server.

But I am not receving logs from Checkpoint to Remote server.

Please find the attachment. Kindly let me know the changes I have to make to send logs from Checkpoint to remote server. Your assistance will be of great help to me.

REgards
Muthu Mahadevan

Re: Sending logs from Checkpoint R80.40 to Remote server

Tal_Paz-Fridman — Mon, 06 Dec 2021 08:08:07 GMT

Just making sure you performed the following steps as well:

1) Defined the Syslog Server - in Objects Pane > Servers > Syslog

2) Added the new Syslog Server to the Security Gateway logging targets - Security Gateway > Logs

Re: Sending logs from Checkpoint R80.40 to Remote server

Mahadevan — Mon, 06 Dec 2021 08:57:27 GMT

Hello,

Thanks for your response.
I have defined the Syslog server IP address in Hosts and created server with Name, Host IP address and Port Number.

For R80.40, I have added the new Syslog Server to the Security Gateway logging targets - Security Gateway > Logs.

For some reason, Logs are not received in remote server. Thanks again for your response. Your assist will be of great help to me.

Regards
Muthu Mahadevan

Re: Sending logs from Checkpoint R80.40 to Remote server

Mahadevan — Mon, 06 Dec 2021 09:21:58 GMT

Also, Just to add the previous comment,

When I check for

[Expert@gw-firewall:0]# fw ctl get int fwsyslog_enable
fwsyslog_enable = 1

But still Logs are not going to Remote server.

Regards
Muthu Mahadevan

Re: Sending logs from Checkpoint R80.40 to Remote server

Ido_Shoshana — Mon, 06 Dec 2021 10:51:57 GMT

Hi Muthu,

Why not using the Log Exporter?

Re: Sending logs from Checkpoint R80.40 to Remote server

Mahadevan — Mon, 06 Dec 2021 12:32:52 GMT

Hello,

I have put the below commands -

cp_log_export add name to_RemoteServer target-server X.X.X.X target-port 514 protocol udp format syslog

cp_log_export restart name to_RemoteServer

I am able to see in the log file in Smartconsole that

* Source IP - Firewall

* Destination - Remote server IP

* Service - UDP/port number

* Description - Traffic accepted.

But the logs are not appearing in the remote server. Could you please let me know the changes to make to receive the logs in remote logging ??

Regards
Muthu Mahadevan

Re: Sending logs from Checkpoint R80.40 to Remote server

Vladimir — Mon, 06 Dec 2021 20:06:19 GMT

What we are missing here is any information about the syslog server you are using and the OS it is running on.

You may have to configure syslog sources from which your server accepts logs and, perhaps, create OS-specific firewall rules allowing inbound traffic on chosen ports.

Re: Sending logs from Checkpoint R80.40 to Remote server

Mahadevan — Tue, 07 Dec 2021 04:18:04 GMT

Hello Vladimir,

Thanks for your response. I have Remote Logging server running in Ubuntu (VirtualBox). I have added security policy in SmartConsole with

Source address - Firewall IP

Destination address - Remote Logging IP address

Action - Accept

Could you please let me know the changes to make if the remote server is running in Ubuntu version ??

Regards
Muthu Mahadevan

Re: Sending logs from Checkpoint R80.40 to Remote server

Vladimir — Tue, 07 Dec 2021 05:06:05 GMT

Firewall will send only Gaia level logs, not the firewall logs. If you have configured log exporter on the management server as per:

cp_log_export add name to_RemoteServer target-server X.X.X.X target-port 514 protocol udp format syslog

and configured the

$AllowedSender UDP, 127.0.0.1, Y.Y.Y.Y/YY

on the Ubuntu side, where Y.Y.Y.Y/YY is the IP and the subnet of the Check Point management server,

then run:

tcpdump -vv port 514

on Ubuntu to see if you are receiving logs from Check Point.

Re: Sending logs from Checkpoint R80.40 to Remote server

Mahadevan — Tue, 07 Dec 2021 07:46:05 GMT

Hello,

I also wanted to check with you with the below configuration,

[Expert@gw-firewall:0]# cp_log_export show

name: CP_FW
enabled: true
target-server: 10.0.2.15
target-port: 1514
protocol: udp
format: syslog
read-mode: raw
export-link: false
export-attachment-link: false

Also when I check for the logs in SmartConsole, Source - Firewall IP, Destination - Remote Logging IP and Action - accept.

Since the status is showing enabled and Connection action is appearing accept in logs, can I assume the logs are sent from firewall to my remote logging ?? Issue is near remote logging ??

Re: Sending logs from Checkpoint R80.40 to Remote server

Vladimir — Tue, 07 Dec 2021 15:55:57 GMT

You can assume that the issue is on the Ubuntu side.

Also, if information in your last post is correct, on Check Point side you are using UDP port 1514 instead of a standard syslog port UDP 514 where Ubuntu may be expecting this traffic.

Unless you have changed the default syslog service port on Ubuntu, I suggest changing it back to 514 on Check Point.

Then use tcpdump on Ubuntu to see if syslog traffic arriving there.

Re: Sending logs from Checkpoint R80.40 to Remote server

Mahadevan — Wed, 08 Dec 2021 07:51:43 GMT

Hello,

Thanks for all the Inputs.

Issue was in Ubuntu side and I have set the redirect Configuration to receive input from Firewall.

Regards
Muthu Mahadevan