topic Re: Cluster uses VIP to communicate with syslog server in Firewall and Security Management

Cluster uses VIP to communicate with syslog server

AndreasD — Thu, 10 Feb 2022 11:12:39 GMT

Hello,

We have 9 gateways (3 clusters of 3 members each) and we have configured all of them to send syslog to 3rd party log server.

6 devices (2 of the clusters) are sending their syslog properly, one machine at a time.

The last 3 gateways are using the cluster VIP to send syslog data and this is not desired.

There is no NAT employed in this scenario, all this traffic is internal.

Any ideas or tips why this is happening or how we could work around it?

Thank you,

Andreas.

Chris_Atkinson — Thu, 10 Feb 2022 15:10:35 GMT

Are the clusters all the same version?

Review sk31832 / sk34180 and compare the settings for each cluster.

AndreasD — Thu, 10 Feb 2022 15:47:25 GMT

One working cluster is R80.40 not latest JHF. The other working cluster is R81 latest JHF.

The non-working cluster is also R81 latest JHF.

All the clusters are managed by the same management server (R81 latest JHF).

Went through sk31832, checked the table.def on the management server (cat $FWDIR/lib/table.def | grep no_hide_services_ports).

no_hide_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17>, <5500, 17>};

I would modify table.def on management to reflect the below for syslog traffic:

no_hide_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17>, <5500, 17>, <514,17>};

but I would rather not to since the other two clusters are working.

I will investigate more tomorrow and if I have any update I will post here.

Thank you.

Gzayas — Thu, 27 Apr 2023 18:36:38 GMT

Were you able to resolve this issue with these SK's?

Ruan_Kotze — Fri, 28 Apr 2023 06:18:05 GMT

I've done NAT rules in the past to work around similar issues in the past - no idea if it's the best or recommended way but it does work.

AndreasD — Fri, 28 Apr 2023 14:44:04 GMT

I haven't looked into the issue again but have upgraded the specific cluster to R81.10 latest JHF a few weeks ago.

From what I observed today, this behavior has been eliminated and the issue is not occurring.