topic Re: Architecture question in Firewall and Security Management

Architecture question

Agent_Smith — Tue, 30 Jul 2019 21:33:50 GMT

Hello,

We currently have two domains.

1 Domain for DEV which has a MGT station, Firewall Cluster, and Log Server.

1 Domain for Prod which has 2 MGT staitons ( 1 is in HA ) 3 Firewall Clusters each with their own Log Server.

I have 3 questions. Our sales rep told us multi-domain is overkill.

We'd like to have central logging. Can we get rid of all Log Servers and send logs from DEV & Prod firewalls (separate domains) to a central Log Server and keep different MGT stations for DEV and Prod.
If we wanted add a third MGT station to the PRD domain can we?
Can we send logs from a firewall cluster to two separate Log Servers. One of which belongs to a different domain. Can we send logs from the DEV firewalls ( SIC with the DEV MGT station ) to the central Log Server that is going SIC with the Prod MGT station.

Re: Architecture question

PhoneBoy — Tue, 30 Jul 2019 22:33:42 GMT

Sounds like you should be using Multi-Domain.
Why do you not want to use it?

Re: Architecture question

Agent_Smith — Tue, 30 Jul 2019 22:46:39 GMT

Our Sales Rep said we should not be using it because we are too small of a deployment / organization.

Re: Architecture question

Wolfgang — Wed, 31 Jul 2019 06:20:01 GMT

Agent_Smith,

first of all I would like to send greetings from Neo...

Best solution for you will be using MultiDomain-Management. With this ou have separate management-domains, separate log servers, but you can see logs from both domains with one logviewer.

With your actual configuration you can't send logs from a gateway to a logserver in another management-domain. You need SIC beetween gateway and logserver and it's not possible to have more then one SIC-trust.

Another way to get the logs from both domains would be using a third party logserver. We had customer the are using SPLUNK. All gateways and management servers sends there logs via Log-Exporter Log Exporter - Check Point Log Export to the SPLUNK server. There is a nice CheckPoint app for splunk available, this gives you a similar view of the logs like in SmartConsole.

With Log-Exporter you can send your logs to any other Syslog-server not only splunk, maybee this is a solution for you.

Wolfgang

Re: Architecture question

Agent_Smith — Wed, 31 Jul 2019 20:42:34 GMT

My understanding is that sending logs to Splunk or another syslog server limits the functionality of the logs because of the view. Can the Splunk App see traffic data?

I was told by the sales rep that independent of the SIC you can send logs from a firewall to a different log server. That SIC is only established between MGT and Firewalls.

Can we have more than 2 MGT stations on one domain?

Re: Architecture question

Wolfgang — Wed, 31 Jul 2019 21:08:15 GMT

Agent_Smith,

what dou you mean with „traffic data“ to shown in splunk?

There was a threat here for the splunk app New-Splunk-App-for-Check-Point-Logs

Yes, you can send logs from a gateway to more then one logserver, but they all have to be in the same domain.

Yes, you can have two management server, but they are running in HA, meaning one is active an the another one is standby.

Wolfgang

Re: Architecture question

Agent_Smith — Wed, 31 Jul 2019 21:11:05 GMT

We have 2 MGT servers with 1 running in HA. Can we setup 2 more in HA?

By traffic I mean can we see firewall drops and accepts of all traffic or is the App like some kind of SmartEvent watereddown.

Re: Architecture question

Wolfgang — Wed, 31 Jul 2019 21:33:52 GMT

You can have only one management server and one HA management server per domain. But you can have more log servers.

In Check Points app for splunk you had a view like in smart event, but you can see the Check Point firewall raw logs in the normal splunk view.

Here is a copy of an example from https://weekly-geekly.github.io/articles/325170/index.html

Re: Architecture question

Agent_Smith — Thu, 01 Aug 2019 14:55:54 GMT

I would imagine looking at drops and accepts in raw Splunk would be useless.
I have received misinfo from my sales rep.
I was told that you can send logs from firewalls to multiple destinations one of which doesn't have to be in your domain and I was told we can have more than 2 MGT stations per domain.

Re: Architecture question

PhoneBoy — Sun, 04 Aug 2019 18:44:43 GMT

Did you get a cost breakdown between going MDM and not MDM?
My understanding is that MDM should be cheaper, unless you're reusing some older licenses or something.

It seems feasible that you could send logs to an externally managed log server.
We definitely support, for instance, a locally managed SMB appliance sending logs to a log server.
I don't see a specific procedure for what you're describing.

In any case, this would be a lot easier with Multi-Domain since all the SIC trust should "just work" due to a common ICA.

Re: Architecture question

Agent_Smith — Mon, 05 Aug 2019 15:26:59 GMT

I asked the sales rep but they said we don't have multidomain licenses.

Re: Architecture question

PhoneBoy — Mon, 05 Aug 2019 15:34:48 GMT

Do you have the required licenses to do what you're proposing now or do you still need to buy licenses?