topic Re: Checkpoint firewall logging source interface in General Topics

Checkpoint firewall logging source interface

Wayne_Situ — Wed, 25 Oct 2017 05:36:38 GMT

On a Cisco router I could specify syslog is sent from one of its interfaces such as loopback. On a checkpoint firewall could I source syslog from an interface other than what is configured as management that is established with SIC? If not, how could I source syslog from a different interface? thank you

Re: Checkpoint firewall logging source interface

PhoneBoy — Wed, 25 Oct 2017 12:36:46 GMT

The IP used is determined by the routing table in the OS, using the egress interface IP as the source IP.

I suppose you could create a NAT rule to source the relevant traffic from the desired IP.

What's the problem you're trying to solve here?

Re: Checkpoint firewall logging source interface

GabsOliv — Mon, 01 Jul 2019 15:19:50 GMT

Nat Don't work. Any Idea ?

Re: Checkpoint firewall logging source interface

Mike_A — Mon, 01 Jul 2019 17:17:29 GMT

Add a host route for your syslog server out the interface you want to source the traffic from off the gateway.

Re: Checkpoint firewall logging source interface

motiami — Wed, 31 Jul 2019 12:25:57 GMT

I have the same issue where the module is sending logs to the management server using it's external IP as a source for the packets but the SIC between the mgmt server and the FW module is build based on the management IP which is a private IP.

The return traffic does not routed over our WAN network but over the internet and this is incorrect.

is there a way to set the source interface of the logs to be the Mgmt0 interface?

Re: Checkpoint firewall logging source interface

GabsOliv — Tue, 06 Aug 2019 23:30:03 GMT

In my case, solved the issue, creating a dummy object

Re: Checkpoint firewall logging source interface

motiami — Wed, 07 Aug 2019 03:03:04 GMT

Hello and thanks for your reply.

I don't understand your solution, can you please elaborate?

Re: Checkpoint firewall logging source interface

Ilya_Yusupov — Wed, 07 Aug 2019 05:54:50 GMT

Hi,

You have 2 options:

1. Configure Syslog Server behind the interface you want to be the source of syslog messages.

2. You can configure Syslog server behind any interface and you can do Static NAT on a range of the desired interface, it should work.

Re: Checkpoint firewall logging source interface

Moe_89 — Wed, 07 Aug 2019 08:36:20 GMT

On the gateways did you try setting the MGMT interface: "set management interface <if_name>"

Re: Checkpoint firewall logging source interface

motiami — Tue, 24 Sep 2019 11:57:11 GMT

Hi Ilya,

I have configured static NAT so the public IP will be replaced with one of the internal IPs configured on the cluster but still, the packets leave the firewall with the original source IP which is the public.

The external interface IP is 192.192.192.254 and the internal interface IP is 10.1.1.254

I have configured a NAT rule that says" original source - 192.192.192.254" to target 192.168.1.1, replace with the source of 10.1.1.254 and the target remains original.

I tried static and hide NAT and the same result - the source is unchanged.

Any thoughts?

Re: Checkpoint firewall logging source interface

emreturkmenler — Tue, 17 Mar 2020 16:42:09 GMT

Is there any solution for this issue ?

Re: Checkpoint firewall logging source interface

Ilya_Yusupov — Tue, 17 Mar 2020 19:11:57 GMT

as far as i remember there was no issue but miss configuration.

@motiami - can you share what was missing as i don't remember 100%.

Re: Checkpoint firewall logging source interface

_Daniel_ — Wed, 17 Jun 2020 20:57:24 GMT

Hi Guys,

It'll certainly makes out lives bit better in case Check Point introduce a command to set the source interface for syslog

Many thanks,