This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-15 04:16 PM
Jump to solution

CloudGuard VMSS instance and logging (on premise SMS)

I have a question about logging for CloudGuard VMSS instances and logging.

My management server is on a on premise network and all check point ports are forwarded via static NAT from the internet gateway to the SMS. Unfortunately, I do not receive any log information from the Cloudguard VMSS instance on port 257. There is no traffic on the VMSS gateway or on the on premise internet gateway visible.

tcpdump -i eth0 -nn port     --> does not display any packet

I had also tried to implement the following sk102712:
$FWDIR/conf/masters file on Security Gateway is overwritten during each policy installation - proced...

Therefore my question:

Does CloudGuard VMSS instances also use port 257?
Or Azure CME mechanissmen are used here to upload loggging informations?

Design:

[Azure VMSS instance]    -->    [Internet]    -->    [on premise FW gateway with static NAT rule]    -->   [SMS]

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(2)
2 Solutions

Accepted Solutions
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-16 02:46 AM
In response to Nir_Shamir
Jump to solution

Hi @Nir_Shamir 

I had done all that and thanks for the tips.

But I have found the issue!

If I create a static NAT rule for the management object, everything works fine.SMS_publicip_m99.jpg


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

(1)
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-22 07:54 AM
In response to ori1
Jump to solution

You may have to implement the following sk171055.

Then you can roll out the parameter via the routing script when activating the VMSS instance.

# vi $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# chmod u+x $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# autoprov_cfg set template –tn <CONFIGURATION-TEMPLATE-NAME> –cg $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

Here is the content of the script. The area marked with the dots is the original routing script.

$MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

------------------------------------------------------------------------

#! /bin/bash
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1

.......

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

(1)
10 Replies
Nir_Shamir
Employee Employee
Employee
‎2022-03-15 10:55 PM
Jump to solution

Hi,

All Check Point Gateways use port 257 for logging , this of course includes CloudGuard Gateways.

which Log Server is configured in the GWs ? is it configured with its public IP or its private IP ?

You should see traffic with port 257 on the GWs , no matter what is configured.

0 Kudos
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-15 11:26 PM
In response to Nir_Shamir
Jump to solution

Hi @Nir_Shamir,

Is it configured with a public IP.
Here I do not have the option of specifying a management IP if I roll this out via marketplace.
SMS_publicip.jpg

I am missing the IP address of the management server here:
SMS_publicip_2.jpg

So I had tried  implement sk102712 and configure the "$FWDIR/conf/masters" file. That didn't work either.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2022-03-15 11:36 PM
In response to HeikoAnkenbrand
Jump to solution

the IP Address of the management server in the template is isn't part of the GWs configuration. its just for NSG configuration.

I am guessing you followed sk100583 Scenario 2 to configure the Public IP address of the Management server as the log server ?

0 Kudos
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-15 11:59 PM
In response to Nir_Shamir
Jump to solution

Hi @Nir_Shamir,


That's exactly what I did and it doesn't work either.

On the VMSS gateway:
SMS_publicip_m1.jpg

Gguidbedit on SMS :

use_loggers_and_masters = true:

SMS_publicip_m2.jpg

and

define_logging_servers = false:

SMS_publicip_m3.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2022-03-16 12:13 AM
In response to HeikoAnkenbrand
Jump to solution

and you don't see any tcp port 257 traffic on the GWs ?

have you tried installing DB , rebooting GWs .

of there is no logging traffic then something is off

HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-16 02:46 AM
In response to Nir_Shamir
Jump to solution

Hi @Nir_Shamir 

I had done all that and thanks for the tips.

But I have found the issue!

If I create a static NAT rule for the management object, everything works fine.SMS_publicip_m99.jpg


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-16 02:50 AM
In response to HeikoAnkenbrand
Jump to solution

Of course, the suboptimal thing is that I have to change the masters for each VMSS instance.
Furthermore, I have to change the GuiDBEdit entries for each VMSS instance.

This is a problem with autoscaling!

Is there a better approach here for a on premise management server connection?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2022-03-16 03:43 AM
In response to HeikoAnkenbrand
Jump to solution

well , basically the NAT configuration on the management server should be enough.

I would change everything back as it was (GUIDBEDIT etc.) and only leave the NAT on the management server.

0 Kudos
ori1
Participant
‎2022-03-22 07:42 AM
In response to Nir_Shamir
Jump to solution

Both solutions do not work!

HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-03-22 07:54 AM
In response to ori1
Jump to solution

You may have to implement the following sk171055.

Then you can roll out the parameter via the routing script when activating the VMSS instance.

# vi $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# chmod u+x $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# autoprov_cfg set template –tn <CONFIGURATION-TEMPLATE-NAME> –cg $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

Here is the content of the script. The area marked with the dots is the original routing script.

$MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

------------------------------------------------------------------------

#! /bin/bash
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1

.......

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
Trending Discussions
NAT for self-originated traffic
Upcoming Events

    Sort by:
    CheckMates Events