HeikoAnkenbrand
Champion

CloudGuard VMSS instance and logging (on premise SMS)

I have a question about logging for CloudGuard VMSS instances.

My management server is on an on-premise network and all Check Point ports are forwarded via static NAT from the internet gateway to the SMS. Unfortunately, I do not receive any log information from the CloudGuard VMSS instance on port 257. There is no traffic visible on the VMSS gateway or on the on-premise internet gateway.

tcpdump -i eth0 -nn port     --> does not display any packet

I had also tried to implement the following sk102712:
$FWDIR/conf/masters file on Security Gateway is overwritten during each policy installation - proced...

Therefore my question:

Do CloudGuard VMSS instances also use port 257?
Or are Azure CME mechanisms used here to upload logging information?

Design:

[Azure VMSS instance]    -->    [Internet]    -->    [on premise FW gateway with static NAT rule]    -->   [SMS]

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
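As an added example that is not part of the thread, here is an offline check of the two things the question turns on: what the gateway's $FWDIR/conf/masters file names as its log server, and whether a tcpdump capture on the gateway contains SYNs to TCP/257 at the SMS's public (NATted) address. The address 203.0.113.10, the object name sms-onprem, the masters content and the tcpdump lines are all constructed; on a real gateway you would feed in `cat $FWDIR/conf/masters` and the output of `tcpdump -i eth0 -nn port 257`.

```shell
#!/bin/bash
# Added example (not from the thread): offline checks on a VMSS gateway's
# masters file and tcpdump output to confirm that log traffic is aimed at the
# on-prem SMS's public address on TCP 257.

SMS_PUBLIC_IP="203.0.113.10"     # assumed static-NAT address of the on-prem SMS

# Constructed $FWDIR/conf/masters content (section header, then the object
# names that serve that role; sk102712 describes this layout).
MASTERS_SAMPLE='[Policy]
sms-onprem
[Log]
sms-onprem
[Alert]
sms-onprem'

# Constructed "tcpdump -i eth0 -nn" lines as they would appear on the gateway.
TCPDUMP_SAMPLE='10:01:02.100 IP 10.0.1.4.41234 > 203.0.113.10.257: Flags [S], seq 1, win 29200, length 0
10:01:02.120 IP 203.0.113.10.257 > 10.0.1.4.41234: Flags [S.], seq 2, ack 2, win 28960, length 0
10:01:03.000 IP 10.0.1.4.41235 > 203.0.113.10.18191: Flags [S], seq 5, win 29200, length 0'

# Print the object names listed under one section of a masters file.
masters_section() {   # $1 = section name (Policy|Log|Alert); masters content on stdin
    awk -v want="[$1]" '
        /^\[/ { insec = ($0 == want); next }
        insec && NF { print $1 }'
}

# Count client SYNs to TCP/257 at the expected SMS address in tcpdump output.
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
count_log_syns() {    # $1 = expected SMS IP; tcpdump lines on stdin
    grep -cF " > $1.257: Flags [S]," || true
}

# Verdict: 0 when the [Log] master is the expected object AND at least one
# SYN to TCP/257 at the SMS public IP was captured; 1 otherwise.
logging_path_ok() {   # $1 = log master name, $2 = SMS IP, $3 = masters text, $4 = tcpdump text
    printf '%s\n' "$3" | masters_section Log | grep -qx "$1" || return 1
    n=$(printf '%s\n' "$4" | count_log_syns "$2")
    [ "$n" -gt 0 ]
}

# Stand-alone run: print the verdict for the constructed samples.
if logging_path_ok sms-onprem "$SMS_PUBLIC_IP" "$MASTERS_SAMPLE" "$TCPDUMP_SAMPLE"; then
    echo "log path OK: [Log] master is sms-onprem and SYNs to $SMS_PUBLIC_IP:257 were seen"
else
    echo "log path NOT OK: check masters file and NAT towards the SMS"
fi
```

The [Log] check catches the case where the gateway still points at the SMS's private address; the SYN count distinguishes "nothing is sent at all" (a masters/NAT-definition problem on the management side) from "sent but not answered" (a NAT or filtering problem on the on-premise gateway).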
10 Replies
Nir_Shamir
Employee

Hi,

All Check Point gateways use port 257 for logging; this of course includes CloudGuard gateways.

Which log server is configured in the GWs? Is it configured with its public IP or its private IP?

You should see traffic on port 257 on the GWs, no matter what is configured.

HeikoAnkenbrand
Champion

Hi @Nir_Shamir,

It is configured with a public IP.
Here I do not have the option of specifying a management IP if I roll this out via marketplace.
[screenshot: SMS_publicip.jpg]

I am missing the IP address of the management server here:
[screenshot: SMS_publicip_2.jpg]

So I had tried to implement sk102712 and configure the "$FWDIR/conf/masters" file. That didn't work either.

Nir_Shamir
Employee

The IP address of the management server in the template isn't part of the GWs' configuration. It's just for the NSG configuration.

I am guessing you followed sk100583 Scenario 2 to configure the public IP address of the management server as the log server?

HeikoAnkenbrand
Champion

Hi @Nir_Shamir,


That's exactly what I did and it doesn't work either.

On the VMSS gateway:
[screenshot: SMS_publicip_m1.jpg]

GuiDBedit on SMS:

use_loggers_and_masters = true:

[screenshot: SMS_publicip_m2.jpg]

and

define_logging_servers = false:

[screenshot: SMS_publicip_m3.jpg]

Nir_Shamir
Employee

And you don't see any TCP port 257 traffic on the GWs?

Have you tried installing DB, rebooting GWs?

If there is no logging traffic then something is off.

HeikoAnkenbrand
Champion

Hi @Nir_Shamir 

I had done all that and thanks for the tips.

But I have found the issue!

If I create a static NAT rule for the management object, everything works fine.
[screenshot: SMS_publicip_m99.jpg]


HeikoAnkenbrand
Champion

Of course, the suboptimal thing is that I have to change the masters for each VMSS instance.
Furthermore, I have to change the GuiDBEdit entries for each VMSS instance.

This is a problem with autoscaling!

Is there a better approach here for an on-premise management server connection?

Nir_Shamir
Employee

Well, basically the NAT configuration on the management server should be enough.

I would change everything back as it was (GUIDBEDIT etc.) and only leave the NAT on the management server.

ori1
Participant

Both solutions do not work!

HeikoAnkenbrand
Champion

You may have to implement the following sk171055.

Then you can roll out the parameter via the routing script when activating the VMSS instance.

# vi $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# chmod u+x $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -cg $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

Here is the content of the script. The area marked with the dots is the original routing script.

$MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

------------------------------------------------------------------------

#! /bin/bash
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1

.......

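As an added example that is neither from the thread nor from sk171055, the following bash turns the procedure above into a repeatable step on the management server: it writes the per-template configuration script with the ckp_regedit line ahead of the original routing commands, makes it executable, and refuses to add the line a second time when re-run. The template name demo-template, the routing-command file and the scratch-directory fallback for MDS_FWDIR are assumptions; registering the script with the autoprov_cfg command quoted in the post is left as a manual step.

```shell
#!/bin/bash
# Added example (not from the thread or from sk171055): builds the
# static_route_config_<TEMPLATE>.sh that CME runs on each new VMSS gateway so
# that FORCE_NATTED_IP is set before the original routing commands execute.
# On the management server MDS_FWDIR is already set; the mktemp fallback is
# only so this runs stand-alone.

: "${MDS_FWDIR:=$(mktemp -d)}"
REGEDIT_LINE='ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1'

# Path of the configuration script for a given CME configuration template.
template_script_path() {   # $1 = configuration template name
    printf '%s/conf/static_route_config_%s.sh\n' "$MDS_FWDIR" "$1"
}

# Write the template script: shebang, the registry line, then the original
# routing commands read from the file in $2 (its own shebang is dropped).
# Idempotent: an existing script that already carries the line is left alone.
build_template_script() {  # $1 = template name, $2 = file holding the routing commands
    out=$(template_script_path "$1")
    mkdir -p "$(dirname "$out")"
    if [ -f "$out" ] && grep -qF 'FORCE_NATTED_IP' "$out"; then
        return 0
    fi
    {
        printf '#!/bin/bash\n'
        printf '%s\n' "$REGEDIT_LINE"
        grep -v '^#!' "$2" || true
    } > "$out"
    chmod u+x "$out"
}

# Self-check before handing the script to autoprov_cfg: executable, and the
# registry line present exactly once.
verify_template_script() {   # $1 = template name
    f=$(template_script_path "$1")
    [ -x "$f" ] && [ "$(grep -c 'FORCE_NATTED_IP' "$f")" -eq 1 ]
}

# Stand-alone demo with a placeholder routing file (constructed).
demo_routing=$(mktemp)
printf '#!/bin/bash\n# original routing commands go here\n' > "$demo_routing"
build_template_script demo-template "$demo_routing"
verify_template_script demo-template && cat "$(template_script_path demo-template)"
```

After the script is in place, register it once per template with the autoprov_cfg command from the post; every gateway the VMSS scales out afterwards gets the registry value before its routing is configured, so no per-instance masters or GuiDBedit edits are needed.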
