CloudGuard VMSS instance and logging (on premise SMS)

I have a question about logging for CloudGuard VMSS instances.

My management server is on an on-premise network and all Check Point ports are forwarded via static NAT from the internet gateway to the SMS. Unfortunately, I do not receive any log information from the CloudGuard VMSS instance on port 257. There is no traffic visible on the VMSS gateway or on the on-premise internet gateway.

tcpdump -i eth0 -nn port     --> does not display any packet

I had also tried to implement the following sk102712:
$FWDIR/conf/masters file on Security Gateway is overwritten during each policy installation - proced...

Therefore my question:

Do CloudGuard VMSS instances also use port 257?
Or is the Azure CME mechanism used here to upload logging information?

Design:

[Azure VMSS instance]    -->    [Internet]    -->    [on premise FW gateway with static NAT rule]    -->   [SMS]

10 Replies
Nir_Shamir
Employee

Hi,

All Check Point gateways use port 257 for logging; this of course includes CloudGuard gateways.

Which log server is configured on the GWs? Is it configured with its public IP or its private IP?

You should see traffic with port 257 on the GWs , no matter what is configured.


Hi @Nir_Shamir,

It is configured with a public IP.
Here I do not have the option of specifying a management IP if I roll this out via the marketplace.
[screenshot: SMS_publicip.jpg]

I am missing the IP address of the management server here:
[screenshot: SMS_publicip_2.jpg]

So I had tried to implement sk102712 and configure the "$FWDIR/conf/masters" file. That didn't work either.

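The masters file mentioned above decides where a gateway sends its port 257 log traffic, so the first thing to check is which address the [Log] target resolves to. The following script is an added diagnostic written for this thread, not Check Point tooling and not code from any of the posts: it parses the [Log] section of a masters file, resolves each name through a constructed name-to-IP table (a stand-in for the gateway's object database, assumed here so the check runs offline) and flags RFC1918 addresses, which an Azure VMSS gateway can never reach across the internet.

```shell
#!/bin/bash
# Added diagnostic for this thread (not Check Point's own tooling and not code
# from the posts): read the [Log] section of a Security Gateway's
# $FWDIR/conf/masters file and report whether each log target resolves to a
# private (RFC1918) address, which an Azure VMSS gateway cannot reach when the
# SMS sits behind on-premise NAT.
#
# The masters file lists object names under section headers:
#   [Policy]
#   <management object>
#   [Log]
#   <log server object(s)>
#   [Alert]
#   <alert target object(s)>
# The name-to-IP table used here is a constructed stand-in for the gateway's
# object database, so the check can run offline.

# Print the object names listed under section $2 (e.g. Log) of masters file $1.
masters_section() {
    awk -v want="[$2]" '
        /^\[.*\]$/ { insec = ($0 == want); next }
        insec && NF { print $1 }
    ' "$1"
}

# Return 0 when $1 is an RFC1918 IPv4 address, 1 otherwise.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*)                          return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 0 ;;
        *)                                        return 1 ;;
    esac
}

# For every [Log] target in masters file $1, look up its IP in table $2
# (lines of "name ip") and print "name ip private|public|unknown".
check_log_targets() {
    masters_section "$1" Log | while read -r name; do
        ip=$(awk -v n="$name" '$1 == n { print $2; exit }' "$2")
        if [ -z "$ip" ]; then
            verdict=unknown
        elif is_private_ipv4 "$ip"; then
            verdict=private     # unreachable from the internet: logs never arrive
        else
            verdict=public
        fi
        printf '%s %s %s\n' "$name" "${ip:-?}" "$verdict"
    done
}

# Constructed sample: an SMS object whose address is its on-premise private IP,
# i.e. the situation before the static NAT rule on the management object.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/masters" <<'EOF'
[Policy]
sms-onprem
[Log]
sms-onprem
[Alert]
sms-onprem
EOF
    printf 'sms-onprem 10.10.0.5\n' > "$dir/hosts"
    check_log_targets "$dir/masters" "$dir/hosts"
    rm -rf "$dir"
}

demo
```

On a real gateway you would point `check_log_targets` at `$FWDIR/conf/masters` and at a table built from the object database; a `private` verdict explains an empty `tcpdump -nn port 257` capture, because the packets are addressed to a network the cloud gateway has no route to.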
Nir_Shamir
Employee

The IP address of the management server in the template isn't part of the GWs' configuration. It's just for the NSG configuration.

I am guessing you followed sk100583 Scenario 2 to configure the public IP address of the management server as the log server?


Hi @Nir_Shamir,

That's exactly what I did and it doesn't work either.

On the VMSS gateway:
[screenshot: SMS_publicip_m1.jpg]

GuiDBedit on the SMS:

use_loggers_and_masters = true:

[screenshot: SMS_publicip_m2.jpg]

and

define_logging_servers = false:

[screenshot: SMS_publicip_m3.jpg]

Nir_Shamir
Employee

And you don't see any TCP port 257 traffic on the GWs?

Have you tried installing the DB and rebooting the GWs?

If there is no logging traffic then something is off.

Hi @Nir_Shamir 

I had done all that and thanks for the tips.

But I have found the issue!

If I create a static NAT rule for the management object, everything works fine.

[screenshot: SMS_publicip_m99.jpg]

Of course, the suboptimal thing is that I have to change the masters for each VMSS instance.
Furthermore, I have to change the GuiDBedit entries for each VMSS instance.

This is a problem with autoscaling!

Is there a better approach here for an on-premise management server connection?

Nir_Shamir
Employee

Well, basically the NAT configuration on the management server should be enough.

I would change everything back as it was (GUIDBEDIT etc.) and only leave the NAT on the management server.

ori1
Participant

Both solutions do not work!

You may have to implement the following sk171055.

Then you can roll out the parameter via the routing script when activating the VMSS instance.

# vi $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# chmod u+x $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh
# autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -cg $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

Here is the content of the script. The area marked with the dots is the original routing script.

$MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

------------------------------------------------------------------------

#! /bin/bash
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1

.......

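The three steps above (write the template script, make it executable, register it with autoprov_cfg) are easy to get subtly wrong when repeated per template, so here is a small generator for them. It is an added example written for this thread, not code from the post, from CME or from Check Point. It assumes MDS_FWDIR is set as on the management server, that route specs are given as "network/mask via gateway" and emitted as Gaia clish commands (the original routing part of the script is elided in the post, so this is a stand-in), and it honours a DRY_RUN=1 switch, introduced here, that skips the autoprov_cfg call so the generator can be exercised on any machine.

```shell
#!/bin/bash
# Added helper for the procedure above (my own script, not from the thread,
# from CME or from Check Point): generate the configuration-template script
# $MDS_FWDIR/conf/static_route_config_<template>.sh, put the FORCE_NATTED_IP
# setting in front of the routing commands, make it executable and register it
# with autoprov_cfg.
# Assumptions: MDS_FWDIR is set as on the management server; route specs are
# "network/mask via gateway" and are written as Gaia clish commands (the
# post elides its own routing part); DRY_RUN=1 skips the autoprov_cfg call.
#
# Usage: DRY_RUN=1 write_template_script azure-vmss '10.20.0.0/16 via 10.0.0.1'

# write_template_script <template-name> [route-spec ...]
# Prints the path of the generated script on success.
write_template_script() {
    tn="$1"; shift
    # Template name becomes part of a path and an autoprov_cfg argument:
    # allow only a conservative character set.
    case "$tn" in
        ""|*[!A-Za-z0-9_-]*)
            echo "refusing template name '$tn' (letters, digits, _ and - only)" >&2
            return 1 ;;
    esac
    # Validate every route spec before touching the file system.
    for spec in "$@"; do
        case "$spec" in
            *" via "*) ;;
            *) echo "bad route spec '$spec' (expected 'net/mask via gateway')" >&2
               return 1 ;;
        esac
    done
    out="$MDS_FWDIR/conf/static_route_config_${tn}.sh"
    {
        printf '%s\n' '#!/bin/bash'
        printf '# CME configuration template %s, generated by write_template_script\n' "$tn"
        printf '%s\n' '# Use the NATted management address for logs and policy fetch (sk171055)'
        printf '%s\n' 'ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1'
        for spec in "$@"; do
            net=${spec%% via *}
            gw=${spec##* via }
            printf "clish -c 'set static-route %s nexthop gateway address %s on' -s\n" "$net" "$gw"
        done
    } > "$out"
    chmod u+x "$out"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Register the script with the CME template (command as given in the post).
        autoprov_cfg set template -tn "$tn" -cg "$out"
    fi
    printf '%s\n' "$out"
}
```

Because the registry setting is written by the template script, every gateway the VMSS scales out gets FORCE_NATTED_IP at provisioning time, which is what removes the per-instance masters and GuiDBedit edits the thread complains about.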