This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Danny
MVP Platinum
MVP Platinum
Monday

Management-HA: Address spoofing error for FW_Log when gateway sends logs cross-site

Environment

  • R82 Management High Availability (Management-HA)
  • Two geographically separated offices: Office A and Office B

Topology

network.png

Issue description

Log forwarding works correctly when traffic stays local:

  • GW-A → Mgmt-A: OK
  • GW-B → Mgmt-B: OK

However, as soon as a gateway sends logs to the management server in the other site, an address spoofing error for FW_Log is triggered:

  • GW-A → Mgmt-B: Spoofing error
  • GW-B → Mgmt-A: Spoofing error

The root cause appears to be that each gateway uses the same source IP regardless of which log server it targets. When the log packet traverses the inter-site link and arrives at the remote gateway, the source IP belongs to the wrong network segment, causing the receiving gateway to flag it as spoofed.

What I have tried / investigated

  • $FWDIR/conf/masters — this file controls which log servers a gateway forwards to (the destination), but it does not provide a way to specify which source IP the gateway should use when initiating the log connection.
  • We would prefer to avoid NAT if at all possible.

Question

Is there a supported method in R82 to control the source IP a gateway uses when sending logs to a specific log server?

For example, GW-A has multiple interfaces. When it sends logs to Mgmt-B across the WAN, is there a way to tell it to use a specific interface IP as the source — similar to how you can pin a source interface for other connections?

Any pointers to sk articles, CLI parameters, or configuration files would be greatly appreciated.

5 Replies
Duane_Toler
MVP Silver
MVP Silver
Monday

This looks like an asymmetric routing issue on the network path between A and B.  You can also update the incoming interface on each gateway to "not check packets from" ... and select a group object containing the gateway in question.

When FWD fires up and initiates the connection to the log server, it binds to the interface closest to said gateway.  It will use this interface until FWD is restarted.  This will explain why the source is always "that" IP on the gateway. There's also a logging_worker process in (at least R82.10) that I believe handles the log forwarding when gateways become disconnected.

If you can afford it, and you can induce a log server failover, SSH into the problematic gateway and restart FWD manually to see if the source IP changes on a new process.  That'll give you the answer.  Then do the "don't check packets from" config.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Danny
MVP Platinum
MVP Platinum
Monday
In response to Duane_Toler

"Don't check packets from" only applies to external interfaces.
Check Point fixed it by itself automagically by switching to another source IP:
FW1_log_spoof.png

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
yesterday
In response to Danny

Excellent.. so FWD worked itself out after a time.  Certainly not "the best" situation, but good that it does adjust.  If this is R82 and lower, you might want to look into the log-forwarding configuration to have the gateway send over its disconnected logs to the management on an interval.  R82.10 has this enabled by default now (yay!).

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Diamond
MVP Diamond
yesterday
In response to Duane_Toler

Thats true, only applies to external interface though.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Lesley
MVP Gold
MVP Gold
yesterday

This is MDS but they refer only to a NAT solution:

https://support.checkpoint.com/results/sk/sk181701

But if you are going to do NAT you will get new issues like:

https://support.checkpoint.com/results/sk/sk163415

https://support.checkpoint.com/results/sk/sk171665

If issues occurs again, after a restart I would still look into above NAT solution / SK's. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events