Agent_Smith
Contributor

Architecture question

Hello,

 

We currently have two domains.

1 Domain for DEV which has a MGT station, Firewall Cluster, and Log Server.

1 Domain for Prod which has 2 MGT stations (1 is in HA) and 3 Firewall Clusters, each with its own Log Server.

I have 3 questions. Our sales rep told us multi-domain is overkill.

 

  1. We'd like to have central logging. Can we get rid of all Log Servers and send logs from DEV & Prod firewalls (separate domains) to a central Log Server, and keep different MGT stations for DEV and Prod?
  2. If we wanted to add a third MGT station to the PRD domain, can we?
  3. Can we send logs from a firewall cluster to two separate Log Servers, one of which belongs to a different domain? Can we send logs from the DEV firewalls (SIC with the DEV MGT station) to the central Log Server that has SIC with the Prod MGT station?

 

11 Replies
PhoneBoy
Admin

Sounds like you should be using Multi-Domain.
Why do you not want to use it?
Agent_Smith
Contributor

Our Sales Rep said we should not be using it because we are too small of a deployment / organization.
Wolfgang
Authority

 Agent_Smith,

First of all I would like to send greetings from Neo...

Best solution for you will be using Multi-Domain Management. With this you have separate management domains and separate log servers, but you can see logs from both domains with one log viewer.

With your current configuration you can't send logs from a gateway to a log server in another management domain. You need SIC between gateway and log server, and it's not possible to have more than one SIC trust.

Another way to get the logs from both domains would be using a third-party log server. We have customers that are using Splunk. All gateways and management servers send their logs via Log Exporter (Log Exporter - Check Point Log Export) to the Splunk server. There is a nice Check Point app for Splunk available; this gives you a similar view of the logs as in SmartConsole.

With Log Exporter you can send your logs to any other syslog server, not only Splunk; maybe this is a solution for you.

Wolfgang

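As an added example (not code from this thread, from Check Point or from the Splunk app), the following Python script parses a few constructed lines in the shape of Log Exporter's syslog output (an RFC 5424 header followed by Check Point fields as key:"value" pairs inside square brackets) and summarizes accepts and drops per originating gateway and per source address. The point it illustrates is that the raw exported record already carries the action, src, dst, service and origin fields, so any syslog consumer can answer "what was dropped, from where, by which gateway" without the SmartConsole view. The exact line layout and the field names used are assumptions about Log Exporter's format; the sample lines are constructed, not captured.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real traffic), following the assumed shape of
# Log Exporter's "syslog" format: <pri>1 <timestamp> <host> CheckPoint <pid> - [fields]
# Two gateways are simulated: a DEV gateway (origin 10.10.0.1) and a PRD gateway (10.20.0.1).
SAMPLE_LINES = [
    '<134>1 2019-05-14T08:00:01Z fw-dev-1 CheckPoint 2312 - [action:"Accept"; ifdir:"inbound"; '
    'ifname:"eth1"; origin:"10.10.0.1"; src:"10.10.5.20"; dst:"10.20.1.10"; proto:"6"; '
    'service:"443"; rule_name:"DEV to PRD API"]',
    '<134>1 2019-05-14T08:00:02Z fw-dev-1 CheckPoint 2312 - [action:"Drop"; ifdir:"inbound"; '
    'ifname:"eth1"; origin:"10.10.0.1"; src:"10.10.5.20"; dst:"10.20.1.10"; proto:"6"; '
    'service:"22"; rule_name:"Cleanup rule"]',
    '<134>1 2019-05-14T08:00:03Z fw-prd-1 CheckPoint 4101 - [action:"Accept"; ifdir:"inbound"; '
    'ifname:"eth0"; origin:"10.20.0.1"; src:"192.0.2.7"; dst:"10.20.1.10"; proto:"6"; '
    'service:"443"; rule_name:"Public web"]',
    '<134>1 2019-05-14T08:00:04Z fw-prd-1 CheckPoint 4101 - [action:"Drop"; ifdir:"inbound"; '
    'ifname:"eth0"; origin:"10.20.0.1"; src:"198.51.100.9"; dst:"10.20.1.10"; proto:"6"; '
    'service:"3389"; rule_name:"Cleanup rule"]',
    '<134>1 2019-05-14T08:00:05Z fw-prd-1 CheckPoint 4101 - [action:"Drop"; ifdir:"inbound"; '
    'ifname:"eth0"; origin:"10.20.0.1"; src:"198.51.100.9"; dst:"10.20.1.11"; proto:"6"; '
    'service:"445"; rule_name:"Cleanup rule"]',
    # A non-Log-Exporter line mixed into the same syslog feed; it must be skipped, not crash the parser.
    'May 14 08:00:06 fw-dev-1 kernel: not a log exporter record',
]

# RFC 5424-style header as emitted (assumed) by Log Exporter, with the field body in brackets.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) CheckPoint (?P<pid>\S+) - \[(?P<body>.*)\]$'
)
# Each Check Point field is key:"value"; matching on the quotes tolerates ';' inside values.
FIELD_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_line(line):
    """Return a dict of Check Point fields for one exported line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('body')))
    fields['_timestamp'] = m.group('ts')   # syslog header timestamp
    fields['_syslog_host'] = m.group('host')  # host that emitted the syslog record
    return fields


def summarize(lines):
    """Count actions overall, drops per source address, and actions per originating gateway."""
    per_action = Counter()
    drops_by_src = Counter()
    per_origin = defaultdict(Counter)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or 'action' not in rec:
            skipped += 1
            continue
        action = rec['action']
        per_action[action] += 1
        per_origin[rec.get('origin', '?')][action] += 1
        if action == 'Drop':
            drops_by_src[rec.get('src', '?')] += 1
    return {
        'per_action': dict(per_action),
        'drops_by_src': dict(drops_by_src),
        'per_origin': {origin: dict(c) for origin, c in per_origin.items()},
        'skipped': skipped,
    }


if __name__ == '__main__':
    result = summarize(SAMPLE_LINES)
    print('actions:        ', result['per_action'])
    print('drops by source:', result['drops_by_src'])
    for origin, counts in result['per_origin'].items():
        print(f'gateway {origin}: {counts}')
    print('skipped lines:  ', result['skipped'])
```

The same grouping (action by origin, drops by src) is what a Splunk search over these fields would do; the parser exists only to show that nothing in the Accept/Drop record is lost by leaving the Check Point log server out of the path, as long as the exporter is configured on every gateway or on the log server that receives from them.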
Agent_Smith
Contributor

My understanding is that sending logs to Splunk or another syslog server limits the functionality of the logs because of the view. Can the Splunk App see traffic data?

 

I was told by the sales rep that independent of the SIC you can send logs from a firewall to a different log server. That SIC is only established between MGT and Firewalls.

 

Can we have more than 2 MGT stations on one domain?

Wolfgang
Authority

Agent_Smith,

What do you mean with "traffic data" to be shown in Splunk?

There was a thread here for the Splunk app: New-Splunk-App-for-Check-Point-Logs

 

Yes, you can send logs from a gateway to more than one log server, but they all have to be in the same domain.

Yes, you can have two management servers, but they are running in HA, meaning one is active and the other one is standby.

Wolfgang

Agent_Smith
Contributor

We have 2 MGT servers with 1 running in HA. Can we setup 2 more in HA?

By traffic I mean: can we see firewall drops and accepts of all traffic, or is the app some kind of watered-down SmartEvent?
Wolfgang
Authority

You can have only one management server and one HA management server per domain. But you can have more log servers.

In Check Point's app for Splunk you have a view like in SmartEvent, but you can also see the Check Point firewall raw logs in the normal Splunk view.

Here is a copy of an example from https://weekly-geekly.github.io/articles/325170/index.html

[screenshot attached: example view from the Check Point app for Splunk]

Agent_Smith
Contributor

I would imagine looking at drops and accepts in raw Splunk would be useless.
I have received misinfo from my sales rep.
I was told that you can send logs from firewalls to multiple destinations one of which doesn't have to be in your domain and I was told we can have more than 2 MGT stations per domain.
PhoneBoy
Admin

Did you get a cost breakdown between going MDM and not MDM?
My understanding is that MDM should be cheaper, unless you're reusing some older licenses or something.

It seems feasible that you could send logs to an externally managed log server.
We definitely support, for instance, a locally managed SMB appliance sending logs to a log server.
I don't see a specific procedure for what you're describing.

In any case, this would be a lot easier with Multi-Domain since all the SIC trust should "just work" due to a common ICA.
Agent_Smith
Contributor

I asked the sales rep but they said we don't have multidomain licenses.
PhoneBoy
Admin

Do you have the required licenses to do what you're proposing now or do you still need to buy licenses?