Hi mates,
I have a question.
Is it possible to forward logs to a SIEM using TCP without SSL/TLS when using Smart-1 Cloud?
According to the documentation, this seems to be supported:
https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-...
However, when I contacted TAC, they advised that it’s better to use TLS.
I was wondering if anyone has a working TCP (non-SSL) configuration in production.
Also, does the choice of protocol depend on the specific SIEM being used?
Thanks in advance.
When I look at the documentation, it clearly states that both SSL-encrypted forwarding and plain forwarding are supported.
The choice of protocol, whether TLS, plain or UDP, depends on what your SIEM supports. TAC's statement is, of course, correct. Encrypted transmission should always be preferred to plain text transmission, even if plain text is supported and works.
100% right Vincent
We only need to set up this configuration with Tufin, and the Tufin team told us that they support UDP on port 514 and TLS.
However, as far as I know, we already tried UDP, and it doesn’t seem to be working.
Did you work like discussed here?
https://forum.tufin.com/support/kc/latest/Content/Suite/cp_log-exp_R81.20.htm
I'm an S1C layman, I'm just trying to brainstorm a little.
Hey bro,
100% possible. We do it for a few customers to a SIEM solution. There is a TAC case currently for a new CP customer using S1C where we have an issue doing it for the TCP protocol, so TAC is working on that. You just do it from the portal itself, see below.
Apparently, I wasn't that far off the mark. 🙂
You got it. @RemoteUser, I know 2 customers where we have this working with TCP/over TLS as well. Just not sure whether this issue we currently have is the SIEM or not. The TAC guy said he believes it could be a log rate problem, but they are still checking it.
Will update you once we have a solution.
https://support.checkpoint.com/results/sk/sk182699 this could be a possible solution?
100%. Sorry, forgot about it. TAC gave us that SK last week as well.
OK, but since we want to export all the logs of the management, I need to configure this rule on all the policy packages of the CMA?
Sounds like that, yes.
Hey brother,
Were you able to sort this out?
Hi Andy,
Yes, Check Point is sending the logs without any issues. It looks like there’s something in between that’s interfering and causing the logs to arrive incompletely at Tufin.
I will let you know how we fix the issue we have with the new CP customer. TAC is telling us that all on the S1C side is fine, but it's so weird, because if we change to send logs, say, using UDP and a random port, it works for a few seconds at a time, or 1 minute, then stops.
Hey brother,
We spent many hours troubleshooting this. TAC even verified all was fine on the S1C side, the NAT rule was 100% right, but it ended up being that we changed the cluster object IP from external to internal, modified link selection, pushed policy, then all worked fine, we can now see logs. It appears logs were being sent over the maas tunnel interface for some reason, rather than external, like what happens with environments where this does work.
Hi Bro - which NAT rule? This? https://support.checkpoint.com/results/sk/sk182699
Nope... that's a regular rule, I'm talking about the actual NAT rule. In this, dst is the WAN IP of the cluster (VIP) and then dst is the log collector.
Ah, got it 😄 that’s why it seemed strange to me to talk about NAT with that rule 😄
Always good to be sure 🙂
By the way, as far as the source of the regular policy (NOT the NAT one), you can obviously include whatever else is needed. We added our SASE IP as well, as we always connect to it.
Hi,
Event Forwarding from the portal also supports TLS (non-SSL) configuration.
Are there any customers interested in enabling this? If so, we’d be happy to assist and gather feedback.
Step 4 in the attached:
https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/C...