Chris_Butler
Collaborator

How do I get all Source IPs to resolve in SmartLog?

Only some external IP addresses are resolving to FQDN hostnames.

Resolve is checked

Right-clicking on a source IP which does not resolve in the SmartLog GUI and selecting NSLOOKUP resolves to a FQDN at the command line.

I need to troubleshoot email connectivity problems.

This configuration predates my tenure with my company, but we have a backup MX which channels all emails destined for our on-premise Exchange server to a service which redirects them to a single gmail mailbox as a failover.

This is a great idea in theory, but it seems that there are random momentary conditions each day that make emails end up there and the resultant manual forwarding process to get them to the right recipient in our Exchange org is a PITA, especially since I am the only IT/AV/Telecom pro here. And if I am in the middle of something that demands my full attention, there can be delays before I get to forward them.

Anyway, my research into just how (legitimate, non-spammer) sending mail servers handle MX preference tells me that it could be an inability to reach the server to open a socket (a temporary glitch in our FIOS connection or along the route that would translate as a single timeout in a continuous ping -t) that triggers an instant switch to the backup MX with the lower priority, or it could be a connection to our mail server that ends abnormally or prematurely, and it could involve a delayed retry to the backup MX, etc. The RFC is not very specific, so there are differences in how each mail server type (Postfix, Sendmail, Exchange, etc.) handles things by default, and further in how each is configured.

One of the email addresses that seems to be problematic is based out of outlook.com. I need to be able to search on a wildcard by src: *.outlook.com because I would imagine there are a multitude of server IPs that might be doing load balancing for sending from outlook.com.

With major projects going on that must be completed this fiscal year, I have not had the time to RTFM as exhaustively as I did with the previous versions of CheckPoint. I had things down with 77.30 and could find things rather easily in these cases. I have not had time to fully digest all the documentation for 80.10 like I did with 77.30 yet, so I need some help here if anyone could point me in the right direction.

Thanks.

5 Replies
Jerry
Mentor

1. Have you checked what the record in /etc/resolv.conf is on:

a/ security gateway

b/ logging server (if CLM)

c/ management server

and whether from the CLI (clish/bash) you can resolve names and PTRs?

--- that's the 1st step ---

Second: resolution (both forward/reverse DNS) is essential for SmartLog/Tracker to work; bear in mind both ways (PTR-based too!).

Let me know if that helps; if not, we will go deeper though ...

Jerry
Chris_Butler
Collaborator

We have a 5200 gateway and a Smart-1 410 security management server.

We have two AD Domain Controllers that have our ISP's DNS servers and Google DNS servers in their forwarder lists.

All DNS queries originating from any network devices inside our enterprise point at those two Domain Controllers only.

Hence, we set up the gateway and the management servers in the Gaia web GUI to point to them as primary and secondary DNS servers (no tertiary).

For obfuscation purposes, let's say the primary DC is 172.16.30.10 and the secondary is 172.16.30.11.

An example:

nslookup from the expert mode command line on both gateway and management server resolves correctly:

Reverse lookup:

[Expert@FLIGateway:0]# nslookup 136.147.177.171
Server:         172.16.30.11
Address:        172.16.30.11#53

Non-authoritative answer:
171.177.147.136.in-addr.arpa    name = mta2.e-vanguard.com.

Authoritative answers can be found from:

[Expert@FLI-Smart01:0]# nslookup 136.147.177.171
Server:         172.16.30.10
Address:        172.16.30.10#53

Non-authoritative answer:
171.177.147.136.in-addr.arpa    name = mta2.e-vanguard.com.

Authoritative answers can be found from:

Forward lookup:

[Expert@FLIGateway:0]# nslookup mta2.e-vanguard.com.
Server:         172.16.30.11
Address:        172.16.30.11#53

Non-authoritative answer:
Name:   mta2.e-vanguard.com
Address: 136.147.177.171

[Expert@FLI-Smart01:0]# nslookup mta2.e-vanguard.com.
Server:         172.16.30.10
Address:        172.16.30.10#53

Non-authoritative answer:
Name:   mta2.e-vanguard.com
Address: 136.147.177.171

Resolv.conf files contain:

Gateway:

#  This file was AUTOMATICALLY GENERATED
#  Generated by /bin/resolv_xlate on Tue Jul  3 17:25:55 2018
#
#  DO NOT EDIT
#
search corp.fliinvestors.com
nameserver 172.16.30.11
nameserver 172.16.30.10
#start SSLVPN name servers from Smart Dashboard
nameserver 172.16.30.10
nameserver 172.16.30.11
#end SSLVPN name servers from Smart Dashboard

Management Server:

#  This file was AUTOMATICALLY GENERATED
#  Generated by /bin/resolv_xlate on Tue Jul  3 18:25:51 2018
#
#  DO NOT EDIT
#
search corp.fliinvestors.com
nameserver 172.16.30.10
nameserver 172.16.30.11
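Jerry's point that resolution has to work in both directions, applied to the nslookup output Chris pasted above: an added example (not from this thread, and not Check Point's code) that parses a reverse and a forward nslookup answer and reports whether the PTR's hostname resolves back to the original source IP. The NXDOMAIN and mismatch samples are constructed to show the two failure modes; the matching samples copy the thread's output.

```python
import re

# Constructed samples modelled on the nslookup output quoted in this thread; the
# NXDOMAIN and mismatch blocks are constructed to show the two failure modes.
REVERSE_OK = """Server:         172.16.30.11
Address:        172.16.30.11#53

Non-authoritative answer:
171.177.147.136.in-addr.arpa    name = mta2.e-vanguard.com.
"""
FORWARD_OK = """Server:         172.16.30.11
Address:        172.16.30.11#53

Non-authoritative answer:
Name:   mta2.e-vanguard.com
Address: 136.147.177.171
"""
REVERSE_NXDOMAIN = """Server:         172.16.30.11
Address:        172.16.30.11#53

** server can't find 5.113.0.203.in-addr.arpa: NXDOMAIN
"""
FORWARD_OTHER = """Server:         172.16.30.11
Address:        172.16.30.11#53

Non-authoritative answer:
Name:   mta2.e-vanguard.com
Address: 198.51.100.7
"""

def ptr_owner(ip):
    """Reverse-map an IPv4 address to its in-addr.arpa owner name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def parse_reverse(text):
    """Map in-addr.arpa owner -> hostname from nslookup's 'name = ...' lines."""
    return {m.group(1): m.group(2).rstrip(".") for m in
            re.finditer(r"^(\S+in-addr\.arpa)\s+name = (\S+)$", text, re.M)}

def parse_forward(text):
    """Answer addresses only; the resolver's own 'Address: x#53' line is skipped."""
    return [m.group(1) for m in re.finditer(r"^Address:\s+([^#\s]+)$", text, re.M)]

def check_fcrdns(ip, reverse_text, forward_text):
    """'ok' if the PTR hostname resolves back to ip, 'no_ptr' if there is no PTR,
    'mismatch' if the forward record points somewhere else."""
    host = parse_reverse(reverse_text).get(ptr_owner(ip))
    if host is None:
        return "no_ptr", None
    return ("ok" if ip in parse_forward(forward_text) else "mismatch"), host
```

Run the two nslookup commands per source IP on the gateway, the log server and the management server, and feed each pair of outputs to check_fcrdns: an IP that shows as "no_ptr" or "mismatch" on any of them is one SmartLog cannot be expected to resolve.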
Jerry
Mentor

Alright Chris, so the next step would be: what is the name resolver on your Management Server and Logging Server? Are those the same one or do they differ? Have you got an "IA" Blade enabled with LDAP/LDAPS bind to your AD by any chance?

My suggestion would be to find out how the CLM/Logging server behaves and whether you have your files in SmartLog (Logging) indexed.

Let me know how it is configured so we could narrow down the potential causes of this sort of "name-resolution" misbehaviour.

PS. Have you managed to see how your "logging" server behaves in terms of storage, performance or CPU capability? What platform do you use for the logging server responsible for your logging and smart-logging?

Jerry
Frank_Jacques
Explorer

I have the same issue: local IPs going to AD for DHCP are not resolved in CP if a switch is in between doing relays.
Maarten_Sjouw
Champion

Are you able to resolve those internal addresses from the machine you run the SmartConsole on?

To my knowledge the resolving happens on the local workstation.

Regards, Maarten
