Logging not working for Azure CloudGuard gateways and SMS behind NAT

Our topology is as follows:

10.3.3.4/27 - BackEnd Subnet
Azure Firewall (R80.10)
10.2.2.4/27 - FrontEnd Subnet
|
Azure Check Point Cluster Public IP
|
( Internet )
|
1.2.3.4/29
On-Prem Check Point 5400 Series Appliance Cluster (R80.10)
10.1.1.1/24
|
10.1.1.5/24 (1.2.3.5/29 NAT IP)
SmartCenter/Security Management Server (R80.30)


As you can see our SMS is NATed behind our 5400 series appliances which it also manages. The management object has the private 10.1.1.5/24 defined as the IP in the General Properties tab and then public 1.2.3.5/29 is defined in the NAT tab, set to static IP, install on 5400 series gateway and Apply for Security Gateway control connections ticked.

This works for all of our other physical appliances - logging and CRL checking, all fine. However, this does not work for the Azure gateways as they persistently want to get to the SMS on the private IP, which doesn't work.

Things we've tried:

1. Editing the masters file by replacing the SMS name with the public IP of the management then locking the file changes using the chattr command. We've had limited success with this - if we make the change and restart the FWD service it will start working, but if we push policy again it will start using the private IP again. I'm looking for something more permanent.
2. Creating a dummy object with the IP of 1.2.3.5, tick Logging & Status blade, then select this as the logging server for the Azure gateways. The Azure gateways pick up the change, but they still persist in sending logs to the private IP.
3. Tried adding a NAT rule to the top of the NAT policy for anything from src:10.2.2.4/27 (FrontEnd Subnet) to dst: 10.1.1.5 (private SMS) then translate to dst:1.2.3.5 (public SMS). No luck here either.

I originally thought it was because we were using an older R80.10 template, but I've deployed a new R80.20 cluster in Azure and updated to the latest jumbo and we still get the same issue.

Running out of ideas now, any help/suggestions would be appreciated 🙂

5 Replies
Admin

Re: Logging not working for Azure CloudGuard gateways and SMS behind NAT

Generally you should not need to chattr the $FWDIR/conf/masters file.
It looks like this SK might apply: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
In which case, you need to contact the TAC for a hotfix.

Re: Logging not working for Azure CloudGuard gateways and SMS behind NAT

Thanks for the quick response!

In our situation it's the other way round. The gateway is trying the internal SMS IP (which fails), but the public IP of the SMS works. Reckon they'd be able to tweak it to account for this?

For info our SMS is on R80.30 as well.
Wolfgang

Re: Logging not working for Azure CloudGuard gateways and SMS behind NAT

Richard,

you can force your gateway to use a specific IP to send logs and get policy, regardless of what you defined in your management object.

Have a look at "$FWDIR/conf/masters file on Security Gateway is overwritten during each policy installation".

We used this in a customer environment with some strange NAT configuration between SMS and gateways (NAT is done by third-party gateways).

Wolfgang


Re: Logging not working for Azure CloudGuard gateways and SMS behind NAT

Thanks Wolfgang. Will this approach be any different from changing the IP in the masters file and locking it?
Wolfgang

Re: Logging not working for Azure CloudGuard gateways and SMS behind NAT

Richard, yes, the change survives a policy install. As you wrote in your first post, you experience problems after a policy install regardless of locking the masters file. With the configuration from the knowledgebase article, the configuration in SmartConsole does not matter; only the masters file is used. Wolfgang
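Both the first post and Wolfgang's replies turn on which address the gateway actually tries when it reads $FWDIR/conf/masters. The script below is an added example, not from this thread and not Check Point's own tooling: it reads a copy of the masters file and an /etc/hosts-style file from the gateway, reports which address each [Policy]/[Log]/[Alert] target resolves to, and flags targets that land on an address the gateway cannot reach (the private SMS address 10.1.1.5 from the first post). The [Policy]/[Log]/[Alert] section layout of masters and the resolution of the SMS name through /etc/hosts are assumptions made for the example; the two sample files are constructed to mirror the topology in the first post, and cp-sms is a made-up object name.

```shell
#!/bin/sh
# Added example (not from the thread): show which IP each masters-file target
# resolves to on a gateway, and flag targets that resolve to an address the
# gateway cannot reach. ASSUMPTIONS: masters uses [Policy]/[Log]/[Alert]
# sections with one name or IP per line, and names resolve via /etc/hosts.

MASTERS_FILE=masters.sample        # on a real gateway: $FWDIR/conf/masters
HOSTS_FILE=hosts.sample            # on a real gateway: /etc/hosts
UNREACHABLE_IP=10.1.1.5            # private SMS address from the first post

# Constructed sample input mirroring the thread's topology (cp-sms is made up).
make_samples() {
  printf '[Policy]\ncp-sms\n[Log]\ncp-sms\n[Alert]\ncp-sms\n' > masters.sample
  printf '127.0.0.1 localhost\n10.1.1.5 cp-sms\n' > hosts.sample
  # Same file after the name has been pointed at the SMS NAT address instead.
  printf '127.0.0.1 localhost\n1.2.3.5 cp-sms\n' > hosts.fixed.sample
}

# list_targets MASTERS SECTION -> prints the entries under [SECTION]
list_targets() {
  awk -v s="[$2]" '
    /^\[/ { insec = ($0 == s); next }
    insec && NF && $1 !~ /^#/ { print $1 }
  ' "$1"
}

# resolve_target NAME_OR_IP HOSTS -> prints the IP (bare IPs pass through),
# prints nothing if the name is not in the hosts file
resolve_target() {
  case "$1" in
    *[!0-9.]*) awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++)
                                 if ($i == n) { print $1; exit } }' "$2" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# report_masters MASTERS HOSTS BAD_IP -> one line per target:
#   "<section> <target> <ip> <ok|UNREACHABLE|UNRESOLVED>"
# returns 1 if any target is unresolved or resolves to BAD_IP
report_masters() {
  rc=0
  for sec in Policy Log Alert; do
    for t in $(list_targets "$1" "$sec"); do
      ip=$(resolve_target "$t" "$2")
      if [ -z "$ip" ]; then st=UNRESOLVED; rc=1
      elif [ "$ip" = "$3" ]; then st=UNREACHABLE; rc=1
      else st=ok; fi
      printf '%s %s %s %s\n' "$sec" "$t" "${ip:--}" "$st"
    done
  done
  return $rc
}

make_samples
echo "## name resolves to the private SMS address (as in the first post):"
report_masters "$MASTERS_FILE" "$HOSTS_FILE" "$UNREACHABLE_IP" \
  || echo "-> at least one target will fail from this gateway"
echo "## name resolves to the SMS NAT address:"
report_masters "$MASTERS_FILE" hosts.fixed.sample "$UNREACHABLE_IP" \
  || echo "-> at least one target will fail from this gateway"
```

To use it on a gateway, point MASTERS_FILE and HOSTS_FILE at the real files and drop the make_samples call; because a policy install rewrites masters, run it again after each push to confirm what the gateway ended up with.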