Ivory

SIEM can not hit CMA behind NAT

Hi guys,

I have an issue making a connection between the SIEM server and the CMA. This setup is a little bit tricky as NAT is used. The Check Point VSX is based on R77.30; the customer's CMA has IP 155.0.0.13 and is linked with the customer's dedicated MLM (30.249.0.11), based on Gaia R77.30. The customer's SIEM is a McAfee application with IP 10.0.0.1.

The main problem is that all these devices are in separate networks divided by FWs: SIEM IP 10.0.0.1 is not allowed in the CMA network, and likewise the CMA and CLM addresses 155.0.0.13 and 30.x.x.x are not allowed in the customer SIEM network, so I used NAT.

SIEM (10.0.0.1) -> Check Point FW (10.0.0.1 NATted to 30.249.0.1) -> CMA (155.0.0.13)

Reverse flow:

CMA (155.0.0.13) -> Check Point FW (155.0.0.13 NATted to 30.249.0.13) -> SIEM (10.0.0.1)

I am not writing about the CLM yet, because first we have to make a connection with the CMA.

I see the traffic is NATted, and I checked for drops with zdebug. I got trust established on the CMA; however, McAfee still cannot connect to the CMA.

diagram.jpg

Hope it makes sense 🙂

My question is whether this setup is correct and whether it is possible to make such a connection where NAT is used.

5 Replies
Admin

Re: SIEM can not hit CMA behind NAT

You didn't say if you were using LEA or Log Exporter to get the logs to the SIEM.
In either case, NAT shouldn't make a difference here.
Have you done actual packet captures to verify traffic is flowing at all?
Ivory

Re: SIEM can not hit CMA behind NAT

Hi,

I am using LEA to get the logs.

Yes, I did captures on both firewalls; the traffic is NATted as expected and zdebug did not find any drops (grep set to port 18210 or the IPs), and the logs also show no drops.

I wonder if I have set the correct Host in the OPSEC application properties:

properties.png

Should I use the original SIEM host, which is 10.0.0.1, or the NATted IP 30.249.0.1?

Platinum

Re: SIEM can not hit CMA behind NAT

Please take into consideration that OPSEC objects are not supported in R80. You will need to delete the OPSEC objects in order to upgrade management from R77.30 to R80.

Log Exporter is the way to go.

Kind regards,
Jozko Mrkvicka
Admin

Re: SIEM can not hit CMA behind NAT

I don't believe that's strictly true.
You can create "OPSEC Application" objects in R80.20.
Admin

Re: SIEM can not hit CMA behind NAT

NATted IP is what I would use.
That said, I second the suggestion to use Log Exporter.
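As an added example (not from this thread and not Check Point's own tooling), the script below makes the last two replies concrete: it correlates constructed tcpdump-style captures from the two firewall legs, checks that the static NAT is consistent in both directions, and derives which address belongs in the OPSEC Application object's Host field (the address the CMA actually sees, i.e. the NATted SIEM address) and which address the SIEM's LEA client must target (the CMA's NATted address). The capture lines, the one-to-one NAT assumption (source ports preserved, which Hide NAT would not do), and the port meanings (18210 for the SIC certificate pull, 18184 for LEA) are assumptions of the example, not details stated in the thread.

```python
import re

# Standard Check Point OPSEC/SIC ports (assumed from product documentation, not from the thread).
OPSEC_PORTS = {18210: "SIC certificate pull (trust establishment)",
               18184: "LEA (log export)"}

# Constructed tcpdump -nn style captures, one per firewall leg, reusing the thread's
# addresses. The SIEM leg sees the real SIEM address and the CMA's NATted address;
# the CMA leg sees the NATted SIEM address and the real CMA address.
SIEM_SIDE_CAPTURE = """\
IP 10.0.0.1.40001 > 30.249.0.13.18210: Flags [S], seq 1, win 64240, length 0
IP 30.249.0.13.18210 > 10.0.0.1.40001: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 10.0.0.1.40002 > 30.249.0.13.18184: Flags [S], seq 3, win 64240, length 0
"""
CMA_SIDE_CAPTURE = """\
IP 30.249.0.1.40001 > 155.0.0.13.18210: Flags [S], seq 1, win 64240, length 0
IP 155.0.0.13.18210 > 30.249.0.1.40001: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 30.249.0.1.40002 > 155.0.0.13.18184: Flags [S], seq 3, win 64240, length 0
"""

_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\]")


def parse_capture(text):
    """Return (src, sport, dst, dport, flags) tuples for each TCP line."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            pkts.append((src, int(sport), dst, int(dport), flags))
    return pkts


def _index(pkts):
    """Map client (sport, dport) -> (src, dst) for SYNs; set of keys answered by a SYN/ACK."""
    syns, answered = {}, set()
    for src, sport, dst, dport, flags in pkts:
        if flags == "S":
            syns[(sport, dport)] = (src, dst)
        elif flags == "S.":
            answered.add((dport, sport))  # reply packet: swap back to the client's view
    return syns, answered


def correlate(siem_pkts, cma_pkts):
    """Pair each client SYN on the SIEM leg with the same SYN on the CMA leg.
    Static (one-to-one) NAT rewrites addresses only, so (sport, dport) survives
    the translation and identifies the flow on both legs."""
    s_syns, s_ans = _index(siem_pkts)
    c_syns, c_ans = _index(cma_pkts)
    flows = []
    for key, (s_src, s_dst) in s_syns.items():
        c_src, c_dst = c_syns.get(key, (None, None))
        flows.append({
            "port": key[1],
            "service": OPSEC_PORTS.get(key[1], "other"),
            "nat_ok": c_src is not None,          # SYN seen on the CMA leg as well
            "siem_sees_server": s_dst,            # address the SIEM must be pointed at
            "cma_sees_client": c_src,             # address the CMA sees as the OPSEC client
            "answered_cma_side": key in c_ans,
            "answered_siem_side": key in s_ans,
        })
    return flows


def opsec_settings(flows):
    """Derive the addresses each side must be configured with, and flag flows the CMA
    never answered (the pattern when SIC trust works but LEA still does not connect)."""
    translated = [f for f in flows if f["nat_ok"]]
    clients = {f["cma_sees_client"] for f in translated}
    servers = {f["siem_sees_server"] for f in translated}
    if len(clients) != 1 or len(servers) != 1:
        raise ValueError("inconsistent NAT between the two legs: %r / %r" % (clients, servers))
    return {
        # Host field of the OPSEC Application object on the CMA: the post-NAT SIEM address
        "opsec_app_host": clients.pop(),
        # server address in the SIEM's LEA client configuration: the CMA's NATted address
        "siem_lea_server": servers.pop(),
        "unanswered_ports": sorted(f["port"] for f in translated if not f["answered_cma_side"]),
        # answered on the CMA leg but the SYN/ACK never reached the SIEM leg: reverse NAT problem
        "reverse_nat_broken": sorted(f["port"] for f in translated
                                     if f["answered_cma_side"] and not f["answered_siem_side"]),
    }


if __name__ == "__main__":
    flows = correlate(parse_capture(SIEM_SIDE_CAPTURE), parse_capture(CMA_SIDE_CAPTURE))
    for f in flows:
        print(f)
    print(opsec_settings(flows))
```

In the constructed sample the SIC pull on 18210 completes on both legs while the LEA SYN on 18184 is never answered, which is the pattern to look for when trust is established but the SIEM still cannot pull logs; note that a zdebug filter on port 18210 alone would not show a drop on 18184, so filter on both OPSEC ports (or on the NATted addresses) when checking for drops.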