This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SecurityNed
Collaborator
‎2024-03-31 12:14 AM
Jump to solution

Logs from External Firewall on a Different Segement is not Showing up

Hello Everyone,

I have a laboratory wherein I have an external firewall and an internal firewall managed by a single Smart-1 appliance residing in the internal network side. Please see diagram below:

 

433054273_3644544375808422_459738827554724271_n.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

I'm able to see logs comfing from CP FW INT, but not from CP FW EXT. Connectivity from Smart-1 to CP FW EXT is fine as I'm able to push policies to it. On the Log tab on the side of the CP FW EXT firewall, the setting is logs should be forward to the Smart-1 appliance.

Am I missing something or is there any peculiarities in this setup? This is a first on my end so im currerntly confused.

Hoping for the community inisght on this.

0 Kudos
2 Solutions

Accepted Solutions
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-03-31 02:44 AM
Jump to solution

Do you have a NAT rule defined on MGMT host?

Kind regards, Amir Senn

View solution in original post

(1)
AmirArama
Employee
Employee
‎2024-03-31 04:37 AM
In response to SecurityNed
Jump to solution

so you might have asymmetry,

the external GW go via the internal GW, and the reply from MGMT going directly to the external GW maybe.

bottom line, topology needs to be examined. run 'tcpdump/fw monitor' on all GWs and mgmt to understand how the traffic flows.

run fw ctl zdebug + drop on all GWs on maintenance window to see if & who drops the traffic. (reset with 'fw ctl debug 0')


consider changing the topology. if not, at least make sure all your connections from/to mgmt routed in symmetric way.

 

View solution in original post

(1)
8 Replies
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-03-31 02:44 AM
Jump to solution

Do you have a NAT rule defined on MGMT host?

Kind regards, Amir Senn
(1)
SecurityNed
Collaborator
‎2024-03-31 03:22 AM
In response to Amir_Senn
Jump to solution

Hello @Amir_Senn

No NAT rules related to the MGMT host IP yet.

May I know what configuration am I lacking?

0 Kudos
AmirArama
Employee
Employee
‎2024-03-31 02:46 AM
Jump to solution

since you have two ip addresses on your MGMT server (is that correct?) i assume in the mgmt host object the MGMT server is configured with it's internal IP, and the external FW attempt to send the logs to this internal IP, but maybe don't have the correct route to it (or the correct anti spoofing configuration on that interface in order not to drop the replies from the mgmt internal IP)

it's just an assumption of what can go wrong in this topology.

can you confirm if this is the case?

0 Kudos
SecurityNed
Collaborator
‎2024-03-31 03:25 AM
In response to AmirArama
Jump to solution

Hello @AmirArama

since you have two ip addresses on your MGMT server (is that correct?) -> Yes, I have 192.168.4.23 and 172.16.16.250 configured in my MGMT interface.
mgmt host object the MGMT server is configured with it's internal IP -> Yes,  this is correct as well.

I want to add to the diagram btw, Both internal and external firewalls are connected physicall, (Internal FW  via WAN port, External FW via an internal interface)

EDIT:

I might have thought about something, do I need to put the 192.168.4.0/24 network on the inteface topology? What I'm scared about this is if I'll add it, I might break the connectivity from my MGMT to the External FW.

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-03-31 03:56 AM
In response to SecurityNed
Jump to solution

External FW has a route to 192.168.4.0/24?

Kind regards, Amir Senn
0 Kudos
SecurityNed
Collaborator
‎2024-03-31 04:12 AM
In response to Amir_Senn
Jump to solution

@Amir_Senn 

Yes, but it is through the connection between Internal FW and External FW:

image.png

0 Kudos
AmirArama
Employee
Employee
‎2024-03-31 04:37 AM
In response to SecurityNed
Jump to solution

so you might have asymmetry,

the external GW go via the internal GW, and the reply from MGMT going directly to the external GW maybe.

bottom line, topology needs to be examined. run 'tcpdump/fw monitor' on all GWs and mgmt to understand how the traffic flows.

run fw ctl zdebug + drop on all GWs on maintenance window to see if & who drops the traffic. (reset with 'fw ctl debug 0')


consider changing the topology. if not, at least make sure all your connections from/to mgmt routed in symmetric way.

 

(1)
SecurityNed
Collaborator
‎2024-03-31 04:51 AM
In response to AmirArama
Jump to solution

Hello @Amir_Senn@AmirArama,

Thank you for your insight as I was able to resolve this. I have created a destination route in my External FW in this manner: Destination: MGMT, Gateway: 172.16.16.254, and all External FW logs are now seen in the SMS.

Thank you so much!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events