Peter_Lyndley
Advisor

MDS and MDLS and masters file

Hi All,

We have a Provider-1 running R80.10 and currently it does everything: policy, logs, etc.

However we receive logs to a public IP which is not hosted on any Check Point device, so we have to use the masters file (and GuiDBedit) to achieve the logging.

I have now configured an MD Log server to migrate the logs to, to share the load.

When I change the Log section in the masters file to the new log server IP (and push policy), I'm not receiving logs at all (there is still a connection on port 257 to the CMA from the gateway, not the log server), and cert-based VPNs stop working.

If I change the IP back to the public IP of the CMA, it works fine again after a policy push, but all logging goes to the one box.

Is the 'Log' section also used for CRL retrieval? I would have expected this to be the 'policy' section.

Also, is there a way of configuring this to work correctly in the environment we have?

Has anyone else come across this?

Accepted Solutions
_Val_
Admin

You are right, this is not an expected behavior. Please open a support case so we could investigate

4 Replies

Kaspars_Zibarts
Employee

So you are saying that a normal log target change on the gateway object in the CMA is not working? Remember that you will need to install the database and push policy for the gateway to be able to connect to the CLM.

It just sounds very strange that you have to mess with the masters file. Never had any problems with it in my 13 years with Provider-1.

_Val_
Admin

For any MGMT behind NAT, there are always two or three options, none of them ideal: automatic NAT rules, the masters file and/or dummy MGMT objects.

The masters file allows separating logging and management functionality gracefully, especially in cases when it is not Check Point that does the address translation.

Kaspars_Zibarts
Employee

I fully agree, I'm just wondering, as the port 257 connection has not changed on the CMA, so it feels like the gateway object has not been updated with the new CLM :) and the DB not installed after that to tell the CLM to take connections from the gateway.

Additionally, make sure you can connect from the gateway to the CLM on port 257 (telnet on the port).

And check the masters file on the CLM, not just the CMA.
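A quick sanity check for the masters-file split discussed in this thread (policy from the CMA, logs to the CLM), written as an added example rather than anything from the thread or from Check Point. It assumes the file layout is bracketed section headers ([Policy], [Log]) followed by one address per line, and the addresses are constructed.

```python
"""Parse a Check Point-style masters file and check that logging has been
split off to a dedicated log server (CLM) while policy still comes from
the CMA. Assumes bracketed section headers ([Policy], [Log]) followed by
one address per line; the sample addresses below are constructed."""
import ipaddress
import re

SECTION_RE = re.compile(r"^\[(?P<name>[A-Za-z]+)\]$")


def parse_masters(text):
    """Return {section_name_lower: [addresses]} from masters file text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"address before any section header: {line!r}")
        ipaddress.ip_address(line)  # raises ValueError on a malformed entry
        sections[current].append(line)
    return sections


def check_log_split(text, cma_ip, clm_ip):
    """Return findings; an empty list means policy -> CMA and logs -> CLM."""
    s = parse_masters(text)
    findings = []
    for name in ("policy", "log"):
        if not s.get(name):
            findings.append(f"[{name}] section missing or empty")
    if s.get("policy") and cma_ip not in s["policy"]:
        findings.append(f"[policy] does not list the CMA {cma_ip}: {s['policy']}")
    if s.get("log") and clm_ip not in s["log"]:
        findings.append(f"[log] does not list the CLM {clm_ip}: {s['log']}")
    if s.get("log") == [cma_ip]:
        findings.append("[log] still points only at the CMA: all logs on one box")
    return findings


# Constructed samples: CMA public address for policy, new CLM address for logs.
SAMPLE_SPLIT = "[Policy]\n203.0.113.10\n[Log]\n203.0.113.20\n"
SAMPLE_UNSPLIT = "[Policy]\n203.0.113.10\n[Log]\n203.0.113.10\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SPLIT, SAMPLE_UNSPLIT):
        print(check_log_split(sample, "203.0.113.10", "203.0.113.20") or "OK")
```

Run it against the masters file on the gateway, and, as suggested above, on the CLM as well; the findings list is empty only when the Log section already names the CLM and the Policy section names the CMA.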
