This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HansKazan
Contributor
yesterday

Question regarding logging for remotely managed Gateway used for S2S VPN

Hello CheckMates

I have to establish a VPN S2S tunnel with a remotely managed CP-GW. To prepare, I have simulated the environment in my lab (R81.20 JHF 84) and noticed that no amount of NAT or packet manipulation let my "on-prem" SMS receive the logging originating from the VPN-GW.

After following this sk, it worked.
https://support.checkpoint.com/results/sk/sk111954

This leads me to the following questions below.

  • Could someone please elaborate how and why this works on a technical level and if a more modern approach exists that I may have overlooked if the modern answer deviates from what is written in the sk?
  • Additionally, what change or impact does this change to the implied_rules.def file have for the locally managed CP Gateways? How does the functionality of log connections change, if at all, and what steps should then be taken.
  • Furthermore, why does port:257 not show up in the logging after the connection between the VPN-GW and SMS is established? Is it encapsulated in another protocol?

Thank you for your valuable time and input as always!

Labels
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
3 hours ago

We do NOT put management traffic through VPN by design.
The reason is that if your VPN goes down…so does your ability to manage the remote devices.
Changing implied_rules.def (the only way to do that at current) changes this behavior.
This is compiled as part of the policy pushed to all managed gateways (where implied rules are relevant).

0 Kudos
HansKazan
Contributor
3 hours ago
In response to PhoneBoy

Thank you for your response.

So if I understand correctly, TCP/257 is seen as management traffic and hits the implied rules that take priority over whatever is manually defined. However, why is this behavior different for logging? I am able to NAT CPD and related services to the SMS just fine, but failed to find a solution to send logs without the use of a VPN tunnel.

When I was able to forward TCP/257, it was seen (only once) in the logfile, but the logs were not added to the SmartConsole log browser.

If sending the logs over the VPN tunnel would not be recommended, what would be the correct solution?

Thank you for your time!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events