Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jeff
Contributor
Contributor
Jump to solution

R80.10 Management + R77.30 EndPoint Management Server

Could we use R80.10 (MNG + GW) and R77.30 EndPoint Security Server together for Capsule Docs deployment?

I mean, could we add R77.30 EndPoint Security Server to R80.10 Management Server?

1 Solution

Accepted Solutions
Daniel_Taney
Advisor

I hope I am understanding your question right. I think there are a couple different answers to your question... First, if the question is just can an R80.10 Management / Gateway co-exist with an R77.30 Endpoint Server in the same environment; the answer is it can. 

The trick becomes that the Endpoint Security Server isn't a Gateway. So, you can't really just establish SIC with it and add it to your R80.10 Management the way you would when you add additional Gateways. So, you will have to administer all of the Capsule Docs elements from inside the R77.30 client separately.  

The good news is you can send your logs from the Endpoint Server to your R80.10 Management. So, at least you can have your logs consolidated into one place. Check out sk72980

The other good news is that R80.20 should resolve the disjointed management with Endpoint. All Check Point products will be manageable under a single management server. There is a public EA of R80.20 Management going on right now. If you are just starting to test the waters with Capsule Docs, it might be worth considering the EA. I think that will make your life a lot easier and eliminate the need to upgrade another R77.30.x product later. 

R80 CCSA / CCSE

View solution in original post

4 Replies
Daniel_Taney
Advisor

I hope I am understanding your question right. I think there are a couple different answers to your question... First, if the question is just can an R80.10 Management / Gateway co-exist with an R77.30 Endpoint Server in the same environment; the answer is it can. 

The trick becomes that the Endpoint Security Server isn't a Gateway. So, you can't really just establish SIC with it and add it to your R80.10 Management the way you would when you add additional Gateways. So, you will have to administer all of the Capsule Docs elements from inside the R77.30 client separately.  

The good news is you can send your logs from the Endpoint Server to your R80.10 Management. So, at least you can have your logs consolidated into one place. Check out sk72980

The other good news is that R80.20 should resolve the disjointed management with Endpoint. All Check Point products will be manageable under a single management server. There is a public EA of R80.20 Management going on right now. If you are just starting to test the waters with Capsule Docs, it might be worth considering the EA. I think that will make your life a lot easier and eliminate the need to upgrade another R77.30.x product later. 

R80 CCSA / CCSE
cezar_varlan1
Collaborator

Hello,

For the purpose of clarity: I am writing this in order to understand how the working scenario of sk72980 looks. I have detailed my experience regarding this in Attempt III below and at this point i am puzzled as i can't find the logs anywhere while i do see LEA going on.

Here goes a very long post!

I am in the somewhat similar situation where i have SMS R80.20 and EP MGMT R80.20. They are separated and working fine in their own jobs.

The first reason to install them separately was prior experience with different HF levels of MGMT and EP and the fact that SB Agent was requesting R77.30.03 and TE was requesting a specific different HF level. 

The second reason to install them separately is that the local CKP team also sold a separate EP MGMT license to the customer and there would be no point in not using it if i can have a dedicated machine to avoid the other prior experience of SMS becoming slow over time as config became bigger and bigger.

The third reason to install them separately is that EP is usually managed by other team than Network Security, This helps with segregation beyond Role Based Admin features of SMS. 

My customer came up with a very normal and plausible request that he would be able to see all the logs in one place. This looked perfectly fine knowing that we have sk35288 (How to enable SmartEvent to read logs from external Security Management Server / externally managed Log Server). I knew it worked, i never suspected that this implies licensing, and i've asked the sk to be updated. So let's start with this log file themed adventure!

Attempt I

Proceeded to configure sk35288 just to discover the error that adding the EP MGMT as a correlation unit cannot be done under SMS with 5 GW license as this one has only one Correlation Unit included. I found out that the 25 version has 4 of those units. The unitary price for a Correlation Unit is 11k compared to the NGSM5 5.9k and EPMGMT 1.5k. I believe the numbers alone show why the customer would not understand why he should pay an extra 11k for seeing his logs in the existing setup. We are speaking about 100 EP Agents. So HW wise the NGSM5 should be able to correlate 100 EP Agents and 1 VE GW. To my memory 1 GW in MGMT licensing is equivalent to 1000 users. 

Here is the error - opened an SR to check and was cordially invited to speak to Account Services. 

Attempt II

Seeing as how the previous attempt ended in failure i went on with the second option. Export syslog.

Proceeded with configuring Log Exporter - Check Point Log Export (sk122323) on the EP MGMT.

This was combined with the well placed checkbox below on the SMS:

After some digging through the dark i managed to also go through SK 102995 (How to export syslog messages from Gaia Security Gateway to a Log Server and view them in SmartView Tracker). The important part was:

[Expert@HostName]# syslog -u ; syslog -r 

This has resulted in a succesful import. But as you would expect in every story there is a twist. And Check Point does sometime like to make the epic one to remember! Logs are unfortunately not parsed.

This is something of a really bad user experience so i decided together with the customer that it cannot be used like this.

There is a possibility to try to augment the result by using sk55020 (How to generate a log parser for third party syslog server). But this would take some time and effort and i don't know what to expect of the results. Anyway if anyone has tried i would be curious to see if it's viable.

Attempt III

Proceeded with sk72980 (How to configure SmartLog/SmartEvent NGSE to read logs from an external Log Server using LEA). This is our thread subject after all. Combined with sk107741 (How to configure SmartEvent NGSE to read logs from an External Log Server using LEA).

Well everything worked according to the instructions. Currently LEA is setup but i have no logs in the Management. Searched for them with fw log and searched for them with Smart Console. Where am i supposed to find them?

I do have LEA communication going on at all times:

17:10:35.000103 IP 10.10.100.100.37989 > 10.10.100.103.18184: Flags [P.], seq 5:9, ack 1, win 29, options [nop,nop,TS val 481979821 ecr 481826465], length 4

17:10:35.000159 IP 10.10.100.103.18184 > 10.10.100.100.37989: Flags [.], ack 9, win 29, options [nop,nop,TS val 481826465 ecr 481979821], length 0

Possible Future Attempt IV

I am thinking there should be a possibility to use sk72980/sk107741/sk35288 examples and edit $INDEXERDIR files and duplicate the :folder ("/opt/CPsuite-R80.20/fw1/log") line to point to a second folder where you could possibly copy the files from the EP MGMT using a script. Have not tested but this looks like the last option i have.

 

[Expert@ckp-mgmt-1:0]# cat log_indexer_custom_settings.conf

(

        :data ("/opt/CPrt-R80.20/log_indexer/data")

        :server_port ("127.0.0.1:18244")

        :dns_resolving (true)

        :dns_backresolving (true)

        :connections (

                :domain (

                        :management (

                                :name (127.0.0.1)

                                :uuid ()

                                :log_files (all)

                                :is_local (true)

                                :read_mode (CPMI)

                        )

                        :log_servers (

                                : (

                                        :name (127.0.0.1)

                                        :uuid ()

                                        :log_files (all)

                                        :folder ("/opt/CPsuite-R80.20/fw1/log")

                                        :is_local (true)

                                        :read_mode (FILES)

                                )

                           )

                )

       )

        :max_disk_space_usage (0)

Well that was a long post. Thanks for bearing with me.

Thanks,

Cezar

0 Kudos
Jeff
Contributor
Contributor

Daniel, yes you are right. Thank you for info. Interesting sk for sending logs to the R80.10 MNG. I'm already in the process of testing R80.20 EA.

0 Kudos
Tomer_Sole
Mentor
Mentor

Awesome, feedback on EA is always welcome

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events