mato_b
Explorer

SIEM can not hit CMA behind NAT

hi Guys,

I have an issue making a connection between the SIEM server and the CMA. This setup is a little bit tricky because NAT is used. The Check Point VSX is based on R77.30; the customer's CMA has IP 155.0.0.13 and is linked with a customer-dedicated MLM (30.249.0.11) based on Gaia R77.30. The customer's SIEM is a McAfee application with IP 10.0.0.1.

The main problem is that all these devices are in separate networks divided by firewalls: the SIEM IP 10.0.0.1 is not allowed in the CMA network, and likewise the CMA and CLM addresses 155.0.0.13 and 30.x.x.x are not allowed in the customer's SIEM network, so I used NAT.


SIEM(10.0.0.1)->checkpoint FW(10.0.0.1 natted to 30.249.0.1)->CMA(155.0.0.13)

reverse flow

CMA(155.0.0.13)->checkpoint FW(155.0.0.13 natted to 30.249.0.13)->SIEM(10.0.0.1)

I am not writing about CLM yet, because first we have to make a connection with CMA.

I see the traffic is NATted; drops were checked with zdebug. I got trust established on the CMA, however McAfee still cannot connect to the CMA.

[image: diagram.jpg]

Hope it makes sense 🙂

My question is whether this setup is correct and whether it is possible to make such a connection where NAT is used.

5 Replies
PhoneBoy
Admin

You didn't say if you were using LEA or Log Exporter to get the logs to the SIEM.
In either case, NAT shouldn't make a difference here.
Have you done actual packet captures to verify traffic is flowing at all?
mato_b
Explorer

Hi,

I am using LEA to get the logs.

Yes, I did captures on both firewalls; traffic is NATted as expected and zdebug did not find any drops (grep set to port 18210 or the IPs). The logs also show no drops.

I wonder if I have set correct Host in OPSEC application properties:

[image: properties.png]

Should I use the original SIEM host, which is 10.0.0.1, or the NATted IP 30.249.0.1?

JozkoMrkvicka
Leader

Please take into consideration that OPSEC objects are not supported in R80. You will need to delete OPSEC objects in order to upgrade management from R77.30 to R80.

Log Exporter is the way to go.

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin

I don't believe that's strictly true.
You can create "OPSEC Application" objects in R80.20.
PhoneBoy
Admin

NATted IP is what I would use.
That said, I second the suggestion to use Log Exporter.
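As an added example (not code from the thread or from Check Point), a small Python model of the NATted LEA path described above, showing why the OPSEC Application object's Host has to be the address the CMA actually sees, i.e. the NATted IP. The static NAT mapping is taken from the two flows in the question; the port numbers 18184 (FW1_lea) and 18210 (FW1_ica_pull, mentioned earlier in the thread) are assumptions about which services the object must be reachable on.

```python
from dataclasses import dataclass

LEA_PORT = 18184       # FW1_lea: port the LEA client pulls logs from (assumed)
ICA_PULL_PORT = 18210  # FW1_ica_pull: certificate pull while establishing SIC trust (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int   # server-side port of the session, carried along unchanged


# Constructed static NAT table for the firewall between SIEM and CMA, taken from the
# post's two flows: 10.0.0.1 <-> 30.249.0.1 (SIEM) and 155.0.0.13 <-> 30.249.0.13 (CMA).
STATIC_NAT = {"10.0.0.1": "30.249.0.1", "155.0.0.13": "30.249.0.13"}
REVERSE_NAT = {nat: real for real, nat in STATIC_NAT.items()}


def translate(pkt: Packet) -> Packet:
    """One firewall traversal: a real source is hidden behind its NAT address and a
    NAT destination is unhidden to the real host. Static NAT is symmetric, so the
    same rule serves both the SIEM->CMA request and the CMA->SIEM reply."""
    return Packet(STATIC_NAT.get(pkt.src, pkt.src), REVERSE_NAT.get(pkt.dst, pkt.dst), pkt.dport)


def cma_accepts(pkt: Packet, opsec_host: str) -> bool:
    """CMA-side view: the OPSEC Application object's Host must equal the source address
    the CMA actually observes, and the port must be one of the OPSEC services."""
    return pkt.src == opsec_host and pkt.dport in (LEA_PORT, ICA_PULL_PORT)


def trace_lea(siem_ip: str, cma_nat_ip: str, opsec_host: str, dport: int = LEA_PORT) -> dict:
    """Walk the request to the CMA and the reply back, reporting what each side sees."""
    at_cma = translate(Packet(siem_ip, cma_nat_ip, dport))          # SIEM -> FW -> CMA
    reply = translate(Packet(at_cma.dst, at_cma.src, dport))         # CMA -> FW -> SIEM
    return {
        "seen_by_cma": at_cma,
        "accepted": cma_accepts(at_cma, opsec_host),
        "reply_reaches_siem": reply.dst == siem_ip,
    }


if __name__ == "__main__":
    # Compare the two Host choices the question asks about.
    for host in ("10.0.0.1", "30.249.0.1"):
        print(host, trace_lea("10.0.0.1", "30.249.0.13", host))
```

With the original SIEM address as Host the CMA sees a source of 30.249.0.1 and rejects the session; with the NATted address it accepts, and the reply is translated back to 10.0.0.1.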