This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mato_b
Explorer
‎2019-03-27 03:46 AM

SIEM can not hit CMA behind NAT

hi Guys,

I have an issue to make a connection between SIEM server and CMA. . This setup is a little bit tricky as there is used NAT. Checkpoint VSX is based on R77.30 where customer's CMA has IP 155.0.0.13 it is linked with customer dedicated MLM (30.249.0.11) based on Gaia R77.30. Customer's SIEM is McAffee application with IP 10.0.0.1. 

The main problem is all these devices are in separated networks divided by FWs and SIEM IP 10.0.0.1 is not allowed in CMA network and same for CMA and CLM 155.0.0.13 and 30.x.x.x are not allowed in customer SIEM network, thus I used NAT.

 

SIEM(10.0.0.1)->checkpoint FW(10.0.0.1 natted to 30.249.0.1)->CMA(155.0.0.13)

reverse flow

CMA(155.0.0.13)->checkpoint FW(155.0.0.13 natted to 30.249.0.13)->SIEM(10.0.0.1)

I am not writing about CLM yet, because first we have to make a connection with CMA.

I see traffic is NATted, drops checked with zdebug. I got trust established on CMA however McAffee still can not connect to CMA. 

diagram.jpg

hope it make sense 🙂

My question is that if this setup is correct and if is possible to make such a connection where is NAT used. 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2019-03-27 06:09 PM

You didn't say if you were using LEA or Log Exporter to get the logs to the SIEM.
In either case, NAT shouldn't make a difference here.
Have you done actual packet captures to verify traffic is flowing at all?
0 Kudos
mato_b
Explorer
‎2019-03-28 06:13 AM
In response to PhoneBoy

hi, 

I am using LEA to get the logs.

yes, I did a captures on both firewalls, traffic is NATted as expected and zdebug did not find any drops (grep set to port 18210 or IPs), also logs without drops.

I wonder if I have set correct Host in OPSEC application properties:

properties.png

Should I used original SIEM Host which is 10.0.0.1 or NATted IP 30.249.0.1?

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-03-28 12:14 PM
In response to mato_b

Please take into consideration, that OPSEC objects are not supported in R80. You will need to delete OPSEC objects in order to upgrade management from R77.30 to R80.

Log Exporter is the way to go.

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-28 03:02 PM
In response to JozkoMrkvicka

I don't believe that's strictly true.
You can create "OPSEC Application" objects in R80.20.
0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-28 03:00 PM
In response to mato_b

NATted IP is what I would use.
That said, I second the suggestion to use Log Exporter.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events