Hi All,
I'm labbing up an 80.30 environment in VMware with two CPs. I started with cluster config in HA mode.
I have a successful green cluster up as reported in UI and CLI (show cluster state / show cluster members interfaces all). My VIP is responding as well, even when one shuts down.
However I notice these in my system logs and I'm confused:
(In this screenshot, gw-clstmembr-2 is my STANDBY)
The description says "Local Address spoofing"
The interface in question has Anti-Spoofing disabled.
There is also a rule allowing traffic from 10.1.171.0/24 to "gw-cluster" / Service ANY.
The "spoofing" element made me think this is connection tracking traffic however:
1) this is NOT the Sync interface. This is a cluster only interface. Another interface is handling sync.
2) Further google-fu showed tcp/8211 is "Connections between R80 Multi-Domain Security Management Server and Log Server"
... and I'm still confused. Is it trying to send log traffic? Why is it spoofed?
Note: the "origin" in that first screenshot is the standby cluster member, which led me to:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
"SmartView Tracker shows drop logs "Address spoofing" from Standby cluster member for traffic that is directed to the Standby member from the MAC address of the Active member."
However, I do not have VMAC enabled (it would require promiscuous mode on my VMware vSwitch).
Nor is this traffic directed at the standby; it's directed at the VIP.
I'm further confused.
Also, amidst these blocks I sometimes get these:
Functionally, everything seems to work with the exception of an error message when viewing logs (Yellow bar stating log server is disconnected) but ONLY if I enable log indexing.
on which interface?
eth0 is my WAN interface
eth1 is my MGMT interface - FW1: 10.1.171.253 / FW2: 10.1.171.254 / VIP: 10.1.171.1
eth2 is my SYNC interface
eth1 is seeing this.
Something is not okay with your VM networks or log server config. The traffic is about logs the FW sends to the MGMT log server. It is a mystery to me why the cluster member is sending logs to the cluster VIP.
Let me post some screenshots that I think might be relevant:
Another question. Did you install Full HA by any chance? This port should not be used on just GW cluster, AFAIK...
I don't believe so. Don't think I've come across the term (until you posted, and I only see one mention of "full ha" in the guide). I installed from Check_Point_R80.30_T200_Security_Gateway.iso
I followed the ClusterXL Failover Mode guide for HA Mode:
https://dl3.checkpoint.com/paid/48/4808360334cfd91e38eb192da36ea686/CP_R80.30_ClusterXL_AdminGuide.p...
OK, I see your error. Remove this check box and reinstall policy.
You defined the cluster itself as a log server with it.
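The fix above hinges on what ends up in the gateway's $FWDIR/conf/masters file after policy install: if the cluster object is its own log server, the [Log] targets written there include the cluster's own VIP, and the member then tries to ship logs to itself. The following is an added example (not code from this thread or from Check Point) that parses a masters file and flags log/alert targets that point at the cluster's own addresses. The INI-like layout of masters ([Policy], [Log], [Alert] sections with one host or IP per line) and the sample file contents are assumptions; the addresses reuse the thread's 10.1.171.0/24 values, with 10.1.171.50 as a hypothetical management server.

```python
"""Flag self-referencing log targets in a Check Point $FWDIR/conf/masters file.

Added example for the CheckMates thread above; not Check Point code.
Assumed file layout: INI-style section headers [Policy], [Log], [Alert],
followed by one management/log-server host or IP per line.
"""
import ipaddress

# Constructed sample: the [Log] and [Alert] sections contain the cluster VIP
# (10.1.171.1) alongside a hypothetical management server (10.1.171.50),
# which is what "cluster object defined as its own log server" produces.
SAMPLE_MASTERS = """[Policy]
10.1.171.50
[Log]
10.1.171.50
10.1.171.1
[Alert]
10.1.171.1
"""

# Addresses from the thread: member 1, member 2, and the cluster VIP on eth1.
CLUSTER_LOCAL_ADDRESSES = ("10.1.171.253", "10.1.171.254", "10.1.171.1")


def parse_masters(text):
    """Return {section_name: [target, ...]} for an INI-style masters file.

    Blank lines and '#' comments are skipped; lines before the first
    section header are ignored because the assumed format has none.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def self_referencing_targets(sections, local_addresses,
                             section_names=("Log", "Alert")):
    """Return [(section, target)] for targets that are one of local_addresses.

    Hostname targets are skipped rather than resolved, so the check runs
    offline; only literal IPs are compared.
    """
    local = {ipaddress.ip_address(a) for a in local_addresses}
    findings = []
    for name in section_names:
        for target in sections.get(name, []):
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                continue  # hostname, not checked offline
            if addr in local:
                findings.append((name, target))
    return findings


def check_masters_file(text, local_addresses=CLUSTER_LOCAL_ADDRESSES):
    """Convenience wrapper: parse, then flag self-referencing targets."""
    return self_referencing_targets(parse_masters(text), local_addresses)


if __name__ == "__main__":
    for section, target in check_masters_file(SAMPLE_MASTERS):
        print(f"[{section}] target {target} is a local cluster address; "
              "logs sent here will be dropped as local address spoofing")
```

To run it against a real member, replace SAMPLE_MASTERS with the contents of $FWDIR/conf/masters (read it after policy install, since the file is rewritten each time) and the tuple of local addresses with the member's own IPs plus every cluster VIP. An empty result after unchecking the log-server box and reinstalling policy is the confirmation that the fix took.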
Will go do so now. Thank you for your quick follow up this morning.
Could you ELI5 to a CP Noob?
I assumed I need this to even be able to view logs (I'm now assuming this isn't the case after your suggestion).
Is having a log server on the same box as the Gateway/FW [that's participating in ClusterXL] not supported?
Receiving this message when I click "OK" to close down the gateway/cluster properties box to uncheck that.
Not finding where to clear this yet...
Attempted to follow this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
"$FWWDIR/conf/masters file on Security Gateway is overwritten during each policy installation"
In hopes of manually removing what seems to be auto-configuration? But every policy install still results in it being overwritten. Applied the action in sk102712 to the cluster object and both gateway objects in GuiDBedit.
3 posts in the moderation queue. This is the 4th. Sorry about that.
I made a mistake in following the last sk, though I was required to do some more hard digging to be able to uncheck the box you speak of. I went into GuiDBedit for the cluster object + the 2 gateways and cleared out send_alerts_to/send_logs_to. Only after that was I able to uncheck it.
.... and now I have no logs. While I await the moderation queue, I flipped my assumption and am now trying to back in the Security_Mgmt.iso on a 3rd VM, into the existing cluster.
A little saddened with this as otherwise I have working HA, routing, NAT'ing, etc.
Is it really not an option to have local logging only on the ACTIVE? I get the lack of "central logging" in that scenario, but still...
I almost had it, but I royally messed things up and then accidentally rm -rf'd one of the members' *conf folders. Even when I had a single router left though, I couldn't back in a mgmt gateway into an existing cluster.
I used the Python script to save my prototype objects/rules. Blew everything out. Started with the mgmt server first. It all worked out, and even took the Python script restore before I got to applying the latest Jumbo Hotfix in CPUSE.
ALMOST worth the exercise...