E_Lastname
Participant

Provider-1: Logging to Domain for Remote Gateways in Lab Question

Hello Everyone,

I have a question regarding logging in a Provider-1 environment for remote gateways/clusters. I think I know the answer; however, I would like confirmation. I have built up a simple lab following my old R71 Provider-1 lab manual. I have an MDS with two Domains [CMAs], both hidden behind the NOC firewall with all the required rules in place. The first domain manages the NOC and the second the remote cluster. The second domain [non-NOC CMA] has a host object NATted to a public IP as per the lab manual documentation. Policy installation works fine; however, logging is being sent to the remote site's domain [CMA] using the internal address and not the public IP, which causes remote logs not to show up in SmartView Tracker. This was confirmed with a simple packet capture using port 257.

The following doesn’t fix the issue:

  • Manual NAT rule to try forcing the translation.
  • Dummy object with the Public IP of the domain placed under the remote cluster's settings [Logs - Additional Logging Configuration - Log Forwarding]. I added the dummy object and a log forwarding schedule of every minute without success.

I'm sure a VPN will solve the issue but would like to know if this is the only solution. I re-read the Provider-1 docs and understand that a routable IP should be used, which would rid myself of this headache. I have no problem re-building my lab or setting up a VPN to do so but would like to see if there is another way. Any SK or advice would be much appreciated.

Thanks in advance.

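The packet capture the poster used to confirm the symptom can be turned into a repeatable check. The script below is an added example and is not part of the thread or any Check Point tooling: it reads `tcpdump -n` style summary lines (the sample lines are constructed, using RFC 5737 documentation addresses) and reports, for every packet to TCP port 257 (the log port named in the post), whether the destination is the address the gateway is expected to log to or some other address such as the CMA's internal IP. The function names and the expected-IP argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Classify where a gateway is sending its
# log traffic (TCP 257) based on tcpdump -n summary lines read from stdin.

# Constructed sample capture, in the format of 'tcpdump -n' output.
# 10.1.1.5 stands for the CMA's internal address, 198.51.100.20 for its
# public (NATted) address, 203.0.113.10 for the remote gateway.
SAMPLE_CAPTURE='12:00:01.000000 IP 203.0.113.10.42345 > 10.1.1.5.257: Flags [S], seq 1, length 0
12:00:01.000100 IP 203.0.113.10.42345 > 10.1.1.5.257: Flags [P.], seq 1:101, length 100
12:00:02.000000 IP 203.0.113.10.42346 > 198.51.100.20.257: Flags [S], seq 5, length 0
12:00:03.000000 IP 203.0.113.10.50000 > 198.51.100.20.18191: Flags [S], seq 9, length 0'

# check_log_dest EXPECTED_IP < capture
# Prints one line per packet destined to TCP 257: "ok <dst>" when <dst> equals
# EXPECTED_IP (the address the gateway should log to), otherwise "wrong <dst>".
# Packets to other ports (e.g. 18191 for policy install) are ignored.
check_log_dest() {
    expected="$1"
    awk -v want="$expected" '
        # tcpdump -n summary: $1 time, $2 "IP", $3 src.port, $4 ">", $5 "dst.port:"
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, parts, ".")
            if (n != 5 || parts[5] != "257") next   # IPv4 only; log port only
            ip = parts[1] "." parts[2] "." parts[3] "." parts[4]
            print (ip == want ? "ok " : "wrong ") ip
        }'
}

# count_wrong EXPECTED_IP < capture
# Number of log packets leaving for an address other than EXPECTED_IP.
# A non-zero result reproduces the symptom described in the post.
count_wrong() {
    check_log_dest "$1" | grep -c '^wrong ' || true
}

# Demonstration on the constructed sample: two packets go to the internal
# address instead of the public one.
printf '%s\n' "$SAMPLE_CAPTURE" | check_log_dest 198.51.100.20
```

On a real gateway the input would come from a capture on the external interface, for example `tcpdump -n -i <ext_if> tcp port 257`, piped into `check_log_dest <public CMA IP>`; a `wrong` line with the internal CMA address is exactly the misrouting the poster observed.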

Accepted Solutions
E_Lastname
Participant

Solved it, although using a routable address as per the documentation is the best way to go. You can definitely NAT it behind a firewall, and I ended up using a dummy object. I had made the initial mistake of defining the dummy object under Logs - Additional Logging. I completely forgot that there is a section right under Logs when you click on it. There was no need to expand and go to the Additional Logging section and set log forwarding with a defined schedule. I did notice, however, that dummy management objects create issues when moving to a newer release and attaching a CPSB-DMN-U to a Domain/CMA.

E_Lastname
Participant

Just wanted to add that I just set up a site-to-site VPN between domains and the problem persists. Traffic using port 257 is still leaving the external interface and not being pushed through the tunnel. I noticed that Varera mentioned the following on CPUG:

With implied rules it is out of vpn tunnel, and there are good reasons to have it this way.

I assume that this is my problem now with the VPN setup. I read that it seems to work according to another CPUG user, but he was referencing a site-to-site VPN using a third-party firewall at the NOC and not another Check Point device. It's looking more and more like I need routable IPs and a NAT will not work. I look forward to hearing from someone confirming the latter statement if possible.

Cheers.

