This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jfmoral
Participant
‎2022-07-05 10:57 AM

Send Radware syslog messages to Smart Event

Hi.

Does anyone know how can I see syslog messages sent by Radware DDoS appliances in SmartEvent?

I've already configured syslog in Radware Appliances, and I selected the "Accept syslog messages" on SmartEvent configuration.

Do I have to configure something special to receive syslog messages?

 

Thanks in advance.

SmartEvent Smart-1 Appliances 

SmartEvent
SmartEvent
Quantum
Smart-1 Appliances
Smart-1 Appliances
Quantum
0 Kudos
9 Replies
the_rock
Champion
Champion
‎2022-07-05 01:49 PM

Im not personally aware of any special config. Is there communication back and forth?

 

Andy

0 Kudos
jfmoral
Participant
‎2022-07-05 02:13 PM
In response to the_rock

Yes, I created a special rule to permit traffic between Radware appliances and SmartEvent.

I don't see any syslog traffic.

0 Kudos
the_rock
Champion
Champion
‎2022-07-05 02:23 PM
In response to jfmoral

Can you run zdebug on the fw to see if traffic is getting dropped?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-07-05 03:07 PM

Did you follow the steps here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
jfmoral
Participant
‎2022-07-05 05:12 PM
In response to PhoneBoy

DDoS Appliances were implemented by a Radware engineer, those appliances are working correctly and don't have Analytics License, that's why the customer want to send the syslog messages to SmartEvent.

0 Kudos
the_rock
Champion
Champion
‎2022-07-05 05:38 PM
In response to jfmoral

If I were you, I would do some captures on the firewall to make sure thats not blocking this traffic.

0 Kudos
jfmoral
Participant
‎2022-07-05 05:40 PM
In response to the_rock

Yes, tomorrow I will capture traffic.

I'll share you the results.

the_rock
Champion
Champion
‎2022-07-05 05:54 PM
In response to jfmoral

Here are commands I would run...say Radware ip is 10.10.10.100, I would run below commands:

tcpdump -nni any host 10.10.10.100

fw monitor -e "accept host(10.10.10.100);"

fw monitor -F '10.10.10.100,0,0,0,0' -F '0,10.10.10.100,0,0,0'

fw ctl zdebug + drop | grep 10.10.10.100

Andy

0 Kudos
_Val_
Admin
Admin
‎2022-07-06 12:00 AM
In response to PhoneBoy

In addition to what PhoneBoy said, you may want to look into sk55020 as well

0 Kudos