In a distributed security system, where remote FW modules can reach the central SMS both via the Internet and over private MPLS networks, central logging may become a challenge. With the SMS behind NAT, the FW will try to send logs to the external NAT-ed MGMT IP address. If the Internet is not available, logging fails.
It may be necessary to allow logging both via Internet and MPLS, depending on availability. In this case, some manual changes are required.
Configuration steps
To override automatic log server assignment, one has to perform several actions, both on the Management server and on the remote FW.
On FW module
Log into the expert shell on the FW module. Locate the $FWDIR/conf/masters file and create a backup copy of it as masters.old.
Open the file for editing with vi. Under the [Log] section, put both the internal and the NAT-ed IP address of the MGMT server instead of the object name, as shown in the following example:
[Policy]
mgmt object name
[Log]
MGMT internal IP
MGMT NAT_ed IP
[Alert]
mgmt object name
Save and close the file.
On Management
Make sure MGMT DB is not locked by an administrative session. Open GUIDBEdit tool and log in to the Management station.
In the object tree, go to Network Objects / network_objects. In the Object Name window find the FW object to change. Use Ctrl-F3 to search, if required. Enter the FW object by double-clicking on it.
In the Fields window search for define_logging_servers field and change its value from True to False. Save database and exit GUIDBEdit tool.
Open SmartDashboard. Locate FW object and go to Logs tab. Make sure FW now uses local log server definitions.
Install policy on the FW.
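As an added example (not part of the original post), the following shell script automates the "On FW module" step above: it backs up masters to masters.old, rewrites only the [Log] section with the two management addresses, and checks the result. The file path, object name and IP addresses are constructed placeholders; on a real module you would point it at $FWDIR/conf/masters.

```shell
#!/bin/sh
# Added example, not Check Point code. Rewrites the [Log] section of a
# $FWDIR/conf/masters file so the module logs to both the internal and the
# NAT-ed MGMT address. All other sections ([Policy], [Alert]) are kept as is.

# rewrite_log_section <masters file> <internal IP> <NAT-ed IP>
# Prints the rewritten file to stdout.
rewrite_log_section() {
    awk -v int_ip="$2" -v nat_ip="$3" '
        /^\[/ {                      # section header: [Policy], [Log], [Alert]
            if (in_log) { print int_ip; print nat_ip; in_log = 0 }
            print
            in_log = ($0 == "[Log]")
            next
        }
        in_log { next }              # drop the old object name under [Log]
        { print }
        END { if (in_log) { print int_ip; print nat_ip } }
    ' "$1"
}

# replace_masters <masters file> <internal IP> <NAT-ed IP>
# Keeps the original as <file>.old, as the manual procedure does.
replace_masters() {
    f="$1"
    cp "$f" "$f.old" || return 1
    rewrite_log_section "$f.old" "$2" "$3" > "$f"
}

# check_log_section <masters file> <internal IP> <NAT-ed IP>
# Succeeds only if [Log] contains exactly those two addresses.
check_log_section() {
    awk -v int_ip="$2" -v nat_ip="$3" '
        /^\[/ { in_log = ($0 == "[Log]"); next }
        in_log && NF { n++; if ($0 == int_ip) a = 1; if ($0 == nat_ip) b = 1 }
        END { exit !(n == 2 && a && b) }
    ' "$1"
}

# Demo on a constructed masters file (placeholder object name and IPs).
demo_dir=$(mktemp -d)
printf '[Policy]\nmgmt_srv\n[Log]\nmgmt_srv\n[Alert]\nmgmt_srv\n' > "$demo_dir/masters"
replace_masters "$demo_dir/masters" 10.0.0.10 198.51.100.10
cat "$demo_dir/masters"
```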
There's a simpler solution described in sk100583
Thanks, David. That did not work in this particular case. The cause is that although MPLS is the preferred route, all Check Point FWs other than the 11 series send logs to the external MGMT NAT-ed address with the default setting in place.
The funny part is that SIC is working just fine without an additional change in that case, but logs do not.
Thank you for your post, very helpful.
Considering it is almost 5 years old, I am surprised you still find it useful :-)