Friday, January 23, 2015

Overriding default logging settings of FWs

In distributed security systems, where remote FW modules can reach the central SMS both via the Internet and over private MPLS networks, central logging can become a challenge. With the SMS behind NAT, the FW will try to send logs to the external NAT-ed MGMT IP address. If the Internet is not available, logging fails.

It may be necessary to allow logging both via Internet and MPLS, depending on availability. In this case, some manual changes are required.

Configuration steps


To override automatic log server assignment, one has to perform several actions both on the Management server and on the remote FW.

On FW module


Log into the expert shell on the FW module. Locate the $FWDIR/conf/masters file and create a reserve copy of it as masters.old.
Open the file for editing with the vi editor. Under the [Log] section, put both the internal and the NAT-ed IP address of the MGMT server instead of the object name, as shown in the following example:

[Policy]
mgmt object name
[Log]
MGMT internal IP
MGMT NAT_ed IP

[Alert]
mgmt object name

Save and close the file.

On Management


Make sure the MGMT DB is not locked by an administrative session. Open the GUIDBEdit tool and log in to the Management station.

In the object tree, go to Network Objects / network_objects. In the Object Name window, find the FW object to change; use Ctrl-F3 to search if required. Open the FW object by double-clicking on it.
In the Fields window, search for the define_logging_servers field and change its value from True to False. Save the database and exit the GUIDBEdit tool.
Open SmartDashboard, locate the FW object and go to the Logs tab. Make sure the FW now uses the local log server definitions.

Install policy on the FW.
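As an added example (not part of the original post), the following POSIX shell helper performs the FW-module step described above from the expert shell: it backs the masters file up as masters.old, replaces the entries under [Log] with the internal and NAT-ed MGMT addresses while leaving [Policy] and [Alert] untouched, and prints the resulting log targets so the edit can be checked before policy installation. The IP addresses used are placeholders; the GUIDBEdit change on the Management side still has to be done by hand.

```shell
#!/bin/sh
# Added example: rewrite the [Log] section of a Check Point
# $FWDIR/conf/masters file so the module logs to explicit MGMT
# addresses instead of the management object name.
# Usage (placeholder IPs, assumption for illustration):
#   rewrite_log_section "$FWDIR/conf/masters" 10.0.0.5 203.0.113.5

# rewrite_log_section FILE INTERNAL_IP NAT_IP
# Keeps a one-time backup as FILE.old, then replaces every entry
# under [Log] with the two IPs. Other sections are copied as-is.
rewrite_log_section() {
    file=$1; ip_in=$2; ip_nat=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -f "$file.old" ] || cp "$file" "$file.old"
    awk -v ip_in="$ip_in" -v ip_nat="$ip_nat" '
        /^\[Log\]/     { print; print ip_in; print ip_nat; in_log = 1; next }
        /^\[/          { in_log = 0 }
        in_log && NF   { next }     # drop the old [Log] entries
        { print }                   # everything else, blank lines included
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# log_targets FILE
# Prints the non-blank entries currently listed under [Log].
log_targets() {
    awk '/^\[Log\]/  { in_log = 1; next }
         /^\[/       { in_log = 0 }
         in_log && NF { print }' "$1"
}
```

Run log_targets on the edited file and confirm both addresses are listed before installing policy.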

2 comments:

  1. There's a simpler solution described in sk100583.

  2. Thanks, David. That did not work in this particular case. The cause is that although MPLS is the preferred route, all Check Point FWs other than the 11 series send logs to the external MGMT NAT-ed address with the default setting in place.

    The funny part is that SIC is working just fine without an additional change in that case, but logs do not.
