I think, in the long run, it will be a much cleaner solution if you just assign a public IP address to the management server. That way, you can manage the remote firewall even if your local firewall happens to be either a Cisco Pix or Raptor or whatever it might be. Just place the management on a "secure dmz" network with a public IP and you're good to go, provided that your local security policy is strong and secure.

Now what Patrick proposes has several limitations. One of the limitations, if I remember correctly, is that if the remote firewall reboots for whatever reason, when it comes back online, it may NOT be able to "fetch" the policy from the Management Server. I could be wrong on this one since the last time I dealt with this was in August 2004. The reason is that when you are dealing with Checkpoint SIC and Certificate (which the enforcement module and management server are doing), they just do not work well with NAT.

While I still think that you should go with assigning a public IP to your management server because it is a much cleaner solution, you should contact Checkpoint TAC and they will explain to you the "pros" and "cons" of static NATing the management server much better than I can. The reason that I suggested that you should go with a public IP on the management server is that later down the road, if you want to set up a secondary management server at a different location and have it be able to communicate with the primary management server across the Internet, it will be much easier for you. Like I said, when dealing with SIC and certificates, it is not worth the trouble to NAT.

By the way, back in 2004 when I spoke to one of the Checkpoint developer engineers from Israel who came here to give myself and several people a crash course on Provider-1 NG R55, he told me that you will be able to static NAT the management server across a Checkpoint FW without any restrictions, and that it will be available in NGx. I could be wrong but last time I checked, there are still limitations even with NGx.

I hope that will help you make your decision a little easier.
cisco4ng
Patrick Babij <braintek AT VIDEOTRON DOT CA> wrote:
Here's what you need to do:
- Static NAT your management server object
- In the NAT properties of your object, check the "Apply for Firewall-1 & VPN-1 control connections" option.

This will allow the remote fw to send logs to the mgmt server.

If the "Apply for Firewall-1 & VPN-1 control connections" box is not checked and static NAT is enabled, you will be able to push policies to the remote fw module successfully (but will have an error); consequently, the remote fw won't be able to send logs to the mgmt server. I think this is your situation.
----- Original Message -----
From: "cisco4ng"
To:
Sent: Friday, January 27, 2006 7:21 AM
Subject: Re: [FW-1] Don't receive remote logfiles
> What Reinhard is referring to is the "dummy-object" approach where you define the secondary mgmt object with the static IP of your management server.
>
> However, if I am not mistaken, starting with R55 and higher, in the management server object itself, you have a check box where you can specify that your management is behind your local firewall so that it knows what to do. There is still a limitation to this though.
>
> The best idea, in my opinion, is to give your management a public IP address and route this IP through your local firewall. That way, you will not have any problems, because Checkpoint uses SIC and certificates and when NAT is involved, there can be problems. From a technical point of view, there is no difference between static NAT and a public IP because the whole world knows your public IP anyway. What matters is what you do on the security policy of the local firewall to protect your management server (Windows 2003).
>
> FYI, I ran into this problem all the time, especially when the management server is sitting behind a Cisco Pix firewall. The solution is to either go with what Reinhard described above (keep in mind that there are limitations with what you can do with this approach due to SIC and certificates), or go assign a public IP to your management server. I usually go with the latter approach if I know that I have a very strong security policy on the Cisco Pix (in your case, your local Checkpoint firewall).
>
> my 2 cents.
>
> cisco4ng
>
> Reinhard Stich wrote:
> hi,
>
> the best idea for that is to define a secondary mgmt object with the static-NAT IP of your mgmt-server.
>
> then define this object as log-server and mgmt-server for your remote gateway.
>
> cheers
> reinhard
>
> At 12:52 27.01.2006, you wrote:
>>Hi,
>>
>>I have a central management server and two firewalls, one on the same LAN as the management server and one remote.
>>I get logs for the local firewall but not for the remote.
>>
>>I have a rule for this FW to Management server allow FW1_log.
>>I can get the log through remote file management.
>>
>>The firewalls are Nokia with 3.8.1-BUILD029 and CPfw1-R55p.
>>The management server is a Windows 2003.
>>
>>The setup for the local and remote firewall are the same.
>>At Logs and Masters:
>> Schedule log switch at Midnight
>>
>>Additional logging
>> Forward logs to Management server
>> Schedule at Midnight
>>
>>Masters
>> Define Masters -> Management server
>>
>>Log Servers
>> Define Log servers -> Management Server
>>
>>What must I do to get this working?
>>
>>TIA
>>
>>=================================================
>>To set vacation, Out-Of-Office, or away messages,
>>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>>in the BODY of the email add:
>>set fw-1-mailinglist nomail
>>=================================================
>>To unsubscribe from this mailing list,
>>please see the instructions at
>>http://www.checkpoint.com/services/mailing.html
>>=================================================
>>If you have any questions on how to change your
>>subscription options, email
>>fw-1-owner AT ts.checkpoint DOT com
>>=================================================
>
> --
> Reinhard Stich ASSIST R.Stich AT internet-security DOT at
> Internet Security AG, 1150 Wien, Johnstrasse 29
> Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
>
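Added example, not from the thread or from Check Point: a small Python probe a defender could run from the remote gateway's side to confirm that the address it uses for the management server (its public or static-NAT IP) accepts the control-connection services the thread discusses. The port numbers (FW1_log on TCP 257, CPD on TCP 18191), the injectable connector and the sample address are this example's assumptions.

```python
import socket
from typing import Callable, Dict, List

# Assumed for this example: the two services the remote gateway must reach on
# the management server's published address. FW1_log carries log forwarding
# (TCP 257) and CPD carries SIC control connections such as policy install
# (TCP 18191). These are standard Check Point service ports, not from the thread.
CONTROL_SERVICES: Dict[str, int] = {"CPD": 18191, "FW1_log": 257}


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_management_reachability(
    mgmt_ip: str, connect: Callable[[str, int], bool] = tcp_connect
) -> Dict[str, bool]:
    """Probe every control service on the address the remote gateway uses for
    the management server. `connect` is injectable so the check can run against
    a fake connector (as in the test) instead of a live network."""
    return {name: connect(mgmt_ip, port) for name, port in CONTROL_SERVICES.items()}


def blocked_services(results: Dict[str, bool]) -> List[str]:
    """Names of services that did not accept a connection, sorted for stable output."""
    return sorted(name for name, ok in results.items() if not ok)


def describe(results: Dict[str, bool]) -> str:
    """Map the probe outcome onto the symptom from the thread: policy install
    succeeding while no logs arrive is consistent with CPD being open while
    FW1_log is not reachable through the local firewall's NAT/policy."""
    blocked = blocked_services(results)
    if not blocked:
        return "all control services reachable"
    if blocked == ["FW1_log"]:
        return "FW1_log blocked: policy install may work but remote logs will not arrive"
    return "blocked: " + ", ".join(blocked)


if __name__ == "__main__":
    # Constructed address (TEST-NET-1); replace with the management server's
    # public or static-NAT IP as seen from the remote gateway.
    outcome = check_management_reachability("192.0.2.10")
    print(outcome, "->", describe(outcome))
```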