[cmax-security-group] CLM , FW1 , CMA

  • From: "Security Operation Center" <soc@xxxxxxxxxxxxx>
  • To: <cmax-security-group@xxxxxxxxxxxxx>
  • Date: Thu, 29 May 2003 16:07:09 +0530

Hello Ramesh,
I am back in the office.  Yes, you should be able to forward logs from multiple 
firewalls to a single CLM.  Here are the steps you should perform to set up 
this configuration.  I'm sure you have performed some of these because you are 
able to log from the COMSAT FW. The configuration for the customer FW should 
use the same steps.
 
  • Define the CLM
  • Establish SIC communication from the CMA to the CLM
  • Define the firewall object on your CMA
  • Select the Logs and Masters option
  • Select the Masters option and include the CMA as a master
  • Select the Log Servers option and include the CLM as a log server
  • Establish SIC communication from the CMA to the firewall
  • Install a policy on the firewall that allows log traffic from the Firewall
    to the CLM
  • Install the user database on the CLM (this must occur every time you
    define a new firewall)

On the firewall, the $FWDIR/conf/masters file should look something like
this:
 [Policy]       
 CMA-Perimeter  
 [Log]          
 CLM-Perimeter  
 [Alert]        
 CLM-Perimeter 

Do you see connection requests to port 257 leave the firewall?  TCPDUMP on the 
FW will show this if the policy is allowing the traffic and you can verify the 
source and destination addresses.  The log traffic will be sourced from the 
licensed interface address.  Does the CLM network have routing to the licensed 
interface network? If this traffic is leaving the FW, is it reaching the CLM?

Let me know what you find.

Thanks,

 Andy Latimer
 Lockheed Martin  C&NS
 Office:  (407) 306-4678
 E-Mail:  andy.latimer@xxxxxxxx
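
The masters file layout described in the message above can be checked mechanically. This is an added example, not part of the original message or of Check Point's tooling; the function names are hypothetical, and it assumes the file holds one host name per line under bracketed section headers, as in the sample shown.

```shell
#!/bin/sh
# Added example: verify that a masters file lists the CMA under [Policy]
# and the CLM under [Log] and [Alert], as in the layout quoted above.

# Print the entries under one [Section] of a masters file, one per line.
# $1 = file, $2 = section name without brackets
masters_section() {
    awk -v want="[$2]" '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }          # trim blanks and stray CRs
        $0 == "" { next }                           # skip empty lines
        /^\[.*\]$/ { insec = ($0 == want); next }   # section header
        insec { print }
    ' "$1"
}

# Return 0 if host $3 appears (exact match) in section $2 of file $1.
masters_has() {
    masters_section "$1" "$2" | grep -Fxq -- "$3"
}

# Check all three sections. $1 = file, $2 = CMA name, $3 = CLM name
check_masters() {
    rc=0
    masters_has "$1" Policy "$2" || { echo "[Policy] does not list $2"; rc=1; }
    masters_has "$1" Log    "$3" || { echo "[Log] does not list $3"; rc=1; }
    masters_has "$1" Alert  "$3" || { echo "[Alert] does not list $3"; rc=1; }
    return $rc
}

# Constructed sample: the layout from the message, written to a temp file.
sample=$(mktemp)
printf '%s\n' ' [Policy]' ' CMA-Perimeter  ' ' [Log]' ' CLM-Perimeter  ' \
              ' [Alert]' ' CLM-Perimeter ' > "$sample"
check_masters "$sample" CMA-Perimeter CLM-Perimeter && echo "masters file OK"
```

On the firewall itself, pass "$FWDIR/conf/masters" as the file argument, with the object names used in your own CMA.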


-----Original Message-----
From: Ramesh.Gaikwad@xxxxxxxxxxxxx [mailto:Ramesh.Gaikwad@xxxxxxxxxxxxx] 
Sent: Monday, July 01, 2002 7:20 AM
To: Latimer@xxxxxxxxxxxxxxxx; Andy
Cc: ob.jacob@xxxxxxxxxxxxx; atul.dalal@xxxxxxxxxxxxx
Subject: Re:RE: Customer Log Module Configuration in NG FP1

Dear Andy,

Thanks for your reply. I am able to establish the SIC between my customer log
module and the CMA of my firewall (comsat max firewall). Regarding your
suggestion in your mail, I am able to install the user database in the CLM
object only after establishing SIC with the CLM. The CLM object with which SIC
is established is created with a valid IP address. I am also able to forward
the comsatmax firewall log to my customer log module. But I am not able to
repeat the same thing for my customer's firewall. The CLM is in the network of
one of the interfaces of my firewall. There are a few questions in my mind.

1. SIC is already created between the CLM and the CMA of the comsatmax
   firewall. Is a CLM able to establish SIC with multiple CMAs?
2. If yes, then how many Management servers or CMAs can establish SIC with
   one CLM?
3. What is the procedure to establish SIC between one CLM and multiple CMAs?
4. Is there any configuration required to be done at the CLM side or at the
   CMA side (i.e. Provider-1)?

Bottom line: How to forward logs of the multiple firewalls to one CLM in NG
FP1?


Thanks and Regards,

Ramesh


____________________Reply Separator____________________
Subject:    RE: Customer Log Module Configuration in NG FP1
Author: "Latimer, Andy" <andy.latimer@xxxxxxxx>
Date:       6/21/02 9:11 PM

You are very welcome.  I enjoyed working with you and all the other
international sites and have no problem providing assistance when possible
in the future.  As far as your CLM problem, this sounds like a problem we
encountered when we were testing the NG MLM component.  NG components all
talk to each other using SIC communication and require knowledge of the SIC
name of all components they talk to.  This name is located in the objects.C
file and this file must be pushed from the management station to the log
server.  I believe what you must do is select the "policy" option from the
policy editor window and then select "install users database".  This should
provide a list of objects that are defined with Check Point products.
Select the CLM and run the install.  I believe this will allow SIC
communication and enable logging.  It took us a while to figure out how this
works.  Let me know if this works.

Thanks,

 Andy Latimer
 Lockheed Martin  C&NS
 Office:  (407) 306-4678
 E-Mail:  andy.latimer@xxxxxxxx


-----Original Message-----
From: Ramesh.Gaikwad@xxxxxxxxxxxxx [mailto:Ramesh.Gaikwad@xxxxxxxxxxxxx] 
Sent: Friday, June 21, 2002 10:46 AM
To: andy.latimer@xxxxxxxx
Cc: ob.jacob@xxxxxxxxxxxxx
Subject: Customer Log Module Configuration in NG FP1

Dear Andy,

This is Ramesh from comsat Max India. We have upgraded our own firewall and
our customer's firewall to version NG FP1, and we have also moved Provider-1
to Brazil. I would like to thank you for your extended support while we were
with Provider-1 at Orlando.

After upgrading our firewall to version NG FP1, we also upgraded our Customer
Log Module to the same version. The CLM is in our premises. But after
upgrading the CLM, the firewall is unable to forward logs to the CLM. It is
forwarding logs only to the CMA. We have done the appropriate configuration in
the firewall object, but still it is not forwarding logs to the CLM. If you
know the procedure to forward logs to the CLM, please let me know. In version
4.1 we were able to forward logs to the CLM, but it is not happening in the
case of the NG version.


Thanks and Regards,


Ramesh

