1. Home
  2. Networking
  3. Check Point FireWall

Special Remote Management Conditions

The steps outlined in the previous section work if NAT is not involved. In some situations you may need to manage a firewall over the Internet, and your management module will require NAT to get to the Internet.

Forcing a Firewall Module to Log Locally

By default, when a firewall module is remotely managed, any logging is automatically sent to the management module. In some cases you may not want this to occur. One example is when a remote firewall module is accessible only via a relatively slow link, and the overhead imposed by logging across the network is undesirable. Logging is desirable, but it would be far better to do it locally.

The Log Maintenance section in Chapter 5 describes the various options for logging, which includes logging to the local firewall module and then transferring those logs to the management station on a preset schedule. These options are set on the gateway object under subsections of the Log and Alert frame.

Remote Management with NAT

There are situations where you may need to manage your firewall module from a management module subject to address translation. The actual SIC process works okay provided you configure the firewall module to use the NAT address for the management module.

On the management module, create an object of type Check Point host with the remote management's statically NATted IP address. If you are using manual NAT rules, this should already be done, though the object might be a normal workstation object. If so, delete the object and recreate it as an object of type Check Point host. In the Installed Products section of the General frame of your new Check Point host object, select Log Server.

Next, you will go into the gateway object definition. Go to the appropriate gateway object on the management station. Select the Masters frame under Log and Alert. Select the option "Use local definitions for Masters." You will get a warning about this affecting the Additional Logging frame as well. Select yes. Install the security policy.

On the firewall module, do a cpstop. Edit the file $FWDIR/conf/masters, which will look something like the following:

[Policy]
snuffleupagus
[Log]
snuffleupagus
[Alert]
snuffleupagus

Change all three instances of your management module object (snuffleupagus in this example) to the new Check Point object you created previously.

Now type in cpstart to bring up the firewall module. It should correctly log to the management module using the NAT address, and the management station should be able to push policy to the firewall module without problems.



    		Frequently Asked Questions
    		Preface
    		Chapter 1. Introduction to Firewalls
    		Chapter 2. Planning Your FireWall-1 Installation
    		Chapter 3. Installing FireWall-1
    		Chapter 4. Building Your Rulebase
    		Chapter 5. Logging and Alerting
    		Chapter 6. Common Issues
    		Chapter 7. Remote Management
    		The Components
    		Secure Internal Communication
    		Special Remote Management Conditions
    		What You Can Do with Remote Management
    		Moving Management Modules
    		Highly Availabile Management Modules
    		Troubleshooting Remote Management Issues
    		Large-Scale Management Issues
    		Summary
    		Chapter 8. User Authentication
    		Chapter 9. Content Security
    		Chapter 10. Network Address Translation
    		Chapter 11. Site-to-Site VPN
    		Chapter 12. SecuRemote and SecureClient
    		Chapter 13. High Availability
    		Chapter 14. INSPECT
    		Appendix A. Securing Your Bastion Host
    		Appendix B. Sample Acceptable Usage Policy
    		Appendix C. 'firewall-1.conf' File for Use with OpenLDAP v1
    		Appendix D. 'firewall-1.schema' File for Use with OpenLDAP v2
    		Appendix E. Performance Tuning
    		Appendix F. Sample 'defaultfilter.pf' File
    		Appendix G. Other Resources
    		Appendix H. Further Reading