Special Remote Management Conditions

The steps outlined in the previous section work if NAT is not involved. In some situations you may need to manage a firewall over the Internet, and your management module will require NAT to get to the Internet.

Forcing a Firewall Module to Log Locally

By default, when a firewall module is remotely managed, any logging is automatically sent to the management module. In some cases you may not want this to occur. One example is when a remote firewall module is accessible only via a relatively slow link, and the overhead imposed by logging across the network is undesirable. Logging is desirable, but it would be far better to do it locally.

The Log Maintenance section in Chapter 5 describes the various options for logging, which includes logging to the local firewall module and then transferring those logs to the management station on a preset schedule. These options are set on the gateway object under subsections of the Log and Alert frame.

Remote Management with NAT

There are situations where you may need to manage your firewall module from a management module subject to address translation. The actual SIC process works okay provided you configure the firewall module to use the NAT address for the management module.

On the management module, create an object of type Check Point host with the remote management's statically NATted IP address. If you are using manual NAT rules, this should already be done, though the object might be a normal workstation object. If so, delete the object and recreate it as an object of type Check Point host. In the Installed Products section of the General frame of your new Check Point host object, select Log Server.

Next, you will go into the gateway object definition. Go to the appropriate gateway object on the management station. Select the Masters frame under Log and Alert. Select the option "Use local definitions for Masters." You will get a warning about this affecting the Additional Logging frame as well. Select yes. Install the security policy.

On the firewall module, do a cpstop. Edit the file $FWDIR/conf/masters, which will look something like the following:


Change all three instances of your management module object (snuffleupagus in this example) to the new Check Point object you created previously.

Now type in cpstart to bring up the firewall module. It should correctly log to the management module using the NAT address, and the management station should be able to push policy to the firewall module without problems.