Check Point Firewall R80.x - Training Lab 10 | Adding dedicated log server with some troubleshooting

Captions
Hi and welcome to my channel. My name is Magnus, and today we are going to increase the lab a bit. Remember this video, "Check Point deployment in the real world"? In that video I talked about how the management servers need to be scalable and flexible: go with as much core and memory as possible, as big a box as possible, and whenever possible split out the functions. So in this case we will not add the Identity Collector; we will add that later on when we have built an AD and so on and connected it to the lab. But we are going to do the dedicated log server.

Currently we have this environment: we have our management station up here in the left corner, we have our Windows 10 machine running the SmartConsole so we can manage the management server, and then we have our cluster providing us with internet. What we will do is add a second management server. We will add this in VMware, we will add it in VMnet6, we will give it an IP address and we will put it on the same VLAN as the management server. It doesn't need to be, but it needs to have connectivity to the management server, and we will do it in an easy way. Normally you have your management stations and your log servers in the same place, and if you don't want to transfer your old log files and so on to a dedicated server further away, fine by me. But when it comes to the management station, the event server, the log server and so on, I normally place them in the same dedicated network, and honestly I don't have my clients, so to say, in the same network. This is a separate network, a management network, so this is a management station to manage everything; it's not our normal clients here. We just do this for the lab's sake.

So what would the reason be to have a dedicated log server? Well, first of all, currently our management station is using like three percent CPU, so it's no problem. But if you would log into this one, for example, let's log into the management station in SecureCRT. So first of all, well, our management station is not doing anything, but we only have one client, so we don't really hammer it with logs and so on. Regarding disk space, if I do like this, `clear` and `df -h` for human readable, we see here that we have a log partition, /var/log, and we have 48 gigs available. 48 gigs within a production environment is not a lot. If I would talk about my own environment, we log more than 48 gigs per day.

How long do you actually need to save your logs? Well, I would say up to one year. If you google how long it actually takes for a company to notice a breach within their computer systems, the average time, if I just check the first result on Google, is, well, 200 days. So it's not enough to log 90 days; I would say log one year, then you're on the safe side. You don't need to have all the logs on your management station or your log server; you can ship them off to a log storage, and you can gzip the logs to save some space. If you gzip the logs from Check Point they will use about 10 percent of the space. But keep in mind you cannot gzip everything: you need to keep the first, let's say, 30 days on your management station so you can search them easily within the SmartConsole. Normally when someone asks you for log files from a firewall, either it's the last 14 days or it's six months back, and if someone is asking for log files six months back they don't expect you to be able to provide those within five minutes; you can take some more time. If someone is asking for log files from the last day, they will expect you to answer within five minutes. So keep the newest logs where it's easiest to search for them, and that's the SmartConsole within Check Point, for the Check Point firewall. Of course you can ship them to a SIEM system so you have centralized logging in, I don't know, an ELK stack or whatever. But just keep in mind: try to save logs as long as possible. It's not always possible to save the logs forever and ever; there are rules and regulations on what you're allowed to save and for how long, but I would say one year is what you should save them for.

Okay, so let's create a dedicated log server for this environment. We want to create a new virtual machine, and this should be fairly similar to the existing management station. If I remember correctly we have something like four CPUs, eight gigs of memory, 300 gigs of storage, and it's in VMnet6. So let's do something similar: New Virtual Machine, let's do an Advanced, so we have Workstation 15, and I just selected the image we are going to install it from, R80.40. It needs to be the same version as your management station; they will act together, so to say, so they need to be on the same version and hotfix. Then Next, and we select Red Hat Enterprise Linux 5 64-bit. We will call it CP-Log and we will place this virtual machine somewhere, so we have the virtual machine name and the location, and this is a nice SSD disk now, so it's quite fast. Then we pick, I would say four... no, one processor and four cores, and let's give it eight gigs of RAM. Let's do this for now, we will change this: Recommended, and Create a new virtual disk, that's okay. And let's do the disk too. I think the other one was 300 gigs, so let's just give this 300 gigs as well. It's a lab, so it's okay; within production I would say one terabyte or two terabytes for a log server. And here we will do Customize Hardware, because we need to add a NIC. So we add a network adapter and we connect it to VMnet6, and VMnet6 is the same network that our management station is on. So Close, and I think that we are done now, so just Finish, and let's power this one on.

So here we see... if you haven't seen this, I have made a different video where we do the installation, if you want to see it a bit slower. I will just go through this quite fast. So Install, and as I said before, I have an AMD CPU, so it will give some alerts. Within real production AMD is not supported, only Intel CPUs are supported within VMware. It doesn't really matter, but this is Workstation, so it's a bit different. Do you wish to install? Yes, I want, and Swedish keyboard. And here we have the root partition; I normally take like 150 gigs. We couldn't do that, so let's do 100, and you see here we still have 50 gigs for logs. Keep in mind here, you see that the backup and upgrades take a lot of disk space, so what I normally do is I install something like this; I don't pick one terabyte from the start, I do like 400 gigs or something, and then after the installation I add an additional disk and I just give that additional disk to the logs partition. So let's do OK, and the password, OK, and we don't have DHCP. Let's check what IP address we should have: we should have 201 in the end, 201, and the default gateway is .1 and it's a /24. And we want to continue. OK, the installation is complete so far, so just reboot the box.

All right, and as you know, if you log in here it will say that you need to configure the first time wizard with the Web UI. So we go to the Windows 10 machine and we open up the web browser, https:// and then the management station that we have not yet installed, and Proceed. This is the first time wizard, so we see here that it's in VMware; if it's an appliance or an open server and so on, you will see it here. Next, and we want to continue with an R80.40 configuration. We already set the interfaces, and the default gateway and so on is correct. Then we want to put the host name, so CP-Log, and currently we don't have a domain; we do have, well, we use Google as DNS server. Then Next. Normally you should use NTP. This is a lab, I don't have an NTP set up currently, but I'm in Stockholm, or actually I'm in hamster, but it's in Sweden, and this is in Sweden. And is this a security gateway or a security management server? Yes, this is a management server, and it's defined here: this is a log server. The first time we did install a primary management server, but now we are installing a dedicated log server. So let's continue, Next, and blah blah blah.

Yeah, so it's actually good to read this warning sign sometimes, because here it actually says Alert, and it says that it's highly recommended to keep the settings enabled. You will notice later in the video why this is highly recommended to actually keep enabled, so don't do my mistake here: just enable it and you will save, let's say, 30 minutes of work. We still use the Gaia administrator, we don't create a new one here, and the GUI, well, I like to lock this down. And we need to create the SIC key. You can read about it here, but more or less, if you want to connect something to your existing environment you need to have a one-time password, and this is the SIC. I have a video about it, I will link it in the description, above, somewhere here. This one is used for connecting it, and then it will generate the certificate and so on, and the rest of the communication will be with the certificates, so this one is only temporary. I have just put in "checkpoint" as my password here, and that's why it's weak. Next, and I don't send data to Check Point here. Finish, yes, and this will take a few minutes, and when this is done we can connect it to the management station within the SmartConsole.

All right, so the first time wizard is successful, so press OK, and let's check and add the latest HFA before we add it to the management station. So we go down here, and hopefully it takes... here, after a while, Show All Packages. Let's see, Check for Updates, and we get an error. Why do we get an error? Let's see, Check for Updates... DNS, okay, let's see that we have DNS. We have a DNS, and do we have a default gateway? I think so, yeah, we have a default gateway. So, well, let's log into it then, and we do... copy, can you do that here? Copy, paste, Properties, and we change this to 1 and 1 and we call it CP-Log, and we change this one to CP-Management so we know which is what. So the log, Accept, and we have our lock database override, set expert password, and expert. `netstat -rn`, that's how you see the default gateways, and `ifconfig` is how you see all the interfaces. And let's do ping, and we can ping, so we actually have internet. So let's see within the firewall, do we permit HTTPS from this network? So let's search 192.168.1.201, and we have a lot of Google here. Do we NAT the traffic? Yes, we do, and we could surf, so why is this not working? Maybe it just took some time to try a license. Cannot connect to the cloud. Let's see, like this, Show All Packages, deployment version, which one do we have? 1848. "Cannot connect to the Check Point cloud: administrator did not authorize downloads. For more information refer to this one." Okay, let's check that one. I have actually not seen that one before. Support Center, well, here it is, and we do that SK. Let's see this one. So here you have that part in the SK: during the first time configuration wizard on Gaia OS you have the option to enable or disable automatic downloads of blade contracts, Check Point releases and hotfixes via CPUSE. So this is the reason why we're not able to download something from CPUSE. It's fixable to do this, but the issue is that the gateway or the management station needs to be connected to the management station, and our log server is not yet connected to the management station, and to connect it in a good way we need to have the same version. So let's continue the video. Let's do an update to this one, so we take this one, last official build, we download that one, Download, and we put it in the downloads. So it's soon done, perfect, and we go back to our Windows 10 host, we do Install Deployment Agent, the one we downloaded, Install. Let's fix this one first so you just see that it's working correctly, and in the worst case we just import the package manually; we can do that as well, we don't need to troubleshoot too much. The point is just to show you that we can. Installation successful, okay, nice. Let's do like this, so we have the new deployment agent, and we still cannot: "the administrator did not authorize downloads". Do this one, so we have web surfing and we hide it. Do we have any drops? We don't have any drops. Well, that's just strange, but, well, let's fix this.

So we do Import Package, because I think that we have the correct one already downloaded. 67, is that correct? Let's check, let's see what we have on that one. I think we did upgrade it, so here we have 77. So let's download 77, R80.40 Jumbo Hotfix, and we want to have 77, so this one, and we take 77. What's that, 77? Okay, let's see if we have that one. Done, 77. This is General Availability, GA. Can we download that one? 78, maybe, down here? No, we need 77. Let's update this one as well, so we update that one, Install. It's nice to have a lab so you can actually test stuff. Okay, now this is fixed, that's perfect. Now checking for new packages, let's see if this one can find anything. Yeah, it can find 78, so we do like this, Done, we do Download, so we download this one on the gateway here, and we download 78 manually. So we do an upgrade... in production maybe not. So Download, and we take that one as well. Perfect, and we go back here to this one, so it's downloading quite fast. By the way, if you need this one you can just export the package. So we have the package here fairly soon, so we will do it on our... Take 77, yes, we have the same, so I'm downloading it from the gateway and you just do More, Export Package, and then you have the tar file. So let's go back into this one and Import Package, Download, and we have 77 here, and we import it here so we can get the same version if we don't find it on Check Point's website. So let's install this one quickly, and then we just add it to the management station. So we have it downloaded successfully, that's perfect, and hopefully we should be able to... we do a Verifier first; you'll see that that doesn't work as well... oh yeah, it works. Oh, I got scared. So my buttons are disappearing, but let's do Install Update, and we are on the log server, so let's install the update, and after that we're going to connect it to the management station. Hopefully this works. This is a lab, so it can fail; I don't know, I haven't done this before within this environment, so you are the first, same as me. I have installed log servers before, but not like this. And in the meantime, well, we have 78 here, perfect, so this is ready to go as well, but let's wait for this one. All right, so the system is rebooting, so let's give it a few seconds and then it will be up and running again.

All right, so the machine is up and running and it should be on HFA 77. Let's see if it is, and I do like this, and yes, it's on 77. All right, so let's connect this to the management station. So we have here Gateways & Servers, and we don't see our log server here, so let's create a log server. We do this one, New, and what are we? Check Point Host, and we call it CP-Log, and we have an IP address of 192.168.1.201, and it's a management station and it's Logging & Status, and it's an open server, it's R80.40. Let's press here, Communication, so here we do "checkpoint", Initialize, trust established, Close. And let's see, we need to press Enable Log Indexing, yeah, that's good. We need to have Storage, Disk Management; we can do this one, we only keep the index for 14 days, and log files are kept, well, very long. Additional Logging, we don't forward, we do create a new log file at midnight, and, well, that's okay. So press OK, and did we get something here? Yeah, here, open server. So let's do Publish, and what do we need to do more? Well, we need to install the database. So this one, Install Database, and we want to install the database on both the management station and the log server. The database is installed on the log server here, as you see, and it's installed on the management station as well.

Okay, so do we actually get any logs to the server? Well, first of all, you see here that we did do Logs and we did enable logging, that's really good, but you see here there are no gateways configured to have this as a log server, because there is nothing listed here. Storage, we have some delete options and so on, we have some additional things here like "forward log files to log server", and we have this one; this is really important to have, or I think so at least, because then it's a lot easier to see the logs. And if we check our old management station under Logs, Storage, let's see what it says here. That's okay, but here we need to change this one to forward it to CP-Log, we need to do it at midnight, and it should also create log files, or it should create new log files every midnight. So let's do and fix that first, and Publish. And what do we need to do more? Well, we need to change this firewall cluster, so double-click on the firewall cluster, and we want to do the same here. So Logs: currently we have it set to send to the CP-Management station. Well, that we don't want now; we have a dedicated log server, so let's change this. So minus on this one and we do a new one here, so we send it to CP-Log, and if this one is not reachable, well, then we can send it to the CP-Management station. So now we have two targets, and this one forwards the logs to CP-Log when it's back up, so that's okay. Local log storage, we still need to have that if both our management station and our log server are down. And here we have "forward log files": well, that should be to CP-Log and not to the management station, and we create new log files every midnight. So OK, and let's publish these changes, like this, and install policy on everything. So let's see what happens; hopefully this works.

Do you actually know where to find the log files? I told you they have a specific partition, and that's true, but the log files are a bit tricky to find if you don't know about it, so I will show you how to do it. Okay, so we have it turned off, that's strange, maybe we didn't turn it off, I don't remember. So it's soon done, but I think that we should just install the database on CP-Log and the management station as well, just to make sure. Identity logging, well, that we should do, but then we need the identity server and so on; we don't have that right now. Okay, so successful, perfect. Let's just install the database, and the reason why I do this is because we did do a lot of changes on both the management station and CP-Log, the log server so to say. So in this case we just do it; normally you don't need to install the database on everything after you have done a policy installation, this is just because we did do a lot of changes. So here we have our SecureCRT, let's just verify that we actually have logs. So if we... here you see "log file has been switched", okay, that's nice. Let's see, we don't have any logs now. Hmm, why is that? Which log server do we have? Well, we need to press plus here. Did you see that? We did only check this one, not that one. So press OK, and now we see logs again. You see here, if we remove that one, Enter, we have no logs. So this is the log server; just make sure to tick this one and then you will see the logs. Perfect.

So where do you actually find the logs on the log server, or the management server for that sake? Well, let's log in to the management station and the log server. So we do CP-Log, and we do `expert`, and just check that we actually have a log partition here, well, `df -h`. So it looks the same; so here's /var/log, so we can jump there, `cd /var/log`, and if we do `ls`, do we see something? Well, I actually don't see any log files here. So where are the log files? Well, they are here, so `$FWDIR/log`, and here `ls`. Did you see that? And did you notice something else? All the log files have been transferred. Where are we? Well, we are on the CP-Log machine, so we did go to this one, `cd $FWDIR/log/`, and there we do an `ls`, and here we have the log files. You see that we have one per day, and that's because the gateway did have... so it should create a new log file per day. Is this from the gateway? No, this is from CP-Management; from the gateway it will look like this. So here we have CP-Management, CP-Gateway1, so it adds the host name to the log files, so it's really easy to find it. So these are the log files. Should we check if we have any on the management station? Of course, let's check, and we do `expert`, `df -h`, well, we're using 3.9 gigs there. So let's go there, `cd` and then `$FWDIR/log`, and if you don't know about this, the dollar sign, you can check the correct path like this. So the log files are here under /opt/CPsuite-R80.40/fw1/log, but this is a shortcut, and this is a shortcut that you should be aware of. So `ls`, so here we don't have any log files anymore. The log files were here before, but they have been transferred here, because today is October, this box was installed two hours ago, how can this have logs from August? Well, that's because we have forwarded the logs to the log server. So if we check `top` here on the log server, we see that this is not using more or less anything. If you have a lot more logs, like bigger things, then you will see some processes here like SmartLog and so on. I don't see them here; SmartLog is not taking up anything. Log indexer, you did see there log indexer; this is normal for a log server, it's indexing the log files. So `cd $FWDIR`, `ls`, and here you have the log files. And if you want to see all the log files at once, you can do `ls -l`, for list, then you do the path that you want to check in, `$FWDIR/log/`, and you can do `*.log`. These are all the log files that you have on this management station. Do you see here? So this `ls -l`, for list, the dir, and then we have a star, and this is for anything, and then you have .log, so it allows for any name like this, but it requires that it has .log and it's in that specific folder.

Thank you for sticking with me for the last around 35 minutes; if you did, thank you, and I'm quite impressed that you actually stayed. Please let me know what you want to see next, I'm open for suggestions, and consider subscribing to the channel if you haven't done that. I'd like to thank you for watching, and I hope to see you in the next one. Take care, bye.
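The retention policy the video describes (keep the newest 30 days of `$FWDIR/log/*.log` uncompressed so SmartConsole can search them, gzip older files at roughly 10% of the space, drop anything past one year) can be turned into a small sweep script. The following is an added example written for this page, not code from the video or from Check Point. It assumes rotated log files are named `YYYY-MM-DD_HHMMSS.log`, optionally prefixed `<hostname>__` for files forwarded from a gateway, and it takes the sweep date as an argument so a run is reproducible; only `*.log` and `*.log.gz` are matched, so any companion index or pointer files in the directory are left alone. The sample file names in `demo_sweep` are constructed.

```shell
#!/bin/sh
# Added example, not from the video: retention sweep for Check Point log files in
# $FWDIR/log following the policy above: keep the newest 30 days plain (searchable
# in SmartConsole), gzip older files, delete anything past one year.
# Assumed (not stated on the page): rotated files are named YYYY-MM-DD_HHMMSS.log,
# optionally prefixed "<hostname>__" for forwarded logs; the sweep date is passed
# in as YYYY-MM-DD so the run is reproducible and testable offline.

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian)
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}          # strip a leading zero so 08/09 are not read as octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# log_age_days FILE TODAY -> age in whole days, or -1 when the name carries no date
log_age_days() {
  stem=$(basename "$1"); today=$2
  stem=${stem##*__}                 # drop an optional "<hostname>__" prefix
  case "$stem" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_*) ;;
    *) echo -1; return 0 ;;
  esac
  fy=${stem%%-*}; r=${stem#*-}; fm=${r%%-*}; r=${r#*-}; fd=${r%%_*}
  ty=${today%%-*}; r=${today#*-}; tm=${r%%-*}; td=${r#*-}
  echo $(( $(days_from_civil "$ty" "$tm" "$td") - $(days_from_civil "$fy" "$fm" "$fd") ))
}

# sweep_logs DIR TODAY KEEP_PLAIN_DAYS KEEP_TOTAL_DAYS
# Deletes dated .log/.log.gz files older than KEEP_TOTAL_DAYS, gzips plain .log
# files older than KEEP_PLAIN_DAYS, and leaves everything younger untouched.
# One line per action is printed so the run can be kept as an audit record.
sweep_logs() {
  dir=$1; today=$2; plain=$3; total=$4
  for f in "$dir"/*.log "$dir"/*.log.gz; do
    [ -e "$f" ] || continue
    age=$(log_age_days "$f" "$today")
    [ "$age" -ge 0 ] || continue
    if [ "$age" -gt "$total" ]; then
      rm -f "$f"; echo "deleted  $(basename "$f") (${age}d)"
    elif [ "$age" -gt "$plain" ]; then
      case "$f" in
        *.gz) ;;                       # already compressed on an earlier run
        *) gzip -f "$f"; echo "gzipped  $(basename "$f") (${age}d)" ;;
      esac
    fi
  done
}

# free_kb_on PATH -> free kilobytes on the filesystem holding PATH (what df -h shows)
free_kb_on() {
  df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# demo_sweep -> builds a scratch directory with constructed file names, runs the
# sweep as of 2020-10-04 with a 30-day plain / 365-day total policy, and prints
# the scratch directory path so the caller can inspect the outcome.
demo_sweep() {
  tmp=$(mktemp -d)
  for n in 2020-10-03_000000.log 2020-09-01_000000.log \
           cp-gateway1__2020-08-15_000000.log 2019-09-01_000000.log; do
    echo "constructed sample record" > "$tmp/$n"
  done
  sweep_logs "$tmp" 2020-10-04 30 365 >&2
  echo "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(demo_sweep)
  echo "free on log filesystem: $(free_kb_on "$d") kB"
  ls -l "$d"
fi
```

Run it with `--demo` to see the constructed set swept: the one-day-old file stays plain, the 33- and 50-day-old files are gzipped, and the 399-day-old file is deleted. Against a real log server you would call `sweep_logs "$FWDIR/log" "$(date +%F)" 30 365` from cron in expert mode, and `free_kb_on "$FWDIR/log"` gives the same number `df -h` shows for the log partition, so you can alert before it fills.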
Info
Channel: Magnus Holmberg
Views: 6,139
Keywords: ccsa, ccse, checkpoint, check point, cyber security, network, security, firewall, checkpoint training, r80, r80.40, checkpoint firewall, checkpoint firewall training videos
Id: dq_hB2653I8
Length: 38min 9sec (2289 seconds)
Published: Sun Oct 04 2020