iLA fail to log NATted firewall IP

InControl Discussions
nazimshah
Posts: 12
Joined: 16 Jul 2010, 06:17

iLA fail to log NATted firewall IP

Post by nazimshah » 06 Nov 2012, 10:14

We have multiple VSGs and W5s as our internal firewalls at our HQ and branches. NAT is done at the router or load balancer at the edge.

We are trying to manage all the firewalls over the Internet without depending on VPN. We have assigned a specific public IP NATted to each firewall. Using InControl to manage, we have no issue at all. All the firewalls are manageable via the given NATted public IP.

When we configure iLA to grab the logs via the NATted public IP, no traffic is captured. But when we use VPN and configure iLA to grab the logs, it can capture all the traffic.

We suspect iLA can only capture traffic from the firewall's true IP and cannot do so for the NATted IP.

Is this a bug or is this by design?

Peter
Posts: 617
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: iLA fail to log NATted firewall IP

Post by Peter » 07 Nov 2012, 11:58

Hello.

Basically the ILA will only accept logs from the IP address specified in the ILA configuration file.

The IP address of the SGW you can specify to be the NAT IP in the ILA configuration in InControl. The ILA does not really care about the original IP of the SGW, only the source IP the logs are coming from. If the source IP is not the one specified in the configuration file, it will ignore them.

Best regards
/Peter

nazimshah
Posts: 12
Joined: 16 Jul 2010, 06:17

Re: iLA fail to log NATted firewall IP

Post by nazimshah » 08 Nov 2012, 11:20

Thanks Peter.

Sorry but it doesn't work as you explained.

SGW IP = 10.1.1.254
SGW NAT IP = 221.xxx.xxx.137
Registered IP in InControl and iLA = 221.xxx.xxx.137

Windows firewall log on InControl & iLA server:
2/11/2012 11:19:13 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 11:24:15 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 11:32:22 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 12:58:48 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 13:05:55 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 13:09:39 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 13:22:16 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 13:49:10 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 15:40:40 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE
2/11/2012 16:42:58 ALLOW UDP 221.xxx.xxx.137 192.168.1.109 999 999 0 RECEIVE

Although the server receives it, we get nothing in iLA.

Peter
Posts: 617
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: iLA fail to log NATted firewall IP

Post by Peter » 28 Nov 2012, 10:09

Hello.

Sorry for not replying sooner. I did some initial tests on this and could not get it to work either. I do not know if I made a mistake in my setup or otherwise; I am unable to pursue this further at this time.

I hope to be able to dig into it further at a later stage though.

Best regards
/Peter

nazimshah
Posts: 12
Joined: 16 Jul 2010, 06:17

Re: iLA fail to log NATted firewall IP

Post by nazimshah » 08 Feb 2013, 02:09

Peter,

Any outcome on this?

Peter
Posts: 617
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: iLA fail to log NATted firewall IP

Post by Peter » 30 May 2013, 11:40

Hello.

Sorry for the delay, always something that gets in the way :ugeek:

To make a long story short, NAT'ed logs will not be accepted by the ILA. The reason for this is due to a check that is done regarding the IP the logs are created from and the source IP of the received logs. If there is a mismatch here, the ILA will reject the log packets.

I have created an RFE (request for enhancement) towards the developers that there should be an option in the ILA regarding the expected source IP of the logs in order to get the ILA to accept the "mismatching" logs.

The developer ID is ICC-5130.

So for now, your only alternative is to try to get the logs to the ILA without any address translation being performed.

Best regards
/Peter

ansj
Posts: 13
Joined: 15 Jul 2016, 08:53

Re: iLA fail to log NATted firewall IP

Post by ansj » 25 May 2018, 07:04

I just wanted to notify that this can now be accomplished with InControl version 1.70 and up by using the Reverse Netcon Feature/Setting the Connection setting of the firewall to Device Initiated.

InControl will then look at the Management ID of the Firewall instead of the source IP used to send the logs, meaning NAT is no longer a problem.

/André
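The two acceptance rules described in this thread (Peter's source-IP check, where the address inside the log record must agree with the address the packet actually arrived from, and André's Device Initiated mode, where the management ID in the record identifies the firewall instead of the source address) can be modelled in a few lines. The following is an added illustration, not Clavister's ILA or InControl code: the LogPacket fields, the management ID "MGMT-0001", the registry dict and the documentation address 203.0.113.137 (standing in for the masked 221.xxx.xxx.137) are all constructed for the example. The small Windows Firewall log parser reproduces the diagnostic step from nazimshah's second post: confirming that the datagrams reach the collector host on UDP 999, so the drop happens inside the collector's own check rather than in the host firewall.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class LogPacket:
    """One UDP log datagram as the collector sees it (constructed model)."""
    src_ip: str      # source address on the received packet (after any NAT)
    origin_ip: str   # address the firewall wrote inside the record (pre-NAT)
    device_id: str   # management ID the firewall wrote inside the record
    text: str


def accept_by_source_ip(pkt: LogPacket, configured_ip: str) -> Tuple[bool, str]:
    """Source-IP policy as described in the thread: the packet must come from
    the configured address, and the address inside the record must match the
    packet source. A NATted sender fails the second test even when the NAT
    address is the one configured."""
    if pkt.src_ip != configured_ip:
        return False, "source %s is not the configured address %s" % (pkt.src_ip, configured_ip)
    if pkt.origin_ip != pkt.src_ip:
        return False, "record origin %s does not match packet source %s" % (pkt.origin_ip, pkt.src_ip)
    return True, "accepted"


def accept_by_device_id(pkt: LogPacket, registry: Dict[str, str]) -> Tuple[bool, str]:
    """Device-ID policy (Device Initiated mode, simplified): identity comes from
    the management ID inside the record; the packet source is only recorded.
    In the real product the device initiates the connection, so the ID is tied
    to an established session rather than trusted from a bare datagram."""
    name = registry.get(pkt.device_id)
    if name is None:
        return False, "unknown management ID %s" % pkt.device_id
    return True, "accepted as %s (seen from %s)" % (name, pkt.src_ip)


def parse_windows_firewall_line(line: str) -> Dict[str, str]:
    """Parse one line in the positional layout shown in the thread:
    date time action proto src dst sport dport size path."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("unexpected field count: %r" % line)
    return {"date": f[0], "time": f[1], "action": f[2], "proto": f[3],
            "src": f[4], "dst": f[5], "sport": f[6], "dport": f[7],
            "size": f[8], "path": f[9]}


# Constructed scenario modelled on the thread: firewall at 10.1.1.254, edge
# router translates it to 203.0.113.137, collector at 192.168.1.109.
FIREWALL_IP = "10.1.1.254"
NAT_IP = "203.0.113.137"
REGISTRY = {"MGMT-0001": "hq-vsg"}  # hypothetical management ID -> device name

NATTED = LogPacket(NAT_IP, FIREWALL_IP, "MGMT-0001", "conn_open src=10.0.0.5")
VIA_VPN = LogPacket(FIREWALL_IP, FIREWALL_IP, "MGMT-0001", "conn_open src=10.0.0.5")
SAMPLE_WF_LINE = "2/11/2012 11:19:13 ALLOW UDP 203.0.113.137 192.168.1.109 999 999 0 RECEIVE"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Evaluate each policy against the NATted and the VPN (untranslated) case."""
    return {
        "natted/source_ip": accept_by_source_ip(NATTED, NAT_IP),
        "vpn/source_ip": accept_by_source_ip(VIA_VPN, FIREWALL_IP),
        "natted/device_id": accept_by_device_id(NATTED, REGISTRY),
    }


if __name__ == "__main__":
    wf = parse_windows_firewall_line(SAMPLE_WF_LINE)
    print("host firewall saw %s %s %s -> %s:%s" % (wf["action"], wf["proto"], wf["src"], wf["dst"], wf["dport"]))
    for name, (ok, why) in run_scenarios().items():
        print("%-18s %-8s %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Running it shows the thread's outcome in miniature: the host firewall reports ALLOW for the datagram, the source-IP policy rejects the NATted packet because the origin address inside the record (10.1.1.254) disagrees with the packet source (203.0.113.137), the same packet over VPN is accepted because both addresses agree, and the device-ID policy accepts the NATted packet because it never consults the source address.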

serferHar
Posts: 3
Joined: 18 Sep 2018, 15:42
Location: Czech

iLA fail to log NATted firewall IP

Post by serferHar » 22 Sep 2018, 10:47

Considering that for about the same price as a software firewall, you could get basically ANY router, which generally has a firewall, or the capabilities to do so, wouldn't it be easier to just get hardware?
