topic Re: Traffic Logs post-migration in Portal

Traffic Logs post-migration

wanartisan — Tue, 27 Aug 2024 10:21:19 GMT

Hi Checkmates,

My first post. Be gentle 😉

I inherited an R80.40 (Take 211) Cloudguard Network Security environment in Azure (HA deployment). We have migrated the management to Smart-1 Cloud as part of our DR improvement and upgrade project for this environment.

The migration went well (so management is now R81.20) but we now have no traffic logs. MaaS tunnel is up, we can push policy, but log server shows disconnected:

Log Servers Connections
---------------------------------------------------------
|IP |Status|Status Description |Sending Rate|
---------------------------------------------------------
|100.64.0.52| 1|Log-Server Disconnected| 0|
---------------------------------------------------------

[Expert@GW_1:]# cat /etc/fw/conf/masters
[Policy]
NAME
[Log]
NAME
[Alert]
NAME

(where NAME is the name of the management server object with standard IP of 100.64.0.52).

Does anyone know how to get the Log Server connected?

Thanks,

Re: Traffic Logs post-migration

_Val_ — Tue, 27 Aug 2024 10:20:57 GMT

Just a thought, try installing the database to all servers, and check if the log server's SIC is up

Re: Traffic Logs post-migration

wanartisan — Tue, 27 Aug 2024 10:31:58 GMT

I'm sure I did that. I was following sk38848. Also checked masters file is not immutable.

The log server is the Smart-1 Cloud so SIC is working.

None of the connectivity tests work from that sk. But there is a route

100.64.0.0 * 255.255.255.0 U 0 0 0 maas_tunnel

Re: Traffic Logs post-migration

AkosBakos — Tue, 27 Aug 2024 12:20:52 GMT

Hi @wanartisan

What does the #cpstat mg -f log_server say?

The main IP of the SmartCenter changed?

Last time, I ran into almost the same issue. In that scenario the SmartCenter was on-prem, and the GW-s were in Cloud, The GW-s send the logs to the wrong IP, the main IP of the smartCenter was unreachable for them. (because of routing and security issues)

We changed the LOG IP in masters file on the GWs, according to this articles:

https://support.checkpoint.com/results/sk/sk40090

https://support.checkpoint.com/results/sk/sk105280

and a few related articles:

https://support.checkpoint.com/results/sk/sk146112

https://support.checkpoint.com/results/sk/sk102712

I hope it helps,

Akos

Re: Traffic Logs post-migration

wanartisan — Tue, 27 Aug 2024 12:30:46 GMT

[Expert@GW1:0]# cpstat mg -f log_server
No product has flag 'mg'

Yes, the log server IP has changed to 100.64.0.52 which is the same IP Smart-1 Cloud always uses for the management object. In cplog_debug.elg you can see the migration script changes the IP

[9611 3981629376]fwd@GW1[Thu Aug 15 20:55:12 2024] ResetLogServers: The ip of [MGMT_NAME] was changed, the old ip is [OLD IP], the new ip is 100.64.0.52

The log also shows connectivity good to the old IP then connectivity failing to the new IP.

Re: Traffic Logs post-migration

AkosBakos — Tue, 27 Aug 2024 12:37:47 GMT

Hi @wanartisan

Sorry, de correct syntax for LOG servers is this: cpstat ls -f logging

Try to edit the MASTERS file, check this https://support.checkpoint.com/results/sk/sk105280

PART 2: Edit the $FWDIR/conf/masters file to contain the desired IP address of the Log Server

Cheers,

Akos

Re: Traffic Logs post-migration

wanartisan — Tue, 27 Aug 2024 12:47:31 GMT

[Expert@GW1:0]# cpstat ls -f logging
No product has flag 'ls'

If you see my output above for cat /etc/fw/conf/masters you should see that the log server is set to the management object and that management object has the new IP of 100.64.0.52.

Re: Traffic Logs post-migration

AkosBakos — Tue, 27 Aug 2024 14:05:45 GMT

Hi @wanartisan

In this case the NAME means de FQDN of the SmartCenter?
When I modified the masters file, i used IP insted of FQDN.

Akos

Re: Traffic Logs post-migration

wanartisan — Tue, 27 Aug 2024 14:48:43 GMT

Hi,

Yes NAME = the name of the object in SmartConsole (with IP 100.64.0.52).

I am a bit sceptical this change will help if the IP connectivity tests to the LogServer (Samrt-1 Cloud) aren't working.

Re: Traffic Logs post-migration

AkosBakos — Tue, 27 Aug 2024 14:53:04 GMT

Hi @wanartisan

Yes, first the connectivity.

Akos

Re: Traffic Logs post-migration

_Val_ — Wed, 28 Aug 2024 06:48:53 GMT

If connectivity does not work at all, that must be your clue. If you are still struggling with it, I suggest a TAC case.

Re: Traffic Logs post-migration

wanartisan — Mon, 16 Sep 2024 10:56:29 GMT

To close this off, Install Database did work. Not sure why it didn't the first time (I'm sure it was one of the first things I did...)