topic Re: Checkpoint Logging Issue in Firewall and Security Management

Checkpoint Logging Issue

dumbhead123 — Fri, 06 Aug 2021 13:38:52 GMT

Hi Team,

We have an ongoing issue where firewall randomly lose connectivity to the log server and starts logging locally.
For making missing logs viewable on the console follow below action:-
> Copy missing file (fw.log) and paste it on log server directory post renaming<missingfile1.log>
> run fw logrepair command, which re-creates all associated pointers and could view files on smart console file package.

The thing is that I would like to see these imported logs also with other logs in smart console, without the need of looking for a particular log package/file.

i.e imported logs should get index and we could see results running general query.
Can you please advise if there is such possibility to import missing logs from the gateways via CLI, so that they are visible together with other logs in SmartConsole?

Checkpoint OS R80.30, running recommended Take.

Re: Checkpoint Logging Issue

PhoneBoy — Fri, 06 Aug 2021 16:54:24 GMT

You can only index logs a number of days back.
You can’t, to my knowledge, index a specific log file.
See: https://community.checkpoint.com/t5/Management/SmartLog-only-look-back-14-days-how-to-reindex-90-days-back/td-p/23280

Re: Checkpoint Logging Issue

the_rock — Fri, 06 Aug 2021 18:11:19 GMT

There is a trick I learned with logging issues that worked every single time I tried it...so this is what you do:

-in dashboard, create new CP host (NOT regular host), but under new -> network object -> gateways and servers -> Check Point host

-give it SAME ip address as your actual management and under management tab, ONLY select logs and servers

-once you save this object, publish changes and install database on actual management

-after this, go to your firewall object, and under logs, you should see an option to add this new object you created, just add it and remove existing management object and push policy

Now, here is the trick...if this works, then I would say maybe leave it like that over the weekend or few days and see what results are. If you see all works fine, then you can remove that object from log section on the gateway and add back regulat mgmt server. I really cant guarantee you 100% it will work, but I must have tried this more than 30 times in the past with people and worked every single time, never failed.

Re: Checkpoint Logging Issue

Amir_Senn — Sun, 08 Aug 2021 07:52:24 GMT

The best way to this is to use the "Log Forwarding Settings". In the SmartConsole you can define to which log server and when does it occur. You can set a specific time for log forwarding or every few hours.

SmartConsole -> Gateways & Servers view -> select your GW (double click) -> Logs -> Additional Logging.

In there you'll find the settings.

By using this the gateway will forward all the logs to the log server and the logs will be indexed as defined by that log server (if you run in index mode then configuring log forwarding will ensure all of them will be indexed).

Re: Checkpoint Logging Issue

Tomer_Noy — Mon, 09 Aug 2021 05:25:30 GMT

Thanks @Amir_Senn !

It's important to emphasize that this setting is indeed recommended and will not duplicate your logs. When it's configured on the gateway/cluster, only logs that were written locally will be forwarded to the log server.

The reason that we have a timeframe is that local logs might accumulate to large numbers in case of disconnections or peaks. Some customers want to make sure that the logs will be uploaded in off-hours.

** We're also looking at ways to make this (or similar behavior) on-by-default for future versions. That way customers won't forget to configure it.