topic Check which gateways are logging in Firewall and Security Management

Check which gateways are logging

Ryan_Ryan — Wed, 16 Dec 2020 04:31:50 GMT

Hi,

I have noticed some of my gateways don't appear to be logging traffic, This am am certain was working for all gateways previously. We have 45 gateway son the management server so I would ideally like a command I can run on the log sever to see which are established so I can work through backwards.

we have 24 cloudguard gateways in hypervisor mode and it seems to be some of them that aren't working, So I cannot easily tell which ones aren't not logging, but I just know when I should be seeing traffic and I am not. The log server has plenty of disk space.

thanks

Re: Check which gateways are logging

PhoneBoy — Wed, 16 Dec 2020 04:48:09 GMT

netstat -an should show active TCP connections with gateways that are logging.

Re: Check which gateways are logging

Ryan_Ryan — Wed, 16 Dec 2020 04:54:55 GMT

I did some further testing and found a specific gateway that is not logging, I have an snmp alarm on that device: A "chkpntTrapOverallLSConnState" event has occurred, from CheckpointFirewall device, Security Gateway is unable to report logs to any log server fwLocalLoggingDesc = Writing logs locally due to connectivity problems fwLocalLoggingStat = 2

I can ping the log server from this gateway, and the fw.log file is not increasing either, just did an install database on the all the management servers, and a cpstart on the gateway really weird. Ive run through sk40090 without any luck either. Looks like I have 3 gateways that all stopped logging at the exact same time. netstat -an doesn't show a connection to log server

Re: Check which gateways are logging

PhoneBoy — Wed, 16 Dec 2020 07:04:49 GMT

Don’t know that you need to delete logtrack but restarting fwd can’t hurt.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk170331&partition=Advanced&product=Security

Re: Check which gateways are logging

Ryan_Ryan — Thu, 17 Dec 2020 03:27:57 GMT

Yes I think you are right, does restarting FWD have any service impact?

I saw this in the logs which looks very similar to sk118936

-[17 Dec 15:55:49] connect_to_local_server: connected to local server successfuly
-[17 Dec 15:55:49] ....<-- connect_to_local_server
-[17 Dec 15:55:49] ...<-- connect_to_server
-[17 Dec 15:55:49] create_default_log: connected to default log server
-[17 Dec 15:55:49] ...--> disconnect_from_server
-[17 Dec 15:55:49] disconnect_from_server: default still backups other servers, don't disconnect
-[17 Dec 15:55:49] ...<-- disconnect_from_server
-[17 Dec 15:55:49] create_default_log: disconnected from default log server
-[17 Dec 15:55:49] ..<-- create_default_log
-[17 Dec 15:55:49] .<-- logbuf_write
-[17 Dec 15:55:49] .--> log_has_connected_server
-[17 Dec 15:55:49] .<-- log_has_connected_server
-[17 Dec 15:55:49] log_add_e__logclient: writes logs to local disk because overflow
-[17 Dec 15:55:49] log_add_e__logclient: 192.168.10.10 - no log is sent now
-[17 Dec 15:55:49] log_add_e__logclient: waiting for connecting callback (log_connected) to be read
-[17 Dec 15:55:49] log_add_e__logclient: Write locally ! log record number = 5342
-[17 Dec 15:55:49] .--> log_local_write
-[17 Dec 15:55:49] .<-- log_local_write
-[17 Dec 15:55:49] <-- log_add_e__logclient

Re: Check which gateways are logging

PhoneBoy — Thu, 17 Dec 2020 04:11:24 GMT

I don’t believe so but the sk suggests doing during a maintenance window.

Re: Check which gateways are logging

Ryan_Ryan — Fri, 18 Dec 2020 02:35:36 GMT

found another solution, removing the log server from the gateway, push policy and add it back has got he log connection back up and working now.