topic Re: Logs from 1530 to log server in Spark Firewall (SMB)

Logs from 1530 to log server

Marcus_Halmsjo — Tue, 19 Oct 2021 08:08:45 GMT

Hi,

We have started to use 1530 gates to connect our external sites and i am having problems getting the logs to log server and i can't seem to find the correct SK so i'll try asking here.

We have 5200 gates as hub and 1530 as spokes, SIC is established between 1530 and logs/managament and working.

Under "External Log Servers" on 1530 it says "The appliance is managed by Check Point SmartConsole. Security Log Servers are configured in SmartConsole.".

Under Logs->Log Servers on the gateway object for 1530 in management has the logserver specified.

I can't see anything in logs that indicate what can be why logs are not sent to log server, the 1530 logs fine locally.

grateful for any pointers.

Re: Logs from 1530 to log server

G_W_Albrecht — Tue, 19 Oct 2021 08:38:27 GMT

sk38848: Practical troubleshooting steps for logging issues

Re: Logs from 1530 to log server

Peter_Lyndley — Tue, 19 Oct 2021 08:51:33 GMT

a simple first step - try install database on your management server.

Re: Logs from 1530 to log server

Marcus_Halmsjo — Tue, 19 Oct 2021 09:12:29 GMT

tried installing database and restarts on both sides and no change found that connection on port 257 is stuck on SYN_SENT on the gateway will go from there.

Re: Logs from 1530 to log server

Ido_Shoshana — Tue, 19 Oct 2021 09:44:00 GMT

Hi,

I don't see anything special here that might go wrong.

It should simply work.

Maybe the install database wasn’t done? Can you install DB and let us know?

Re: Logs from 1530 to log server

Marcus_Halmsjo — Tue, 19 Oct 2021 09:59:39 GMT

tried installing DB no change

netstat -anp | grep -i -E "State|257" on the gate shows it is trying to connect to port 257 but what confuses me a bit is that it uses WAN adress as local for the gate and local adress as foreign to log server.

Everywhere i look on the 1530 gate it uses the WAN IP to the management but for the logs for some reason it uses the local IP.

Re: Logs from 1530 to log server

Marcus_Halmsjo — Tue, 19 Oct 2021 11:39:56 GMT

found that log connection worked up until i upgraded the firmware on the 1530 gate last week, did factory default and after new SIC and policy push the log connection works again and this time netstat -anp | grep -i -E "State|257" shows that it connects to the log server via the external IP and not the local IP.

Re: Logs from 1530 to log server

G_W_Albrecht — Tue, 19 Oct 2021 11:57:33 GMT

Looks like a NAT issue - was SIC established with NATed SMS IP ? See sk103215 and sk108707 for such issues.

Re: Logs from 1530 to log server

Marcus_Halmsjo — Tue, 19 Oct 2021 12:53:36 GMT

does not look like these SK applies to 1530 you can't change any IP manually in security management.

Looks like something is up with firmware R80.20.30 (992002285) as soon as i upgrade to that the gate uses local IP for log connection.

Re: Logs from 1530 to log server

Marcus_Halmsjo — Tue, 19 Oct 2021 13:06:30 GMT

Or not, it is the reboot, on SIC initialization it uses external IP for logs but after reboot it uses local IP and fails.

Re: Logs from 1530 to log server

G_W_Albrecht — Tue, 19 Oct 2021 13:56:30 GMT

Tried R80.20.35 yet ? Both cited SKs are for R77.20.xx SMBs, so they are also valid for 1530... Only that $FWDIR/conf/masters is not used anymore in R80.20.xx Another tipp is sk66381 !

Re: Logs from 1530 to log server

Marcus_Halmsjo — Tue, 19 Oct 2021 14:16:26 GMT

sk66381 showed something that i did not noticed that i should have seen earlier, when initializing SIC i left it on send logs according to policy. Re-initialized SIC now with send logs to same IP and now it does not change to local IP after reboot.

The SK for R77 pointed to how to change this after the fact but need to do that on initialization that confused me.

Thanks for all the pointers!

Re: Logs from 1530 to log server

tspunkt — Tue, 26 Oct 2021 09:19:48 GMT

hi. we had the same issue with a centrally managed 1500 and 1400 series gateway.

We fixed it by following steps:

connect to gateway via web ui
open Home > Security Management
on "Security Management Server" click "test connection"
After test click on the IP Address
in new window tick the checkbox "Alaways use the following IP address to connect to your Security Managament Server"
in Address there should be your management IP
then select "Send logs to" and also enter the management IP
click apply, maybe reboot.

Re: Logs from 1530 to log server

Marcus_Halmsjo — Tue, 26 Oct 2021 11:33:11 GMT

Nice info that option to change log IP was quite hidden good to know, we re-initialized SIC to change this in the wizard.