This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ruud
Explorer
yesterday

Logging of FW rules on newly created VSX vFW no thowing up in central logging in Smart console

 

I recently created a new virtual FW on our VSX cluster. I connected it to our virtual core fw on the same vsx system via a vSwitch.

After setting up the basic rules etc. everything seems to be functional. 

However, for some reason i cannot find, the logging of the new vFW does not show up in Smart console. I can see sessions going to/through the new fw in the logs of other firewalls that handled the streams, but none from the new vFW itself ??

I checked the log configuration of the new  vFW with those on the existing vFW and they are exactly the same.

 

If needed : All of our firewalls, the management server and smart console programm are fully up to date running r81.20.

 

What am i missing here  ?

 

0 Kudos
3 Replies
_Val_
Admin
Admin
7 hours ago

Before anything else, please perform "Install database" on your log server and check again.

0 Kudos
the_rock
Legend
Legend
6 hours ago

I would definitely go through steps in below sk, just to make sure everything checks out.

One easy way I sometimes find how to correct this is to simply run fw logswitch on the gateway, ie rotate existing log file and start new one. Does not always work, but worth a try.

Andy

https://support.checkpoint.com/results/sk/sk40090

0 Kudos
the_rock
Legend
Legend
6 hours ago

Example from my lab. .249 is one of the gateways and .252 is mgmt.

Andy

 

[Expert@CP-MANAGEMENT:0]# tcpdump -n -i eth0 host 172.16.10.249 and tcp port 257
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:48:32.572249 IP 172.16.10.249.53113 > 172.16.10.252.set: Flags [P.], seq 2780509983:2780510905, ack 664294655, win 42, options [nop,nop,TS val 672829816 ecr 672806427], length 922
08:48:32.572277 IP 172.16.10.252.set > 172.16.10.249.53113: Flags [.], ack 922, win 174, options [nop,nop,TS val 672834287 ecr 672829816], length 0
08:48:34.717209 IP 172.16.10.249.53113 > 172.16.10.252.set: Flags [P.], seq 922:1244, ack 1, win 42, options [nop,nop,TS val 672831961 ecr 672834287], length 322
08:48:34.717258 IP 172.16.10.252.set > 172.16.10.249.53113: Flags [.], ack 1244, win 174, options [nop,nop,TS val 672836432 ecr 672831961], length 0
08:48:40.719058 IP 172.16.10.249.53113 > 172.16.10.252.set: Flags [P.], seq 1244:1566, ack 1, win 42, options [nop,nop,TS val 672837963 ecr 672836432], length 322
08:48:40.719089 IP 172.16.10.252.set > 172.16.10.249.53113: Flags [.], ack 1566, win 174, options [nop,nop,TS val 672842434 ecr 672837963], length 0
08:48:42.719061 IP 172.16.10.249.53113 > 172.16.10.252.set: Flags [P.], seq 1566:1704, ack 1, win 42, options [nop,nop,TS val 672839963 ecr 672842434], length 138
08:48:42.719091 IP 172.16.10.252.set > 172.16.10.249.53113: Flags [.], ack 1704, win 174, options [nop,nop,TS val 672844434 ecr 672839963], length 0
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
[Expert@CP-MANAGEMENT:0]#

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events