Hi Mates.
The customer pointed out something unusual:
We can see traffic on the firewall via tcpdump, but no corresponding logs appear in SmartConsole (management).
Additionally, the latest logs available in date back to a week ago, although traffic is clearly flowing through the firewall.
Do you have any ideas on what could be causing this behavior on S1C R82?
Thanks,
Hey brother,
Just to confirm, have them verify fw is not logging locally
Have them run this on the gateway from expert -> ls -lh $FWDIR/log/fw.log
If it shows anything other than 8.2 K, it might be logging locally to itself. Or ask them to run watch -d in front of that command for 2-3 mins and see if the size is growing.
Andy
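The size check suggested in the post above, as an added shell example that is not part of the original thread: it samples a file's size over an interval instead of watching it by eye. The function names, interval and sample count are assumptions; the path is the one given in the post.

```shell
#!/bin/sh
# Added example (not from the thread): classify a log file as missing,
# static or growing by sampling its size, e.g. $FWDIR/log/fw.log on the gateway.

# file_size FILE -> prints size in bytes; fails if the file is unreadable.
file_size() {
    [ -r "$1" ] || return 1
    wc -c < "$1" | tr -d ' '
}

# log_growth FILE [INTERVAL_SECONDS] [SAMPLES]
# Prints "missing", "static <bytes>" or "growing <first> <last>".
# Exit status: 0 growing, 1 static, 2 missing.
log_growth() {
    file=$1; interval=${2:-10}; samples=${3:-12}
    first=$(file_size "$file") || { echo "missing"; return 2; }
    last=$first
    i=1
    while [ "$i" -lt "$samples" ]; do
        sleep "$interval"
        # The file can disappear between samples if it is rotated.
        cur=$(file_size "$file") || { echo "missing"; return 2; }
        # A smaller size means the file was rotated; restart the baseline.
        if [ "$cur" -lt "$last" ]; then first=$cur; fi
        last=$cur
        i=$((i + 1))
    done
    if [ "$last" -gt "$first" ]; then
        echo "growing $first $last"
        return 0
    fi
    echo "static $first"
    return 1
}

# Run against the gateway's local log only where FWDIR is defined.
if [ -n "${FWDIR:-}" ]; then
    log_growth "$FWDIR/log/fw.log" 10 12 || true
fi
```

A "growing" result points at the gateway writing logs locally rather than forwarding them; "static" at the baseline size matches the healthy case described in the post.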
Checked, bro, seems fine:
-rw-rw---- 1 admin root 8.2K Oct 1 00:00 /opt/CPsuite-R81.20/fw1/log/fw.log
Hm... that's odd, makes me wonder if it could be something S1C related. I know one time, a while back, I was working with a customer and there was some strange issue in the portal, then we tried another browser and it was fine.
Can they try that, just to make sure?
Andy
Hey brother,
Can you check with the customer please what are the last logs they see in the portal? What exact date?
Andy
Is it an existing connection (long standing, even) or a new connection?
Because the log entry will show when the connection is initially established and, with appropriate policy/log settings, update every 10 minutes or so with statistics.
Of course, if you're not seeing ANY logs, that's a different issue, and yes, you should check if you're logging locally.
cpstat fw -f log_connection from expert mode is another way to do that.
See also: https://support.checkpoint.com/results/sk/sk170331
Restarting fwd is probably all you need to do here.
It's an existing connection
On top of the other suggestions here, make sure the date / time / time zone are correct. The logs come in with a timestamp from the gateway, so if the gateway thinks it's last week then all the logs will be from last week too.
Excellent point, Emma.
Andy
yes it's correct
A couple of things:
1) Depending on the type of policy layer, if "Connection Logging" is not set for the rule matching the traffic, each individual connection will not get its own log every time. A series of related connections will be "rolled up" into a single log entry by Session Logging, with only a counter being incremented in the existing log for additional related connections. Note that Threat Prevention has its own separate log suppression mechanism. For more information about all this, see here: Max Gander: The Hidden World of Log Generation and Log Suppression at Check Point
2) It is possible that you have an indexer database issue that is keeping you from seeing the proper logs in searches, but they do actually exist in the raw log files on the SMS/Log Server, if you look directly at them without indexing. This problematic behavior became much less likely when the log indexer mechanism was reworked around R81 or so. Try disabling indexing on your SMS/Log Server, but only do this to confirm that an indexer issue is present, as doing this will make log searching very slow.
Alternatively, you can try opening the current fw.log file directly from the Logs & Monitor tab of SmartConsole to verify that the logs are really there. To do this, select the "hamburger" menu on the far right and then select File...Open Log File.
All super valid points, Tim.
Hey brother, did you end up fixing this?
Best,
Andy
Also did you capture the packets on management server on port 257? That would show if the connection at least established and firewall is sending the logs to management server on port 257
Port 257, it's established. I'm working with TAC; it is SIP traffic, btw.
Hey bro,
ONLY sip does not get logged, all else does?
Andy
yes
Silly ?, but do they have logging enabled for that rule?
Andy
Yes, the rule is log per connection.
Mind sending screenshot? Please blur out any sensitive data.
Andy
Of what? the rule is:
SRC: Network Group to DST: Network Group service any log (per connection)
can you send the actual screenshot?
K, thank you! Looks right... can you see, if you hover over the hits column, when the last hit was? Anything changed since then? Can you try to disable the rule, install policy, re-enable and install again?
Best,
Andy
Hi bro,
Note also that I've tried to put a rule above this one with the specific host involved, and the rule seems not to be matched.
I would try to do a remote with TAC, buddy, to see if it can be solved. Not sure at this point why it would stop logging out of the blue. I mean, one way to confirm would be to revert to the revision from the time it worked, but if there are lots of changes since then, it would be risky.
Andy
Sure sounds like an indexer issue to me not properly indexing SIP logs which is why you can't see them, but they are actually there. Have seen this before with VPN logs where all logs from all gateways were visible...except for VPN logs. Turn off indexing, and BAM there they are. It is possible that the gateway is not generating just the SIP logs at all, but I'd say that is less likely than an indexer issue.
Hi Tim, how can I do that? (turn off index)
Hey bro,
I believe you can do this even from smart console object, I will attach screenshot later.
Andy