Hi all,
GW: R81.20
SMS: R81.20, will be upgraded to R82
The management server upgrade is planned, and I would like to make sure no logs are lost during the upgrade.
The cluster is configured to send its log to management server.
I know a gateway stores its logs temporarily when there is no connection to an associated management server, but I would rather configure the gateway to do so just to make sure.
My rough draft plan is:
1. Configure the GWs to store their logs on themselves.
2. Upgrade the management server.
3. Check SIC status.
4. FTP the locally stored logs from the gateways to the management server's /var/log/.
5. chmod and chown the log files, giving them the same permissions and owner.
6. cpstop/cpstart to make sure the management server recognizes the log files.
Do you reckon this is achievable?
I am not sure whether just putting the logs in /var/log/ is enough or not.
Saitoh
The gateway will store logs locally while the management server is not available; this is something you can rely upon. If you want, though, you can manually enable it for the duration.
To have the locally stored logs transfer over to the management server, open your gateway properties, expand out Logging, and go to Additional Logging Configuration. At the top of that pane you have Log Forwarding Settings. Enable this to forward logs to your management server at Midnight. This way, at midnight every day, any logs stored on the gateway will be transferred over to the management server and removed off the gateway, saving disk space on the gateway and keeping all your logs in the same place. No need to worry about manually copying files or setting permissions or any of that.
Hi,
This should not need to be done before the mgmt upgrade. Just make sure that before the upgrade you check the disk space on the firewall itself. If there is enough space in /var/log you should be OK.
On the mgmt, check the dir where the logs are located and see how many GB of logs are created per day. For example, if there are 10 log files, 2 GB each, for 1 day, you need 20 GB free on the firewall itself if your mgmt will be down for 24 hours.
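The sizing check described in the reply above, as an added example that is not part of the original thread: it totals an `ls -l` listing per day, scales the busiest day to the planned outage, and compares the result with free space under /var/log. The sample listing, the function names and the 20% margin are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: size gateway disk headroom for a management outage.
# Constructed sample listing: ten 2 GB files on one day, one 1 GB file the day before.
sample_listing() {
  i=0
  while [ "$i" -lt 10 ]; do
    echo "-rw-rw---- 1 admin root 2147483648 Mar 15 0$i:00 sample_$i.log"
    i=$((i + 1))
  done
  echo "-rw-rw---- 1 admin root 1073741824 Mar 14 23:59 sample_old.log"
}

# Read plain `ls -l` lines on stdin, total file sizes per day (month + day
# columns), and print the busiest day's total in bytes.
peak_day_bytes() {
  awk '$1 ~ /^-/ { sum[$6 " " $7] += $5 }
       END { for (d in sum) if (sum[d] > max) max = sum[d]
             printf "%.0f\n", max }'
}

# required_bytes PEAK_BYTES_PER_DAY OUTAGE_HOURS MARGIN_PERCENT
required_bytes() {
  echo $(( $1 * $2 * (100 + $3) / 2400 ))
}

# Free bytes on the filesystem holding the given path (0 if df cannot read it).
free_bytes() {
  df -Pk "$1" 2>/dev/null |
    awk 'NR == 2 { printf "%.0f\n", $4 * 1024 } END { if (NR < 2) print 0 }'
}

# enough_space FREE_BYTES NEEDED_BYTES -> exit status 0 when the outage fits.
enough_space() {
  [ "$1" -ge "$2" ]
}

# Demo on the constructed listing. On a real system, pipe `ls -l` of the
# management log directory into peak_day_bytes and run free_bytes on the gateway.
peak=$(sample_listing | peak_day_bytes)
need=$(required_bytes "$peak" 24 20)
free=$(free_bytes /var/log)
if enough_space "$free" "$need"; then verdict="OK"; else verdict="INSUFFICIENT"; fi
echo "peak/day=$peak need=$need free=$free -> $verdict"
```

File modification dates stand in for "logs created per day" here, so a file written across midnight is counted on the day it was last modified.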
Hi @emmap ,
Thanks for sharing the information.
I was not sure whether local logging is reliable or not, but your comment made me believe I can rely on it.
I think it is not a common sight to stop log forwarding to the management server. Our customer wants to do so.
E/U often makes a request that does not make sense. 😞
One thing: are locally stored logs sent to the management server without any manual operation after the connection is restored?
Locally stored logs are not automatically sent to the management server unless you configured Log Forwarding on the gateway/cluster object how I described in the earlier post, unless this is a newly setup system running R82.10, when it is enabled by default.
Hi @emmap ,
I have learnt it, much appreciated!
Now I am really curious about:
Does log forwarding automatically resume right after a management server becomes available?
How often does the cluster try to resume log forwarding to the management server while logging locally?
If log forwarding goes well while local logging is working, does the gateway switch logs?
I will investigate the points above in my lab. Thanks again!
There are two things at play here: regular logging to the log targets, and the log forwarding configuration.
Regular logging will resume when the management server becomes available again after the upgrade. The gateway will regularly retry this connection. From this point, the gateway will send new logs to the management server.
Log Forwarding occurs at the regular time interval that you configure, the default in R82.10 is at midnight every day. This means that any logs that were stored locally while the gateway was unable to talk to the log server will be transferred over at midnight daily.
Hi @Lesley ,
I appreciate your comment.
The concrete idea of storage space really helps me a lot. Thank you!
Hey Saitoh,
What Lesley and Emma said is totally logical and actually fact as well.
I have been testing the local logging feature, but fw.log does not grow in size while cpstat fw -f log_connection says the cluster members are saving logs locally due to a connectivity problem, as follows:
```
# watch -d -n 10 "cpstat fw -f log_connection"
Every 10.0s: cpstat fw -f log_connection Mon Mar 16 21:21:16 2026
Overall Status: 2
Overall Status Description: Security Gateway is unable to report logs to any
log server
Local Logging Mode Description: Writing logs locally due to connectivity problem
s
Local Logging Mode Status: 2
Local Logging Sending Rate: 0
Log Handling Rate: 0
Log Servers Connections
----------------------------------------------------------
|IP |Status|Status Description |Sending Rate|
----------------------------------------------------------
|10.xxx.x.xxx| 1|Log-Server Disconnected| 0|
----------------------------------------------------------
```
The target management server has been cpstopped, so "Log-Server Disconnected" is the expected output.
I confirmed that the value of Local Logging Sending Rate etc. gets updated according to the connection, as expected.
However, the access control/audit log files in the directory $FWDIR/log/, including rotated logs, seemingly get no updates:
```
-rw-rw---- 1 admin root 8384 Mar 17 00:00 fw.log
-rw-rw---- 1 admin root 80 Mar 17 00:00 fw.logaccount_ptr
-rw-rw---- 1 admin root 80 Mar 17 00:00 fw.loginitial_ptr
-rw-rw---- 1 admin root 80 Mar 17 00:00 fw.logptr
-rw-rw---- 1 admin root 1526 Mar 17 00:00 fw.logtrack
```
Some SKs tell me that a gateway tries to write logs every 5-10 seconds, so I did not expect the modification time of the log file to be 00:00.
Is this normal behaviour?