RemoteUser
Advisor

fw.log is up to 8.2k

What does it mean?
Why is it not 8.2k?

ls -lh $FWDIR/log/fw.log
-rw-rw---- 1 admin root 1.1G Oct 15 09:40 /opt/CPsuite-R81.20/fw1/log/fw.log


14 Replies
the_rock
MVP Platinum

It means it's logging locally, my friend.

Andy

Best,
Andy
RemoteUser
Advisor

Is there documentation about that? Because I don't see anything related.

Bob_Zimmerman
MVP Gold

It means the system is logging locally. This is normal for a log server. If the system is a firewall, it generally means it can't talk to its configured log servers.

RemoteUser
Advisor

This is the output from one member of an HA cluster.

the_rock
MVP Platinum

Just do cprestart, easiest way to fix it, since it's a cluster.

Best,
Andy
the_rock
MVP Platinum

Or even better, just restart the fwd process, since that's responsible for logging.

Andy

Best,
Andy
RemoteUser
Advisor

OK brother, thanks, but why 8.2k? So if a gateway has 8.2k+, does that mean it doesn't send logs to mgmt?

the_rock
MVP Platinum

That's a "magic" number, buddy; it's been like that since R55 or before, lol. Point is, it could be 82M; as long as the number does NOT go up, that's the key.

It means exactly what you said: it's not sending to mgmt, it's logging locally.

Andy

Best,
Andy
the_rock
MVP Platinum

Here are the steps:

  1. Log in to Expert mode: Connect to the command line and log in to Expert mode.
  2. Stop the FWD daemon: Run cpwd_admin stop -name FWD.
  3. Start the FWD daemon: Run cpwd_admin start -name FWD to restart it.

Andy

Best,
Andy
the_rock
MVP Platinum

Btw, IF you end up doing cpstop; cpstart, please remember that cpstop always unloads the current policy; just something to keep in mind.

Andy

Best,
Andy
Duane_Toler
MVP Silver

On the cluster gateway, you can run this command to see if it's connected to the management server (or log server, whichever is appropriate for you):

cpstat -f log_connection fw

If the log server is not reporting "Connected", then you may need to do some troubleshooting to learn why.

You can see what logging connections are attempted by running this "netstat" command:

netstat -anp |grep ':257'

This will tell you what remote IP the gateway is attempting to reach. If you see "ESTABLISHED", then the gateway is connected to a log server of some kind. If you see anything else, then you have some kind of network issue.

Look at the "masters" file to see if there is some error or other issue:

ls -l $FWDIR/conf/masters
lsattr $FWDIR/conf/masters
cat $FWDIR/conf/masters

If you see "----i----------- /etc/fw/conf/masters" in the output of the second command, that means your file is read-only (immutable) and it cannot be updated each time you do a policy install. You often need this if your management server is hosted behind a NAT gateway, such as a CloudGuard management host.

If the output of the third command looks wrong, then you need to learn why.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
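The three signals from this thread (fw.log size that keeps going up, the "Connected" state from cpstat -f log_connection fw, and TCP/257 sessions from netstat) can be combined into one read-only triage helper. This is an added example, not code from the thread or from Check Point; the cpstat and netstat text it parses is a constructed sample with an assumed layout, so adjust the patterns to what your version actually prints.

```shell
#!/bin/bash
# Added example (not from the thread or Check Point): read-only triage for a
# gateway whose fw.log keeps growing. It parses text only, so the helpers can
# be dry-run on the constructed samples below before pointing them at a box.

FWDIR=${FWDIR:-/opt/CPsuite-R81.20/fw1}   # install path seen in the question

# fwlog_growing SIZE_BEFORE SIZE_AFTER -> exit 0 if the local fw.log grew.
# Per the thread, a size that does not go up is fine; growth means local logging.
fwlog_growing() { [ "$2" -gt "$1" ]; }

# Sample $FWDIR/log/fw.log twice, $1 seconds apart (default 10), on a live gateway.
fwlog_growing_live() {
    local before after
    before=$(stat -c %s "$FWDIR/log/fw.log") || return 2
    sleep "${1:-10}"
    after=$(stat -c %s "$FWDIR/log/fw.log") || return 2
    fwlog_growing "$before" "$after"
}

# log_connection_state < cpstat-output -> prints "connected" or "not connected".
# Looks for the word the thread mentions; real cpstat wording may differ (assumed).
log_connection_state() {
    tr 'A-Z' 'a-z' | grep -oE 'not connected|connected' | head -n 1
}

# established_257 < netstat-output -> count of ESTABLISHED sessions whose
# remote side is port 257 (the log-forwarding port grepped for above).
established_257() {
    awk '$5 ~ /:257$/ && $6 == "ESTABLISHED" { n++ } END { print n+0 }'
}

# Constructed sample output (assumed format, documentation-range IPs) for offline use.
SAMPLE_CPSTAT='Log Server Connection
Status:            Not Connected
Log Server IP:     192.0.2.10'
SAMPLE_NETSTAT='tcp  0  0 192.0.2.20:41234  192.0.2.10:257  SYN_SENT     1234/fwd
tcp  0  0 192.0.2.20:41235  192.0.2.11:257  ESTABLISHED  1234/fwd'

# triage -> one summary line built from the three parsed signals (sample data).
triage() {
    local st n g
    st=$(printf '%s\n' "$SAMPLE_CPSTAT" | log_connection_state)
    n=$(printf '%s\n' "$SAMPLE_NETSTAT" | established_257)
    fwlog_growing 1100000000 1100004096 && g=growing || g=stable
    echo "fw.log=$g log_connection=$st established_257=$n"
}
```

On a real gateway, replace the sample variables with `cpstat -f log_connection fw | log_connection_state` and `netstat -anp | established_257`, and use fwlog_growing_live instead of the hard-coded sizes.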
the_rock
MVP Platinum

Yes sir! All good points.

I believe the sk below is also a great reference.

Andy

https://support.checkpoint.com/results/sk/sk40090

Best,
Andy
RemoteUser
Advisor

Thanks all for the tips!!

the_rock
MVP Platinum

Glad we can help bro!

Best,
Andy