
Cannot open packet capture files in ips log

Hi,

There is a newly installed VS on a VSX cluster where we cannot open or download the packet capture file from the log entry. Forensics is enabled in tracking and the files are generated, but when clicking on the cap file link in the log entry in SmartConsole, we only get

"failed at getting the incident file from the gateway"

 

The $FWDIR/log/forensics folder is empty on the VS and VS0, and there is nothing on the log server either.

Is there a time limit for how long these files are accessible, and can this then be adjusted? Or is this a bug?

The vsx cluster is running R80.30.


Re: Cannot open packet capture files in ips log

Try bringing up the log entries and associated captures using the old SmartView Tracker (CPlgv.exe).  Does that work?  This will help determine if it is some kind of SmartEvent problem.  Also try bringing up the capture via the SmartView web interface at https://(IP OF SMS)/smartview

If none of these alternative options work, something is broken with the transfer of IPS packet captures, which should be transferred automatically between the VS gateway and the Log Server/SMS when they are taken.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Re: Cannot open packet capture files in ips log

 

Hi,

 

Thanks for the response. Tried accessing both alternatives, but no option to download, as the packet capture is not a proper link, just text.

So this further strengthens the theory that it is a bug, so I have opened a case with TAC.

 

 


Re: Cannot open packet capture files in ips log

OK, please post and let us know what you find out with TAC.
