This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
wanartisan
Contributor
‎2024-08-27 03:02 AM
Jump to solution

Traffic Logs post-migration

Hi Checkmates,

My first post. Be gentle 😉

I inherited an R80.40 (Take 211) Cloudguard Network Security environment in Azure (HA deployment). We have migrated the management to Smart-1 Cloud as part of our DR improvement and upgrade project for this environment. 

The migration went well (so management is now R81.20) but we now have no traffic logs. MaaS tunnel is up, we can push policy,  but log server shows disconnected:

Log Servers Connections
---------------------------------------------------------
|IP |Status|Status Description |Sending Rate|
---------------------------------------------------------
|100.64.0.52| 1|Log-Server Disconnected| 0|
---------------------------------------------------------

[Expert@GW_1:]# cat /etc/fw/conf/masters
[Policy]
NAME
[Log]
NAME
[Alert]
NAME

(where NAME is the name of the management server object with standard IP of 100.64.0.52).

Does anyone know how to get the Log Server  connected?

Thanks,

 

 

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2024-08-27 03:20 AM
Jump to solution

Just a thought, try installing the database to all servers, and check if the log server's SIC is up

View solution in original post

0 Kudos
wanartisan
Contributor
‎2024-09-16 03:56 AM
In response to _Val_
Jump to solution

To close this off, Install Database did work. Not sure why it didn't the first time (I'm sure it was one of the first things I did...) 

View solution in original post

0 Kudos
11 Replies
_Val_
Admin
Admin
‎2024-08-27 03:20 AM
Jump to solution

Just a thought, try installing the database to all servers, and check if the log server's SIC is up

0 Kudos
wanartisan
Contributor
‎2024-08-27 03:30 AM
In response to _Val_
Jump to solution

I'm sure I did that. I was following sk38848. Also checked masters file is not immutable. 

The log server is the Smart-1 Cloud so SIC is working. 

None of the connectivity tests work from that sk. But there is a route

100.64.0.0 * 255.255.255.0 U 0 0 0 maas_tunnel

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-08-27 05:20 AM
In response to wanartisan
Jump to solution

Hi @wanartisan 

What does the #cpstat mg -f log_server say?

The main IP of the SmartCenter changed?

Last time, I ran into almost the same issue. In that scenario the SmartCenter was on-prem, and the GW-s were in Cloud, The GW-s send the logs to  the wrong IP, the main IP of the smartCenter was unreachable for them. (because of routing and security issues)

We changed the LOG IP in masters file on the  GWs, according to this articles:

https://support.checkpoint.com/results/sk/sk40090

https://support.checkpoint.com/results/sk/sk105280 

and a few related articles:

https://support.checkpoint.com/results/sk/sk146112

https://support.checkpoint.com/results/sk/sk102712

I hope it helps,

 

Akos

 

 

 

----------------
\m/_(>_<)_\m/
wanartisan
Contributor
‎2024-08-27 05:30 AM
In response to AkosBakos
Jump to solution

[Expert@GW1:0]# cpstat mg -f log_server
No product has flag 'mg'

Yes, the log server IP has changed to 100.64.0.52 which is the same IP Smart-1 Cloud always uses for the management object. In cplog_debug.elg you can see the migration script changes the IP

 

[9611 3981629376]fwd@GW1[Thu Aug 15 20:55:12 2024] ResetLogServers: The ip of [MGMT_NAME] was changed, the old ip is [OLD IP], the new ip is 100.64.0.52

The log also shows connectivity good to the old IP then connectivity failing to the new IP. 

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-08-27 05:37 AM
In response to wanartisan
Jump to solution

Hi @wanartisan 

Sorry, de correct syntax for LOG servers is this: cpstat ls  -f logging

Try to edit the MASTERS file, check this https://support.checkpoint.com/results/sk/sk105280

PART 2: Edit the $FWDIR/conf/masters file to contain the desired IP address of the Log Server

Cheers,

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
wanartisan
Contributor
‎2024-08-27 05:47 AM
In response to AkosBakos
Jump to solution

[Expert@GW1:0]# cpstat ls -f logging
No product has flag 'ls'

If you see my output above for cat /etc/fw/conf/masters you should see that the log server is set to the management object and that management object has the new IP of 100.64.0.52. 

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-08-27 07:05 AM
In response to wanartisan
Jump to solution

Hi @wanartisan 

In this case the NAME means de FQDN of the SmartCenter?
When I modified the masters file, i used IP insted of FQDN.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
wanartisan
Contributor
‎2024-08-27 07:48 AM
In response to AkosBakos
Jump to solution

Hi,

Yes NAME = the name of the object in SmartConsole (with IP 100.64.0.52).

I am a bit sceptical this change will help if the IP connectivity tests to the LogServer (Samrt-1 Cloud) aren't working.  

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-08-27 07:53 AM
In response to wanartisan
Jump to solution

Hi @wanartisan 

Yes, first the connectivity.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
_Val_
Admin
Admin
‎2024-08-27 11:48 PM
In response to wanartisan
Jump to solution

If connectivity does not work at all, that must be your clue. If you are still struggling with it, I suggest a TAC case.

(1)
wanartisan
Contributor
‎2024-09-16 03:56 AM
In response to _Val_
Jump to solution

To close this off, Install Database did work. Not sure why it didn't the first time (I'm sure it was one of the first things I did...) 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events