Mike_A
Copper

Logging in R80.10 missing .xx on rules

Hello All, 

Since an upgrade on our P1 to R80.10, we have seen some unique logging issues (TAC is engaged and has also involved CFG, which is at ~day 90 right now with no indication as to what is causing this on a single domain).

In 11 out of 12 instances (DOMAIN1 through DOMAIN11), we have global policy assigned, a total of 89 rules, where rule 90 would start local policy. Logs show global rules hitting anywhere between 1 and 89 in SmartLog, and rules in local policy start at 90.1 - 90.X, where X is the last rule in local policy.

There is a single domain/CLM/CMA (DOMAIN12) that is showing rules 1-89 OK in SmartLog, but what would normally start at 90.1 is 90, then 91, 92, and so on. The 90.X logic is not being applied for a single domain/CLM/CMA. If I run an mdsstop_customer for the CLM in DOMAIN2, logs start being sent to the CMA, as it is the secondary log server; those logs also do not show 90.X, they are a normal 1-900 (if 900 rules were in policy). The problem is that when SmartLog is used and a rule is hit, it does not indicate the actual rule # being hit. This is the same symptom if Tracker is used as well.

Has anyone else seen this issue or resolved it?  

I've looked at sk131552, all 12 domains are configured the same, box is checked. 

5 Replies

Re: Logging in R80.10 missing .xx on rules

It's a very long shot and TAC probably checked it already, but have you checked Global Properties:

In the SmartDashboard, go to Policy menu - click on the Global Properties....

Go to SmartDashboard Customization... pane - in the Advanced Configuration section, click on the Configure... button.

Expand the Firewall-1 - click on the General.

Check the box rulebase_uids_in_log.

Mike_A
Copper

Re: Logging in R80.10 missing .xx on rules

Kaspars, thanks for the feedback. Yeah, it was the very first thing we tried. I also mentioned in my original post that this was attempted; all 12 domains are the same. I even went as far as to turn it off on the "issue" domain, installed policy and database, then enabled it again, and still experienced the same issues.

SmartLog shows incorrect rule ID - sk131552

Admin
Admin

Re: Logging in R80.10 missing .xx on rules

Send me the SR in a PM.

Mike_A
Copper

Re: Logging in R80.10 missing .xx on rules

Thanks Dameon. I have to get CFG some more information. It looks like in SMC, the numbers are not in a 90.XX format but when in SVT, the rule name represents the 90.XX_NAME. 

This is something that was just observed yesterday, so I need to gather them some more information and the raw .log file so they can observe. I don't want to waste your time, although I appreciate it! If this next round of information gathering does not get some results as to what's going on, I will send over the SR in a PM.

Thanks!

- Mike 

Mike_A
Copper

Re: Logging in R80.10 missing .xx on rules

Ok, so just adding some updates that I found here. It looks like in DOMAIN12, there is a gateway reporting rules hit correctly with the 90.XX in SVT as well as SmartLog. This gateway that is reporting in correctly is running R77.30. When I opened this ticket, all gateways in DOMAIN12 were lower than R77.30. We have a number of engineers and I am not always told when a gateway is upgraded to correlate when/if an issue goes away.

I took this logic and went on to DOMAIN11. 2 weeks ago I upgraded a cluster from R75.40 to R77.30 JHF 338. That gateway in DOMAIN11 is reporting correctly. I looked at this gateway's "sister" cluster in our second DC (same DOMAIN11), which I have not yet upgraded; it is running R77 flat. This gateway in DOMAIN11 is also NOT reporting correctly.

This does not look to be a CMA/CLM specific issue. We have such high log volume in the other domains that when SMC was used and just looked at with the naked eye, all logs looked to have had 90.XX. This looks to be a GW version specific issue, not so much Mgmt. I know Check Point always says to run the most current version of code. With that, I cannot be the only customer running R80.10 Mgmt with gateways below R77.30. Do any other customers, running R80.10 Mgmt, with gateways below R77.30 see this same behavior?

Dameon Welch-Abernathy, I'm going to take the finding above, modify DOMAIN11/12 with my real domains, as Diamond has a replication of our MDS in their lab, and I will then send you over the SR.
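The thread's symptom is easy to state but tedious to confirm by eye across high log volume: under an assigned global policy of 89 rules, local-policy hits should be logged as 90.1 ... 90.X, while the affected gateways log plain 90, 91, 92 instead. The script below is an added example (not from the original post, and not Check Point's own tooling) that scores exported log records per gateway and lists the gateways whose local-rule hits lack the .X suffix, so the correlation with gateway version that the last post arrives at can be checked mechanically instead of with the naked eye. The key=value record layout and the field names orig, ver, rule and rule_name are assumptions for the example; the sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# From the thread: the global policy has 89 rules, so local-policy rules
# should be logged as 90.1 ... 90.X once the global policy is assigned.
GLOBAL_RULE_COUNT = 89

# Constructed sample records. The key=value layout and the field names
# (orig, ver, rule, rule_name) are assumptions for this example, not a
# real Check Point export format.
SAMPLE_LOGS = [
    "orig=gw-dom12-a ver=R77.30 rule=12 rule_name=dns_out action=accept",
    "orig=gw-dom12-a ver=R77.30 rule=90.3 rule_name=90.3_web_out action=accept",
    "orig=gw-dom12-b ver=R77.10 rule=45 rule_name=ntp_out action=accept",
    "orig=gw-dom12-b ver=R77.10 rule=90 rule_name=web_out action=accept",
    "orig=gw-dom12-b ver=R77.10 rule=91 rule_name=smtp_out action=drop",
    "orig=gw-dom11-a ver=R77.30 rule=90.12 rule_name=90.12_vpn action=accept",
    "orig=gw-dom11-b ver=R77 rule=103 rule_name=legacy_ftp action=drop",
    "orig=gw-dom11-b ver=R77 action=ctl",  # control record without a rule field: skipped
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split a key=value record into a dict (assumed layout, see above)."""
    return dict(FIELD_RE.findall(line))


def classify_rule(rule, global_count=GLOBAL_RULE_COUNT):
    """Classify a logged rule number against the expected numbering.

    'global'     : plain number within the global policy range (1..global_count)
    'local'      : <global_count+1>.X form, the expected local-policy numbering
    'suspect'    : plain number beyond the global range, i.e. the .X suffix is missing
    'unexpected' : any other shape (for example 91.2)
    """
    if "." in rule:
        major, minor = rule.split(".", 1)
        if major.isdigit() and minor.isdigit() and int(major) == global_count + 1:
            return "local"
        return "unexpected"
    if rule.isdigit():
        return "global" if 1 <= int(rule) <= global_count else "suspect"
    return "unexpected"


def audit(lines, global_count=GLOBAL_RULE_COUNT):
    """Count rule-number categories per gateway, keeping the reported version."""
    report = defaultdict(lambda: {"version": None, "counts": Counter()})
    for line in lines:
        rec = parse_record(line)
        if "rule" not in rec or "orig" not in rec:
            continue  # control records and malformed lines carry no rule hit
        entry = report[rec["orig"]]
        entry["version"] = rec.get("ver", entry["version"])
        entry["counts"][classify_rule(rec["rule"], global_count)] += 1
    return dict(report)


def gateways_with_symptom(report):
    """Gateways that logged at least one local-policy hit without the .X suffix."""
    return sorted(
        (gw, entry["version"])
        for gw, entry in report.items()
        if entry["counts"]["suspect"] > 0
    )


if __name__ == "__main__":
    result = audit(SAMPLE_LOGS)
    for gw, entry in sorted(result.items()):
        print(gw, entry["version"], dict(entry["counts"]))
    print("symptom on:", gateways_with_symptom(result))
```

Run against a real export, the interesting output is the per-gateway version column next to the suspect count: if every gateway with a non-zero suspect count is below R77.30 and every gateway with only local hits is at R77.30 or newer, that is the version correlation from the last post; a gateway at R77.30 with suspect hits would point back at the management/log server side instead.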