Mike_A
Advisor

Logging in R80.10 missing .xx on rules

Hello All, 

Since an upgrade on our P1 to R80.10, we have seen some unique logging issues (TAC is engaged and has also involved CFG, which is at ~day 90 right now with no indication as to what is causing this on a single domain).

In 11 out of 12 instances (DOMAIN1 through DOMAIN11), we have global policy assigned, a total of 89 rules, where rule 90 would start local policy. Logs show global rules hitting anywhere between 1-89 in SmartLog, and rules in local policy start at 90.1 - 90.X, where X is the last rule in local policy. 

There is a single domain/CLM/CMA (DOMAIN12) that is showing rules 1-89 OK in SmartLog, but what would normally start at 90.1 is 90, then 91, 92 and so on. The 90.X logic is not being applied for a single domain/CLM/CMA. If I run an mdsstop_customer for the CLM in DOMAIN2, logs start being sent to the CMA, as it is the secondary log server; those logs also do not show 90.X, they are a normal 1-900 (if 900 rules were in policy). The problem is that when SmartLog is used and a rule is hit, it does not indicate the actual rule # being hit. This is the same symptom if Tracker is used as well. 

Has anyone else seen this issue or resolved it?  

I've looked at sk131552, all 12 domains are configured the same, box is checked. 

12 Replies
Kaspars_Zibarts
Employee

It's a very long shot and TAC probably checked it already, but have you checked global properties:

In the SmartDashboard, go to Policy menu - click on the Global Properties....

Go to SmartDashboard Customization... pane - in the Advanced Configuration section, click on the Configure... button.

Expand the Firewall-1 - click on the General.

check box rulebase_uids_in_log

Mike_A
Advisor

Kaspars, thanks for the feedback. Yeah, it was the very first thing we tried. I also mentioned in my original post that this was attempted; all 12 domains are the same. I even went as far as to turn it off on the "issue" domain, install policy and database, then enable it again. Still experienced the same issues.  

SmartLog shows incorrect rule ID - sk131552

PhoneBoy
Admin

Send me the SR in a PM.

Mike_A
Advisor

Thanks Dameon. I have to get CFG some more information. It looks like in SMC, the numbers are not in a 90.XX format but when in SVT, the rule name represents the 90.XX_NAME. 

This is something that was just observed yesterday, so I need to gather them some more information and the raw .log file so they can observe. I don't want to waste your time, although I appreciate it! If this next round of information gathering does not get some results as to what's going on, I will send over the SR in a PM. 

Thanks!

- Mike 

Mike_A
Advisor

Ok, so just adding some updates that I found here. It looks like in DOMAIN12, there is a gateway reporting rules hit correctly with the 90.XX in SVT as well as SmartLog. This gateway that is reporting in correctly is running R77.30. When I opened this ticket all gateways in DOMAIN12 were lower than R77.30. We have a number of engineers and I am not always told when a gateway is upgraded to correlate when/if an issue goes away. 

I took this logic and went on to DOMAIN11. 2 weeks ago I upgraded a cluster from R75.40 to R77.30 JHF 338. That gateway in DOMAIN11 is reporting correctly. I looked at this gateway's "sister" cluster in our second DC (same DOMAIN11) which I have not yet upgraded; it is running R77 flat. This gateway in DOMAIN11 is also NOT reporting correctly.

This does not look to be a CMA/CLM specific issue. We have such high log volume in the other domains that when SMC was used and just looked at with the naked eye, all logs looked to have had 90.XX. This looks to be a GW version specific issue, not so much Mgmt. I know Check Point always says to run the most current version of code. With that, I cannot be the only customer running R80.10 Mgmt with gateways below R77.30. Do any other customers, running R80.10 Mgmt with gateways below R77.30, see this same behavior? 

Dameon Welch-Abernathy, I'm going to take the finding above, modify the DOMAIN11/12 with my real domains, as Diamond has a replication of our MDS in their lab, and I will then send you over the SR. 

DIEHARD
Participant

Did you ever find the answer to this?

I am experiencing the same thing after upgrading my MDS and Firewalls to R80.40. Previously in R80.20 it was working as expected.

The logs now however only show the base rule number "51" and not the "51.135" as expected. I can go into the log and select the Matched Rules tab and see the sub rule that was hit but this is frustrating to have to do.

I tried the fix in sk131552 but that option was already selected.

I can open a case, but figured that as what you are describing is pretty much what I am seeing, maybe whatever you were able to do to fix this will still be the case for me, assuming you did get this resolved! 😉

Let me know!

EDIT: I should note that it does show the correct Access Rule Name and Number if it manages to hit the cleanup rule at the end.. but that's the only time it shows up correctly in the logs.
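Added example (not code from the thread or from Check Point): a small post-processor for exported log records that recovers the X.Y sub-rule number when the log's rule column only carries the base number. It uses the two clues the thread reports: Mike_A's observation that the SVT rule name carried the number as "90.XX_NAME", and DIEHARD's observation that the Matched Rules detail still lists the sub-rule. The field names `rule`, `rule_name` and `matched_rules`, and the record layout, are assumptions about a CSV/JSON export; the sample records are constructed, not real logs.

```python
"""Recover the X.Y sub-rule number from exported Check Point log records.

Added example, not part of the thread. Field names ('rule', 'rule_name',
'matched_rules') and the record layout are ASSUMPTIONS about a log export;
adapt them to whatever your own export actually produces.
"""
import re

# Rule names of the form "90.12_SomeName" (the convention observed in
# SmartView Tracker) carry the sub-rule number before the first underscore.
_NAME_PREFIX = re.compile(r"^(\d+\.\d+)(?:_|$)")


def effective_rule(record: dict) -> str:
    """Return the most specific rule number the record supports.

    Precedence:
      1. 'rule' already has the X.Y form          -> trust it
      2. 'rule_name' starts with "X.Y_"           -> derive from the name
      3. 'matched_rules' (Matched Rules tab) has an X.Y entry that extends
         the base number                           -> take the deepest one
      4. otherwise                                 -> the bare 'rule' value
    """
    base = str(record.get("rule", "")).strip()
    if "." in base:
        return base
    m = _NAME_PREFIX.match(str(record.get("rule_name", "")))
    if m and (not base or m.group(1).split(".")[0] == base):
        return m.group(1)
    for entry in reversed(record.get("matched_rules") or []):
        number = str(entry.get("rule", "")).strip()
        if "." in number and (not base or number.split(".")[0] == base):
            return number
    return base


def filter_by_rule(records, wanted: str) -> list:
    """Return the records whose effective rule number equals `wanted`,
    e.g. '51.135', which is what the right-click filter in SmartLog no
    longer lets you do when only '51' is displayed."""
    return [r for r in records if effective_rule(r) == wanted]


# Constructed sample records (not real log data), mirroring the thread's symptoms:
# an Accept that shows only the base number, an SVT-style name, a Drop on the
# cleanup rule that is shown correctly, and a global rule with no sub-rule.
SAMPLE_LOGS = [
    {"action": "Accept", "rule": "51", "rule_name": "Allow-DNS",
     "matched_rules": [{"rule": "51", "layer": "Network"},
                       {"rule": "51.135", "layer": "Network"}]},
    {"action": "Accept", "rule": "90", "rule_name": "90.12_Web-Out"},
    {"action": "Drop", "rule": "51.1000", "rule_name": "Cleanup rule"},
    {"action": "Accept", "rule": "7", "rule_name": "Global-Mgmt"},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(rec["action"], rec["rule"], "->", effective_rule(rec))
    print("hits on 51.135:", len(filter_by_rule(SAMPLE_LOGS, "51.135")))
```

The precedence order matters: a rule name is user-controlled text, so the derived number is only accepted when its base part agrees with the `rule` field, and the Matched Rules list is walked from the deepest entry backwards so that a parent-layer entry does not shadow the sub-rule.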

Dror_Aharony
Employee Alumnus

R80.40 for both MDS & Gateways.

R80.20 worked as expected - interesting.


Can you share a picture of your matched rules to see the exact policy's layers in this scenario.

is your desired rule in the 1st 'FW' layer?


DIEHARD
Participant

Here are examples of what I am seeing. This is just a snippet, but I think it has enough detail to show what I am seeing.

You can see the Drop cleanup rule shows the exact rule # but anything that is accepted does not.

[Image: Log Output.JPG]

If I go into one of the logs. You can see it does have the exact rule that was matched listed.

[Image: Log Output Details.JPG]

Here is the rule it is matching.

[Image: Rule Number.JPG]

Dror_Aharony
Employee Alumnus

I see. Drop rules are shown properly with X.Y, but Accept rules do not.

Are you sure these same Logs of Accept rules were shown properly as 51.1 (X.y) on R80.20?

I'll look into it...


DIEHARD
Participant

Yup, it used to show the exact rule hit for the accept rules. It also showed the correct Access Rule Name too.

DIEHARD
Participant

Obviously a crazy week, but has anyone found anything on this yet? I would just open a ticket, but no one seems to be responding to open tickets right now anyway, so I am hoping the forums can help.

DIEHARD
Participant

I will open a TAC case on this, I guess, as it's very frustrating to no longer be able to simply right-click and add to a filter when you don't see the exact rule being matched. Also, having to open each individual log to see what rule is actually being hit is just too time consuming.

If anyone has heard anything further on this let me know!
