This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
D_Riddleberger
Contributor
Contributor
‎2025-04-09 07:07 AM

Maestro Audit Logs - Deleted IP Address 192.0.2.2 on logical interface (Sync)

Maestro - Seeing these events in Audit Logs

Delete Object - Deleted IP Address 192.0.2.2 on logical interface (Sync).

Set Object - Logical Interface (Sync) is configured with IP Address 192.0.2.2/24

 

Seems to be occurring in the evenings several times per week and the two events will repeat multiple times and then subside. There are no reports of any traffic issues during these times.

MHO is R81.20 HF-92 and SGMs are R81.20 HF-76

The events can also be seen in a SmartLog search using criteria - objectname:Interfaces

0 Kudos
6 Replies
Lesley
Authority Authority
Authority
‎2025-04-14 12:25 PM

Any clues in /var/log/messages during issue? Does this event occurs during policy push? 

Maybe quick hardware / port check of the Sync port, to make sure it works as it should:

https://support.checkpoint.com/results/sk/sk180812

-------
If you like this post please give a thumbs up(kudo)! 🙂
D_Riddleberger
Contributor
Contributor
‎2025-04-15 11:47 AM
In response to Lesley

April 15, 2025

Detailed analysis shows these may be related to reboots, although not initially confirmed as a scheduled reboot but an unscheduled reboot which was more so related to an HFA update. More to come as the Audit logs showing details for 'Deleted IP Address 192.0.2.2 on logical interface (Sync)' are well preserved but not always the case with message files and cpuse install details.

0 Kudos
D_Riddleberger
Contributor
Contributor
‎2025-04-17 05:58 AM
In response to D_Riddleberger

April 17, 2025.

We can positively say that this error is directly related to SGM reboots. So now we know who, what, where and when but 'why' is still not determined. 

0 Kudos
Lesley
Authority Authority
Authority
‎2025-04-17 12:19 PM
In response to D_Riddleberger

JHF installation can ofcourse change config on the unit itself. So question is, does this only happen during JHF install? Or every reboot? Is there any impact? 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
D_Riddleberger
Contributor
Contributor
‎2025-04-18 08:33 AM
In response to Lesley

According to our records it occurs whenever there is a reboot and the specific 192.0.2.x IP address in the audit logs would correlate to the Sync IP address of the associated SGM being rebooted. Because reboots and/or HFA installs are 'scheduled' and performed off-hours, there has not been any reported impacts. I also suspect that with Maestro's SGM load-balancing, then there would most likely never be a report of an outage. That is, unless all SGM's were being rebooted and/or upgraded at the same time and in that case, there would certainly be a scheduled outage. We are still investigating the 'why' factor. More to come....

0 Kudos
D_Riddleberger
Contributor
Contributor
a month ago
In response to D_Riddleberger

8/12/25 - Update received from TAC, there is a fix coming, no ETA at this time but the fix id is PMTR-116320. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events