This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cihat_Bulut
Contributor
Contributor
‎2019-01-31 11:53 PM
Jump to solution

Gateway logs on Smartlog after SMS outages

Hi,

I have network logs on my gateway when I have stopped the manager (cpstop on SMS)

On the output of my "fw log -n - p" command on gateway, I see many connection logs on that time interval. When I search the connections on my Smartlog after cpstrat of my SMS, I could not see the same connection logs on the Smartlog.

What may be the reason? Does SMS gets the logs automatically after cpstart or that I should do some manuel process?

B.R.

1 Solution

Accepted Solutions
Peter_Lyndley
Advisor
Advisor
‎2019-02-05 05:22 AM
In response to JozkoMrkvicka
Jump to solution

hi,

Just to help here, I came across several 'issues' in R77.30 where once the logging stopped to a log server , it never restarted by itself.

Only way we found was to create a dummy object in the policy, add that as the log server, push policy, then put back the original log server object, push policy again.

This was the only foolproof method we found.

However If you want to configure gateways to send any locally collected logs to the SMS/MDS once the connection is back up, you need to go under Logs > Additional Logging on the gateway or cluster object and configure Forward Logs to Log Server and specify a time interval (midnight). This may be different in R80 but certainly worked in r77.30.

thanks

Peter

View solution in original post

12 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-02-01 01:27 AM
Jump to solution

When SMS is unavailable, GWs switch to local logging. But you can manually copy the missing logs to the SMS, rebuild the index and all should be fine. Please check the document SMB security log files i wrote some time ago for details !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Cihat_Bulut
Contributor
Contributor
‎2019-02-01 01:46 AM
In response to G_W_Albrecht
Jump to solution

If I do not do this manuel process, all logs will be kept in the gateway. If I lost the gw, I will lost the logs also. I think it should be an automatic process as soon as SMS comes back online.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-02-01 01:46 AM
Jump to solution

You need to push policy and after that gateway will start logging to SMS (in case 257/tcp port is reachable towards SMS and SMS is fully cpstarted).

Kind regards,
Jozko Mrkvicka
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-02-01 01:59 AM
In response to JozkoMrkvicka
Jump to solution

Where did you get that information from ? There are some cases when policy install is necessary, but here, a cprestart on SMS will do the job. Afaik GW will connect again to the SMS when logging port 257 is open again for receiving...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-02-01 02:18 AM
In response to G_W_Albrecht
Jump to solution

The logic may be changed within R80.x, but as we are still using R77.30 (MDS / GW), it was observed like I described.

We are using 2 dedicated logservers, and in case 1 of them went down, the gateways will start logging locally no matter if logserver went up again in few minutes. We had to push the policy, or remove logserver which was down and push the policy to start logging only to one logserver. We will do maintenance on 1 logserver soon, so I can verify that behaviour again.

Kind regards,
Jozko Mrkvicka
Peter_Lyndley
Advisor
Advisor
‎2019-02-05 05:22 AM
In response to JozkoMrkvicka
Jump to solution

hi,

Just to help here, I came across several 'issues' in R77.30 where once the logging stopped to a log server , it never restarted by itself.

Only way we found was to create a dummy object in the policy, add that as the log server, push policy, then put back the original log server object, push policy again.

This was the only foolproof method we found.

However If you want to configure gateways to send any locally collected logs to the SMS/MDS once the connection is back up, you need to go under Logs > Additional Logging on the gateway or cluster object and configure Forward Logs to Log Server and specify a time interval (midnight). This may be different in R80 but certainly worked in r77.30.

thanks

Peter

Cihat_Bulut
Contributor
Contributor
‎2019-02-05 10:21 PM
In response to Peter_Lyndley
Jump to solution

Hi Peter,

Thank you for your reply. 

As I understood, it is a scheduled (at midnight) process, gw does not send the logs as soon as the sms gets online. Am I right? Then, Is there a way to make it in that way?

BR

0 Kudos
Peter_Lyndley
Advisor
Advisor
‎2019-02-06 12:50 AM
In response to Cihat_Bulut
Jump to solution

Hi ,

You can create a schedule object for whatever time you like

Thanks

Peter

Cihat_Bulut
Contributor
Contributor
‎2019-02-07 01:39 AM
In response to Peter_Lyndley
Jump to solution

I have scheduled as 3 minutes. It works. Thanks. Now the smartlog shows the outage logs and removes them from the gw. 

G_W_Albrecht
Legend Legend
Legend
‎2019-02-06 12:58 AM
In response to Cihat_Bulut
Jump to solution

There is a log file switch performed by default at midnight. Any other log file switches are additional.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-02-06 03:21 PM
In response to G_W_Albrecht
Jump to solution

If log file reached 2GB in size, then will be switched automatically.

Kind regards,
Jozko Mrkvicka
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-02-05 05:29 AM
In response to JozkoMrkvicka
Jump to solution

I see - so what i said is only true for GW sending directly to SMS only (in that deployment, logging changed to SMS again).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events