This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
OlKuts
Explorer
‎2022-02-21 04:04 AM

Gateways cannot send logs to DMS behind NAT after NAT address was changed

Hi,

 

We had MDS in HA with different DMS.  Gateways send logs to MDS using NATted address. 

All was ok before we changed public address for NAT for one of DMS. After we changed it gateways started logging locally and cannot send logs to Management Server.

IP was changed on SmartConsole and following sk103356.

cpstat fw -f log_connection shows:

Overall Status Description: Security Gateway is unable to report logs to any log server
Local Logging Mode Description: Writing logs locally due to connectivity problems

 

How can we fix it?

 

Thanks.

 

0 Kudos
3 Replies
Timothy_Hall
Champion
Champion
‎2022-02-21 07:14 AM

On a gateway that is logging locally, what IP address is the gateway trying to reach for sending logs?  Run netstat -an | grep :257 to to check this.  If it is still trying to send to the old IP address and policy has already been reinstalled, you'll probably need to kill the fwd daemon and let it restart.  Note that doing so will cause a failover in a HA environment and may cause brief traffic issues.  I've seen many situations where fwd refuses to let go of an old logging address, even though policy has been reinstalled with the new one set and restarting fwd is the only way to fix it.

If it is sending to the right NAT address you have some other connectivity issue, probably at the intervening gateway that is actually performing the NAT operation for the logging port 257 traffic.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
OlKuts
Explorer
‎2022-02-22 03:50 AM
In response to Timothy_Hall

Thanks for your reply.

As I see gateways try to send logs to the new IP, but cpstat fw -f log_connection shows that Logs Servers are disconnected.

Also firstly I didn't do SIC reset on gateways, only changed IP for console object (Management Public IP) and in registry following sk103356. But when I did SIC reset after - IP in the registry has changed back to the old one.

New IP is from the same network as old one, that's why very strange what connectivity issue can be for it.

Do I need to make any changes on the MDS side?

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-02-22 08:10 AM
In response to OlKuts

Yes so it is trying to hit the correct IP address for logging, but what is the state of the port 257 connection shown on the gateway by netstat?  SYN_SENT?  CONNECTED?  FIN?

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos