Got one Check Point gateway not sending logs to server/manager.
Gateway running R80.10.
Some checks from this list:
results:
2. not running out of disk space, other gateways successfully send logs
3. Log setting correct, same as for gateways that do send logs
4. SIC working
6.
-sh-3.1# netstat -anp | grep ":257"
tcp 0 0 0.0.0.0:257 0.0.0.0:* LISTEN 9971/fwd
8. No logs coming from particular gw to server/manager while checking with tcpdump on port 257
Checking on gateway with tcpdump, tcp port 257 is used, looking like this:
22:55:20.502921 IP 212.123.209.155.64684 > 10.44.5.250.set: S 2036222826:2036222826(0) win 5840 <mss 1460,sackOK,timestamp 39556535 0,nop,wscale 10>
22:55:35.505245 IP GatewayA.45059 > manager/server.set: S 671424545:671424545(0) win 5840 <mss 1460,sackOK,timestamp 39571537 0,nop,wscale 10>
22:55:50.508439 IP GatewayA.46031 > manager/server.set: S 2285159981:2285159981(0) win 5840 <mss 1460,sackOK,timestamp 39586541 0,nop,wscale 10>
22:56:05.510607 IP GatewayA.52013 > manager/server.set: S 2007497722:2007497722(0) win 5840 <mss 1460,sackOK,timestamp 39601543 0,nop,wscale 10>
22:56:20.513890 IP GatewayA.65038 > manager/server.set: S 2658388405:2658388405(0) win 5840 <mss 1460,sackOK,timestamp 39616546 0,nop,wscale 10>
22:56:35.516815 IP GatewayA.39510 > manager/server.set: S 35097244:35097244(0) win 5840 <mss 1460,sackOK,timestamp 39631549 0,nop,wscale 10>
22:56:50.519180 IP GatewayA.55705 > manager/server.set: S 838505804:838505804(0) win 5840 <mss 1460,sackOK,timestamp 39646551 0,nop,wscale 10>
22:57:05.521406 IP GatewayA.41441 > manager/server.set: S 3340929611:3340929611(0) win 5840 <mss 1460,sackOK,timestamp 39661554 0,nop,wscale 10>
10. Firewall log on gw is indeed growing locally
checked with
# watch -d -n 2 "ls -l $FWDIR/log/fw.log"
11.
# cat $FWDIR/conf/masters
showing name of manager/server
Point #8 above - we can only see TCP SYN sent from GW to MGMT on port 257 but there is no response. So it does not look like traffic is reaching MGMT server. Looks like you have another firewall in the path btw (gateway has public IP and mgmt private) so check that one too. Also you may run tcpdump on Mgmt server to see if traffic actually arrives from this GW.
You probably want to exclude actual IPs from here... it's a public space
I added Management server host to the Gateway to enable it to resolve the name to a Public IP.
Below is the receipt of traffic on port 257, tcpdumped on the management server for the gateway IP.
However, when looking for the logs in the manager in the Smart dashboard (logs & monitor), it is still empty for the gateway.
-sh-3.1# tcpdump -n -i any host <Public IP Gateway> and tcp port 257
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
08:33:38.691310 IP <Public IP Gateway>.54526 > 10.44.5.250.set: S 859164784:859164784(0) win 5840 <mss 1460,sackOK,timestamp 78244671 0,nop,wscale 10>
08:33:39.116553 IP <Private IP Manager>.set > <Public IP Gateway>.54526: S 1179360162:1179360162(0) ack 859164785 win 5792<mss 1460,sackOK,timestamp 644653394 78244671,nop,wscale 10>
08:33:38.709728 IP <Public IP Gateway>.54526 > <Private IP Manager>.set: . ack 1 win 6 <nop,nop,timestamp 78244690 644653394>
08:34:38.710260 IP <Private IP Manager>.set > <Public IP Gateway>.54526: F 1:1(0) ack 1 win 6 <nop,nop,timestamp 644713414 78244690>
08:34:38.728833 IP <Public IP Gateway>.54526 > <Private IP Manager>.set: F 1:1(0) ack 2 win 6 <nop,nop,timestamp 78304714 644713414>
08:34:38.728854 IP <Private IP Manager>.set > <Public IP Gateway>.54526: . ack 2 win 6 <nop,nop,timestamp 644713432 78304714>
You probably will have to check one of these as a next step
Troubleshooting "SmartCenter behind NAT" issues
Looking at the tcpdump - it stops the TCP connection almost instantly, so it looks like Mgmt does not "recognise" that GW
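Added example, not from this thread or from Check Point: a small Python triage helper that parses tcpdump lines in the format shown above and gives each port-257 flow a verdict, so the two captures in this thread (SYNs with no reply on the gateway side; a handshake that management closes without any payload) are told apart automatically. The addresses and sample lines are constructed placeholders, and the verdict wording follows the diagnosis given in this thread rather than any vendor documentation.

```python
import re

# Classic tcpdump output as printed in this thread; tcpdump shows TCP 257 by its /etc/services name "set".
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): ([SFRP.]+)(?: \d+:\d+\((\d+)\))?")
LOG_PORTS = {"257", "set"}  # Check Point gateway -> management log channel

VERDICT = {  # what each flow state usually means for a gateway that is not logging
    "no-reply": "SYN unanswered: packets never reach management (routing, NAT, upstream firewall)",
    "handshake-only": "TCP came up, then closed with no payload: management does not recognise this gateway (masters, SIC, management NAT)",
    "data": "log payload exchanged: transport is fine, look at log settings instead",
    "open-idle": "handshake done, no payload yet within this capture window",
}

def parse_line(line):  # -> (gateway_ip, gateway_port, from_mgmt, flags, payload_len) or None
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags, plen = m.groups()
    if dport in LOG_PORTS:
        return src, sport, False, flags, int(plen or 0)
    if sport in LOG_PORTS:
        return dst, dport, True, flags, int(plen or 0)

def classify(lines):  # one verdict key per (gateway_ip, gateway_port) flow in the capture
    flows = {}
    for rec in filter(None, map(parse_line, lines)):
        gw, port, from_mgmt, flags, plen = rec
        st = flows.setdefault((gw, port), {"synack": False, "fin": False, "data": 0})
        st["synack"] |= from_mgmt and "S" in flags   # SYN-ACK coming back from management
        st["fin"] |= "F" in flags
        st["data"] += plen
    def state(st):
        if not st["synack"]:
            return "no-reply"
        if st["data"]:
            return "data"
        return "handshake-only" if st["fin"] else "open-idle"
    return {key: state(st) for key, st in flows.items()}

# Constructed sample lines (placeholder addresses) in the shape of the two captures in this thread.
GATEWAY_CAPTURE = [
    "22:55:20.502921 IP 192.0.2.10.64684 > 10.0.0.5.set: S 2036222826:2036222826(0) win 5840 <mss 1460>",
    "22:55:35.505245 IP 192.0.2.10.45059 > 10.0.0.5.set: S 671424545:671424545(0) win 5840 <mss 1460>",
]
MGMT_CAPTURE = [
    "08:33:38.691310 IP 192.0.2.10.54526 > 10.0.0.5.set: S 859164784:859164784(0) win 5840 <mss 1460>",
    "08:33:39.116553 IP 10.0.0.5.set > 192.0.2.10.54526: S 1179360162:1179360162(0) ack 859164785 win 5792",
    "08:33:38.709728 IP 192.0.2.10.54526 > 10.0.0.5.set: . ack 1 win 6 <nop,nop,timestamp 78244690 644653394>",
    "08:34:38.710260 IP 10.0.0.5.set > 192.0.2.10.54526: F 1:1(0) ack 1 win 6 <nop,nop,timestamp 644713414 78244690>",
]
```

Feed it the output of `tcpdump -n ... tcp port 257` from either side; every gateway flow ending in "handshake-only" is the pattern discussed in this thread, while "no-reply" points back at point #8.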
Unfortunately no access to that Troubleshooting article with my account, yet...
Dameon Welch Abernathy - (need to run by CP) can this article be given to the user as it seems appropriate for his case?
Unfortunately, we can't grant access to SKs.
I sometimes ask the SK team to adjust an article to a different permission level.
Do you have a "Log Implied Rules" enabled in the Global Properties, or have you defined a specific rule to log this traffic?
When you are saying that "I added Management server host to the Gateway to enable it to resolve the name to a Public IP.", are you hiding behind gateway's IP or have you assigned a separate public IP with Static NAT?
Log implied rules is not ticked, but I have created some rules specific to the gw with the logging option enabled.
What I meant is that I added the Management server public IP to the Web UI of the gateway, in order for the gw to resolve the name to the correct (public) IP.
Management server is behind NAT.
Try doing the following: