JonWilliams
Explorer

MGT server not receiving logs

Hi,

We have had an issue where our CP FWs do not send logs to the mgt server. We have had a ticket open with CP since Jan. We have had remote sessions etc. and sent logs off to them, but no joy. It stopped working after we reloaded them and applied a hotfix.

We had a workaround where we could delete the mgt server from the cluster, push a policy, add it back in again, push a policy and it would work until we pushed another policy, and then we had to repeat the process again.

This has now stopped working for some reason! We are running R80.30 on GAIA (5200) with the mgt server on a different internal IP address to the two firewalls.

I have been off work for two weeks and this could be one of the most stupid questions you have ever received, but in the rule base we have the mgt server allowed to talk to the firewalls but not the other way round. I'm sure nobody has changed this since I have been off, but would this now be a factor, or was it like this from the beginning? Excuse my ignorance, but CP is not my speciality.

Thanks

Jon.

0 Kudos
13 Replies
Dario_Perez
Employee

1.- Check if you have a NAT that can affect the SMS and GW.

2.- Create a dummy log server and change the gateway to send logs to that one, push policy and revert the changes.

3.- Check the disk space on the management (sk60080).

4.- Check on the SMS whether you are receiving logs with tcpdump -anp | grep :257 (sk40090).

0 Kudos
Tal_Paz-Fridman
Employee

Adding to what @Dario_Perez wrote, you stated that "push a policy and it would work until we pushed a another policy and we had to repeat the process again."

This definitely sounds like something in the policy might cause this. Is there another Security Gateway in-between the Security Management and other Gateways?
I would also check the Anti-Spoofing definitions (try to disable) and Implied Rule settings. 

 

Also can you share the ticket (SR) you opened with TAC?

0 Kudos
JonWilliams
Explorer

Hi, thanks guys,

The ticket with TAC is 6-0003125417.

I was on the phone with CP for two hours today.

When they edited the "masters" file and replaced the "log" name with the IP address of the mgt server, logging started straight away.

As soon as I pushed a policy it stopped working.

The command cpstat fw -f log_connection showed the floating public IP address as the log server after the policy was pushed, which is the issue.

When they edited the masters file with the local mgt IP address it was working, which was correct.

They suggested setting up a no-NAT rule from the FWs to the mgt server?

They then said to hold fire on this whilst they investigate further. Thoughts?

Thanks

0 Kudos
JonWilliams
Explorer

Hi,

Ticket number is 6-0003125417.

When the masters file was edited to use the IP address instead of the name it worked. When we push a policy it stops working again.

Where does the masters file get the IP address for the mgt server? Is it via the DNS server used on the FW?

Thanks

0 Kudos
Tal_Paz-Fridman
Employee

It should take it from the actual database.

What about the previous questions - like Management behind NAT, Gateway between Management and other Gateways, Anti-Spoofing etc.

0 Kudos
JonWilliams
Explorer

Hi,

When we push a policy, the masters file record for log changes from the IP address to the logging server name. Should that happen?

Rgds,

0 Kudos
RS_Daniel
Advisor

Hello,

Yes, that is the expected behavior. To keep your changes after policy installation, follow sk102712. It is specific per gateway/cluster; if you have many gateways managed by this server, you have to do this on every gateway.

You can also check whether the gateway is trying to send logs to a wrong IP address with cpstat -f log_connection fw.

Regards

0 Kudos
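As an added illustration of the check discussed above (example code, not from the thread or from Check Point): it parses a constructed masters file, looks up each [Log] entry in a constructed name table standing in for what the gateway would resolve, and flags the case the thread describes, where the name resolves to the floating public address rather than the internal management IP. The section layout, the addresses and the name table are all assumptions.

```python
import ipaddress
import re

# Constructed sample of a gateway masters file ($FWDIR/conf/masters on Gaia).
# The [Policy]/[Log]/[Alog] layout is an assumption about the format.
SAMPLE_MASTERS = """\
[Policy]
mgmt01
[Log]
mgmt01
[Alog]
"""

# Constructed name-to-address table standing in for whatever the gateway resolves
# the name to; 203.0.113.10 models the floating public (NAT) address, while the
# management server's real internal address is 10.10.0.5 (both constructed).
SAMPLE_RESOLUTION = {"mgmt01": "203.0.113.10"}
EXPECTED_MGMT_IP = "10.10.0.5"

def parse_masters(text):
    """Return {section_name_lowercase: [entries]} from masters-file text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def check_log_targets(text, resolver, expected_ip):
    """For each [Log] entry, report (entry, address, status) against the expected IP."""
    findings = []
    for entry in parse_masters(text).get("log", []):
        try:                      # a literal IP needs no name resolution
            addr, how = str(ipaddress.ip_address(entry)), "literal"
        except ValueError:        # otherwise resolve the name through the table
            addr, how = resolver.get(entry), "resolved"
        if addr is None:
            findings.append((entry, None, "UNRESOLVED"))
        elif addr == expected_ip:
            findings.append((entry, addr, "OK"))
        else:
            findings.append((entry, addr, f"MISMATCH ({how})"))
    return findings
```

Run `check_log_targets(SAMPLE_MASTERS, SAMPLE_RESOLUTION, EXPECTED_MGMT_IP)` to see the name-based entry reported as a mismatch, which is the state the thread describes after a policy push.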
the_rock
Legend

The default in the masters file should be the name. Here is a workaround I did many times:

- create a CP host where you can enable logging (NOT a regular host where you just place IP and name)

- give it the same IP as the mgmt server

- save, install database on the ACTUAL mgmt server

- open the gateway object, go to logging and select the new object you created for logging

- push policy -> test -> if it works, give it a few mins, revert the changes and test

- if it works, great; if not, then I would follow the below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

0 Kudos
JonWilliams
Explorer

Hi Alan,

Thanks for the mail. Where do I create this, and do I have to delete the original entry for the logging server?

Sorry, my CP skills are not great.

Rgds,

Jon.

0 Kudos
the_rock
Legend

Message me privately and we can do remote, if privacy is a concern, I can show it to you in my lab.

Andy

0 Kudos
JonWilliams
Explorer

Hi Andy,

Thanks, are you available on Monday from, say, midday BST?

Rgds,

0 Kudos
the_rock
Legend

I should be, yes.

0 Kudos
Shira
Participant

Hi,

What resolved your issue?

WR,

Shira

0 Kudos