Re: MGT server not receiving logs

JonWilliams · ‎2022-09-05

Hi,

We have had an issue where our CP fw's do not send logs to the mgt server . We have had a ticket open with CP since Jan. We have had remote sessions etc, sent logs off of to them but no joy. It stopped working since we reloaded them and applied a hotfix.

We had a workaround where we could delete the mgt server from the cluster, push a policy, add it back in again, push a policy and it would work until we pushed a another policy and we had to repeat the process again.

This has now stopped working for some reason! We are running 80.30 on GAIA (5200) with the mgt server on a diff internal ip address to the two firewalls.

I have been off work for two weeks and this could be one of the most stupid questions you have ever received but in the rule base we have the mgt server allowed to talk to the firewalls but not the other way round. I'm sure nobody has changed this since i have been off but would this now be a factor or was it from the beginning ? Excuse my ignorance but CP are not my speciality.

Thanks

Jon.

Dario_Perez · ‎2022-09-05

1.- Check if you have a NAT what can affect SMS and GW

2.-Create a dummy log server and change in the gateway to send log to that one, push policy and rever the changes.

3.-Check the disk space on management sk60080

4.-check on SMS if you are listeninglogs with tcpdump -anp | grep :257 sk40090

Tal_Paz-Fridman · ‎2022-09-05

Adding to what @Dario_Perez wrote, you stated that "push a policy and it would work until we pushed a another policy and we had to repeat the process again."

This definitely sounds like something in the policy might cause this. Is there another Security Gateway in-between the Security Management and other Gateways?
I would also check the Anti-Spoofing definitions (try to disable) and Implied Rule settings.

Also can you share the ticket (SR) you opened with TAC?

JonWilliams · ‎2022-09-06

Hi thanks Guys,

ticket with TAC is 6-0003125417

I was on the phone with CP for two hours today.

When they edited the file the "masters" file and replaced the "log" name with the ip address of the mgt server, logging started straight away.

As soon as i pushed a policy it stopped working.

The command cpstat fw -f log_connection showed the floating public ip address as the log server after the policy was pushed which is the issue.

When they edited the masters file with the local mgt ip address it was working which was correct.

They suggested setting up a no nat rule from the fw's to the mgt server ?

They then said to hold fire on this whilst they investigate further. Thoughts ?

Thanks

JonWilliams · ‎2022-09-07

Hi,

Ticket number is 6-0003125417

When the masters file was edited to use the ip address instead of them name it worked. When we push a policy it stops working again.

Where does the masters file get the ip address for the mgt server ? Is it via the DNS server used on the fw ?

Thanks

Tal_Paz-Fridman · ‎2022-09-07

It should take it from the actual database.

What about the previous questions - like Management behind NAT, Gateway between Management and other Gateways, Anti-Spoofing etc.

JonWilliams · ‎2022-09-07

Hi,

When we push a policy the master file record for log changes from the ip address to the logging server name. Should that happen ?

Rgds,

RS_Daniel · ‎2022-09-07

Hello,

Yes, that is the expected behavior. The keep your changes after policy installation follow sk102712. It is specific per gateway/cluster, if you have many gateways managed by this server, you have to do this in every gateway.

You can also check if the gateway is trying to send logs to a wrong IP address with cpstat -f log_connection fw.

Regards

the_rock · ‎2022-09-07

The default in masters file should be the name. Here is workaround I did many times:

-create CP host where you can enable logging (NOT regular host where you just place IP and name)

-give it same IP as mgmt server

save, install database on ACTUAL mgmt server

-open gateway object, go to logging and select new object you created for logging

-push policy -> test -> if it works, give it few mins, revert changes and test

-if it works, great, if not, then I would follow below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

Best,
Andy

JonWilliams · ‎2022-09-08

Hi Alan,

Thanks for the mail. Where do i create this and do i have to delete the original entry for the logging server ?

Sorry, my cp skills are not great.

Rgds,

Jon.

the_rock · ‎2022-09-08

Message me privately and we can do remote, if privacy is a concern, I can show it to you in my lab.

Andy

Best,
Andy

JonWilliams · ‎2022-09-09

Hi Andy,

Thanks, are you available on Monday from say midday bst ?

Rgds,

the_rock · ‎2022-09-09

I should be, yes.

Best,
Andy

Shira · ‎2023-09-27

Hi,

What resolved your issue?

WR,

Shira

Are you a member of CheckMates?

MGT server not receiving logs