Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Teddy_Brewski
Contributor

No logs from VSs

Hello,

Several clusters running on open servers and managed by one Management Server (all running R80.40 with the latest jumbo).

I configured additional VSX and I'm having problems receiving logs from VSs. I have no issues pushing the policy and I do get logs from VSX nodes (for example NTP or FW1_log) but nothing from VSs.

I followed sk102712 and modified $FWDIR/conf/masters in the VS context to point to the IP address of the management server but it didn't seem to help. I think it still tries to contact the NATed IP of the management.

As per /opt/CPsuite-R80.40/fw1/CTX/CTX00001/log/fwd.elg:

[FWD 29009]@FW-VSX-N01[8 Jan 11:15:48] 11:15:48: srv_disconnected: change xxx.xxx.xxx.xxx status to Status ERROR description: Log-Server Disconnected
log_connected: connect to 'xxx.xxx.xxx.xxx' failed

Where xxx is the NATed IP of the management.

Any help would be greatly appreciated.

Thank you.

0 Kudos
6 Replies
RickHoppe
Advisor

Hi Teddy,

Try adding a dummy object for your logserver with the NATted IP. Add the dummy object in the Virtual System object as a logserver target. Install database and see if it works now.

Kind regards,

Rick

My blog: https://checkpoint.engineer
0 Kudos
Teddy_Brewski
Contributor

Thank you.

I was trying to avoid using the NATted IP since it will be sent via the Internet and my Management and VSX/VS are in the same datacenter. So $FWDIR/conf/masters is not applicable for VSs?

 

0 Kudos
RickHoppe
Advisor

For what I know is that all logs are sent from the Mgmt address of your VSX Gateway. What is the IP of the object that is selected as logserver in your Virtual System object? Is it the original IP or the NATed IP? Each Virtual System has it's own masters file so it is able to send logs to different logservers per Virtual System.

My blog: https://checkpoint.engineer
0 Kudos
Teddy_Brewski
Contributor

The MGMT interface of my VSX gateway is in the same network as my management server and it's selected as a log server in the VS object (under "Send gateway logs and alerts").

If I ssh to the VSX gateway and run 'netstat -nap' for 'vsenv 0' I see that it uses the right IP:

tcp 0 0 10.168.200.242:64443 10.168.200.10:257 ESTABLISHED 15503/fwd

Am I supposed to see 257/tcp traffic for 'vsenv 1' too?

The only logs I see arriving from VSX (with my VSX gateways as origin) is some NTP, DNS and 257/tcp but no VS/data logs.

0 Kudos
RickHoppe
Advisor

257/tcp traffic should only come from the Mgmt address of the VSX Gateway and not from Virtual Systems. Have you seen sk118936?

My blog: https://checkpoint.engineer
0 Kudos
Teddy_Brewski
Contributor

Thank you @RickHoppe 

Unfortunately, sk118936 didn't help. I did however identify that VS uses a different logging server than VSX.

Here is an output of 'cpstat fw -f log_connection' in 'vsenv 0' context:

Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Logs are written to log server
Local Logging Mode Status: 0
Local Logging Sending Rate: 0
Log Handling Rate: 0

Log Servers Connections
---------------------------------------------------------
|IP |Status|Status Description |Sending Rate|
---------------------------------------------------------
|10.168.200.10| 0|Log-Server Connected| 0|
---------------------------------------------------------

However, 'cpstat fw -f log_connection' in 'vsenv 1' context shows a NATted IP:

Overall Status: 2
Overall Status Description: Security Gateway is unable to report logs to any log server
Local Logging Mode Description: Writing logs locally due to connectivity problems
Local Logging Mode Status: 2
Local Logging Sending Rate: 0
Log Handling Rate: 0

Log Servers Connections
------------------------------------------------------------
|IP |Status|Status Description |Sending Rate|
------------------------------------------------------------
|xxx.xxx.xxx.xxx| 1|Log-Server Disconnected| 0|
------------------------------------------------------------

 

I tried to follow sk102712 without any success so far. $FWDIR/conf/masters still gets modified after each policy installation (in 'vsenv 1' context).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events