No logs from VSs
Hello,
Several clusters running on open servers and managed by one Management Server (all running R80.40 with the latest jumbo).
I configured an additional VSX and I'm having problems receiving logs from VSs. I have no issues pushing the policy and I do get logs from VSX nodes (for example NTP or FW1_log) but nothing from VSs.
I followed sk102712 and modified $FWDIR/conf/masters in the VS context to point to the IP address of the management server but it didn't seem to help. I think it still tries to contact the NATed IP of the management.
As per /opt/CPsuite-R80.40/fw1/CTX/CTX00001/log/fwd.elg:
[FWD 29009]@FW-VSX-N01[8 Jan 11:15:48] 11:15:48: srv_disconnected: change xxx.xxx.xxx.xxx status to Status ERROR description: Log-Server Disconnected
log_connected: connect to 'xxx.xxx.xxx.xxx' failed
Where xxx is the NATed IP of the management.
Any help would be greatly appreciated.
Thank you.
Hi Teddy,
Try adding a dummy object for your logserver with the NATted IP. Add the dummy object in the Virtual System object as a logserver target. Install database and see if it works now.
Kind regards,
Rick
Thank you.
I was trying to avoid using the NATted IP since it will be sent via the Internet and my Management and VSX/VS are in the same datacenter. So $FWDIR/conf/masters is not applicable for VSs?
From what I know, all logs are sent from the Mgmt address of your VSX Gateway. What is the IP of the object that is selected as logserver in your Virtual System object? Is it the original IP or the NATed IP? Each Virtual System has its own masters file so it is able to send logs to different logservers per Virtual System.
The MGMT interface of my VSX gateway is in the same network as my management server and it's selected as a log server in the VS object (under "Send gateway logs and alerts").
If I ssh to the VSX gateway and run 'netstat -nap' for 'vsenv 0' I see that it uses the right IP:
tcp 0 0 10.168.200.242:64443 10.168.200.10:257 ESTABLISHED 15503/fwd
Am I supposed to see 257/tcp traffic for 'vsenv 1' too?
The only logs I see arriving from VSX (with my VSX gateways as origin) are some NTP, DNS and 257/tcp but no VS/data logs.
257/tcp traffic should only come from the Mgmt address of the VSX Gateway and not from Virtual Systems. Have you seen sk118936?
Thank you @RickHoppe
Unfortunately, sk118936 didn't help. I did however identify that VS uses a different logging server than VSX.
Here is an output of 'cpstat fw -f log_connection' in 'vsenv 0' context:
Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Logs are written to log server
Local Logging Mode Status: 0
Local Logging Sending Rate: 0
Log Handling Rate: 0
Log Servers Connections
---------------------------------------------------------
|IP           |Status|Status Description  |Sending Rate|
---------------------------------------------------------
|10.168.200.10|     0|Log-Server Connected|           0|
---------------------------------------------------------
However, 'cpstat fw -f log_connection' in 'vsenv 1' context shows a NATted IP:
Overall Status: 2
Overall Status Description: Security Gateway is unable to report logs to any log server
Local Logging Mode Description: Writing logs locally due to connectivity problems
Local Logging Mode Status: 2
Local Logging Sending Rate: 0
Log Handling Rate: 0
Log Servers Connections
------------------------------------------------------------
|IP             |Status|Status Description     |Sending Rate|
------------------------------------------------------------
|xxx.xxx.xxx.xxx|     1|Log-Server Disconnected|           0|
------------------------------------------------------------
I tried to follow sk102712 without any success so far. $FWDIR/conf/masters still gets modified after each policy installation (in 'vsenv 1' context).
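
The mismatch found in the last post (VS 1 pointing at a different log server than VS 0) can be checked mechanically. The following is an added example, not part of the thread and not Check Point code: the function names are hypothetical, the sample rows are trimmed from the 'cpstat fw -f log_connection' output quoted above, and treating status 0 as "connected" is an assumption drawn from that output.

```bash
#!/bin/bash
# Added example (not from the thread). Sample rows are trimmed from the
# cpstat output quoted above; status 0 = connected is inferred from it.
VS0_SAMPLE='Log Servers Connections
---------------------------------------------------------
|IP |Status|Status Description |Sending Rate|
|10.168.200.10| 0|Log-Server Connected| 0|'
VS1_SAMPLE='Log Servers Connections
------------------------------------------------------------
|IP |Status|Status Description |Sending Rate|
|xxx.xxx.xxx.xxx| 1|Log-Server Disconnected| 0|'

# Print "IP STATUS DESCRIPTION" for each row of the Log Servers table on stdin.
parse_log_servers() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^Log Servers Connections/ { in_table = 1; next }
        in_table && NF >= 5 && trim($2) != "IP" {
            print trim($2), trim($3), trim($4)
        }'
}

# Return 0 only if every log server row on stdin is EXPECTED_IP with status 0;
# otherwise print the reason for each failing row and return 1.
check_vs_logging() {
    local expected="$1" rows rc=0 ip st desc
    rows=$(parse_log_servers)
    [ -n "$rows" ] || { echo "no log server rows found"; return 1; }
    while read -r ip st desc; do
        [ "$ip" = "$expected" ] || { echo "unexpected log server $ip (want $expected)"; rc=1; }
        [ "$st" = "0" ] || { echo "log server $ip status $st: $desc"; rc=1; }
    done <<EOF
$rows
EOF
    return $rc
}

# Demo: the vsenv 0 sample passes, the vsenv 1 sample is flagged twice
# (wrong target address and disconnected status).
printf '%s\n' "$VS0_SAMPLE" | check_vs_logging 10.168.200.10 && echo "VS0 OK"
printf '%s\n' "$VS1_SAMPLE" | check_vs_logging 10.168.200.10 || echo "VS1 FAIL"
```

On a gateway, the same function can read the live output of 'cpstat fw -f log_connection' captured in each 'vsenv' context, with the management server's internal address as the expected IP.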
