This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
J_Saun
Contributor
‎2019-03-14 05:47 AM
Jump to solution

Notification when firewall stops logging to management station (R65+)

We have a mix of R65 and R77 firewalls that are supposed to log to the management station. We continuously have issues where the firewall stops logging to the mgmt station (and starts logging to itself). Our only fix is to modify the fw object in dashboard, swap out the log server with a dummy, save/push, and the repeat these steps but putting the original log server (the mgmt station) back as the fw objects log server.

 

I haven't been able to find a permanent fix for this issue so I am looking to get a notification when this happens via email or some other mechanism. Is this possible?

 

Thanks

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2019-03-15 09:38 AM
Jump to solution

On your management server run cpstat -f log_server mg which will show all connected gateways, when the logging connections were first established and the receive rate.  Shouldn't be too hard to script something that runs this command every so often and alerts you if a gateway is not shown.

In regards to those older gateways no longer sending logs, the easiest way to rectify is killing the fwd daemon on the problematic gateway and letting it respawn.  Assuming there are not problems with the log reception mechanism on the SMS I've found this will fix most logging problems, especially on pre-R77 gateways.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-03-15 09:23 AM
Jump to solution

Have you engaged with the TAC on any of these issues? Of course R65 is End of Support so no fixes coming there, same with anything prior to R77.30…
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-03-15 09:38 AM
Jump to solution

On your management server run cpstat -f log_server mg which will show all connected gateways, when the logging connections were first established and the receive rate.  Shouldn't be too hard to script something that runs this command every so often and alerts you if a gateway is not shown.

In regards to those older gateways no longer sending logs, the easiest way to rectify is killing the fwd daemon on the problematic gateway and letting it respawn.  Assuming there are not problems with the log reception mechanism on the SMS I've found this will fix most logging problems, especially on pre-R77 gateways.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
J_Saun
Contributor
‎2019-03-17 05:43 AM
In response to Timothy_Hall
Jump to solution

Thanks Timothy.

When I run that command I receive the following message:

Invalid flavour 'log_server' for product 'mg'. Use 'cpstat' without any arguments to see supported products and flavours.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-03-17 08:34 AM
In response to J_Saun
Jump to solution

Looks like that option to cpstat was added in R80+ and doesn't exist prior to that.

 

On older SMS's just do this:

 

netstat -an | grep ESTABLISHED | grep ":257"

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top