This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ED
Advisor
‎2020-02-07 02:01 AM
Jump to solution

SG cluster not sending logs to SMS

Hi,

R80.30 environment. SG cluster is not sending logs to SMS. 

 

Steps that I have done in troubleshooting:

 

  1. Installed database in SmartConsole.
  2. Installed policy several times.
  3. Changed the SG to log locally, installed policy and then reverted to sending logs again to SMS in SmartConsole.
  4. Rebooted the cluster that don’t send logs to the SMS
  5. Disk space is checked on SMS and is fine.
  6. Checked that security gateway is configured to send logs to SMS in SmartConsole.
  7. SIC communication is fine and communicating.
  8. Ping from SMS to SG works fine. The other way too.
  9. Checked that the SMS is listening on port 257. No connection from the cluster SG seen there.
  10. Checked if any logs are coming from the SG to the SMS on port 257 with tcpdump on the interface. No logs there.
  11. The active firewall log file fw.log is growing on the SG. Checked with the command watch -d -n 2 "ls -l $FWDIR/log/fw.log"
  12. Checked the masters file on the SG and it is set to log to the SMS

So are there anymore suggestions in troubleshooting this issue? Could it be that the last step (that I didn't do), the active firewall log file fw.log might be corrupted on the SG? 

 

 

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2020-02-09 03:49 AM
Jump to solution

Hi @ED 

1) Check the $FWDIR/conf/masters file on the gateway and resolve the IP of the object under log.

2) Start "tcpdump -i ethX port 257" on the gateway and check the traffic to the log server

3) On the Management Server run the following cli command "netstat -an | grep 257" and check that the port 257 is open.

4) Check the firewall ruels "sourece gateway to mangement server port 257"

5) Check NAT rules (no Nat between gateway and management).

6) Check the following on the gateway "cpstat fw -f log_connection" 

7) Start "fw ctl zdebug drop | grep 257"on the gateway

8.) Start "tcpdump -i ethX port 257" on the managemet  and check the traffic to the log server

9) If you see traffic on the management server and no log entrys -> restart the management server "cpstart/cpstop"

10) Set in the GAIA GUI the "management Interface" on the correct interface.

11) Check the disk space on the management server under "var/log/"

12) Check the process fwd with "top" or "ps -aux |grep fwd"

13) Check the fwd process with "cpwd_admin list"

14) Install the latest JHF.

If none of this helps, open a ticket at Check Point.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2020-02-07 03:30 AM
Jump to solution

See if you can open a TCP connection from the gateway to the management on port 257 using e.g. telnet.
Otherwise suggest a TAC case.
0 Kudos
ED
Advisor
‎2020-02-07 03:56 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy I tried telnet on port 257 from SG to the SMS and it was successful. Could also see that on the SMS with the netstat command. 

I also tried the laste step that I wrote above, fixing the potentially corrupted fw.log file on SG but it didn't help. 

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-02-07 07:26 AM
In response to ED
Jump to solution

I would check FWD logs / debug it, more info here how to do it

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-02-08 11:42 PM
In response to Kaspars_Zibarts
Jump to solution

Check the log connection state & IP of your Mgmt/LS, that your GW is trying to send logs to by running on the GW (attach here):

cpstat fw -f log_connection

 

Do you have any NATs on your env?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2020-02-09 03:49 AM
Jump to solution

Hi @ED 

1) Check the $FWDIR/conf/masters file on the gateway and resolve the IP of the object under log.

2) Start "tcpdump -i ethX port 257" on the gateway and check the traffic to the log server

3) On the Management Server run the following cli command "netstat -an | grep 257" and check that the port 257 is open.

4) Check the firewall ruels "sourece gateway to mangement server port 257"

5) Check NAT rules (no Nat between gateway and management).

6) Check the following on the gateway "cpstat fw -f log_connection" 

7) Start "fw ctl zdebug drop | grep 257"on the gateway

8.) Start "tcpdump -i ethX port 257" on the managemet  and check the traffic to the log server

9) If you see traffic on the management server and no log entrys -> restart the management server "cpstart/cpstop"

10) Set in the GAIA GUI the "management Interface" on the correct interface.

11) Check the disk space on the management server under "var/log/"

12) Check the process fwd with "top" or "ps -aux |grep fwd"

13) Check the fwd process with "cpwd_admin list"

14) Install the latest JHF.

If none of this helps, open a ticket at Check Point.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-02-12 01:32 AM
In response to HeikoAnkenbrand
Jump to solution

Hi Ed,

just curious, what was your issue & what exactly in Heiko's suggested steps solved it?

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events