This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JSingh_N
Contributor
‎2023-08-07 04:52 AM

Virtual System (in VSX) Logging

Hi,

I have doubt in virtual system logging mechanism.

We have configured 2 dedicated log servers as primary log servers and 1 as backup log server in VS.

1.) When I run command "cpstat fw -f log_connection" I see primary log servers as connected but secondary / backup log server as disconnected.

2,) When I run command "tcpdump -nni any tcp port 257" in particular VS context, I am not able to see any traffic, also netstat -an | grep 257 does not show any connection.

3.) However, when I run "tcpdump -nni any tcp port 257" in VS0, then I am able to see the traffic for log servers and also able to see the connection established for 'netstat -an | grep 257'

 

In few of the VS, I see output  of "cpstat fw -f log_connection" as disconnected for all three log servers but able to see logs in SmartConsole logs.

Please share your inputs regarding this behavior of VS logging. 

 

Regards,

Jaspal Singh

 

 

 

 

 

 

 

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-08-07 05:59 AM

Primary Log servers all receive the logs, but secondary is used when one or all primary log servers are unreachable.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JSingh_N
Contributor
‎2023-08-07 07:04 AM
In response to G_W_Albrecht

Ok, thanks for the revert. I got your point.

Could you please share your inputs for point 2 and 3 as well?

I think there is some mechanism in case of VSX env. that I am not aware of. May be some sort of mapping with VS0 or similar to this, I am not sure for now.

 

 

 

 

0 Kudos
_Val_
Admin
Admin
‎2023-08-07 07:06 AM
In response to JSingh_N

Logging for all VSs is done from VS0 context, this should cover 2 & 3

Bob_Zimmerman
Authority
Authority
‎2023-08-07 09:54 AM
In response to _Val_

Expanding on this, almost all outgoing traffic is sent from VS0. Traffic logs. Syslog data. DNS requests. NTP. RADIUS or TACACS for authentication.

VPN negotiations are the only thing I can think of offhand which originates from the firewall, but which leaves using the routing table of a VS other than 0.

JSingh_N
Contributor
‎2023-08-07 08:37 PM
In response to Bob_Zimmerman

when I check in particular VS ,  "cpstat fw -f log_connection" showing primary log servers as disconnected but in VS0 same command output is 'connected.'

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events