This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marcus_Halmsjo
Contributor
‎2021-10-19 01:08 AM
Jump to solution

Logs from 1530 to log server

Hi,

We have started to use 1530 gates to connect our external sites and i am having problems getting the logs to log server and i can't seem to find the correct SK so i'll try asking here.

 

We have 5200 gates as hub and 1530 as spokes, SIC is established between 1530 and logs/managament and working.

Under "External Log Servers" on 1530 it says "The appliance is managed by Check Point SmartConsole. Security Log Servers are configured in SmartConsole.".

Under Logs->Log Servers on the gateway object for 1530 in management has the logserver specified.

 

I can't see anything in logs that indicate what can be why logs are not sent to log server, the 1530 logs fine locally.

 

grateful for any pointers.

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2021-10-19 06:49 AM
In response to Marcus_Halmsjo
Jump to solution

Tried R80.20.35 yet ? Both cited SKs are for R77.20.xx SMBs, so they are also valid for 1530... Only that $FWDIR/conf/masters is not used anymore in R80.20.xx Another tipp is sk66381 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

13 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-10-19 01:38 AM
Jump to solution

sk38848: Practical troubleshooting steps for logging issues

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Peter_Lyndley
Advisor
Advisor
‎2021-10-19 01:51 AM
Jump to solution

a simple first step - try install database on your management server.

Marcus_Halmsjo
Contributor
‎2021-10-19 02:12 AM
Jump to solution

tried installing database and restarts on both sides and no change found that connection on port 257 is stuck on SYN_SENT on the gateway will go from there. 

0 Kudos
Ido_Shoshana
Employee
Employee
‎2021-10-19 02:44 AM
Jump to solution

Hi,

I don't see anything special here that might go wrong.

It should simply work.

Maybe the install database wasn’t done? Can you install DB and let us know?

0 Kudos
Marcus_Halmsjo
Contributor
‎2021-10-19 02:59 AM
In response to Ido_Shoshana
Jump to solution

tried installing DB no change

netstat -anp | grep -i -E "State|257" on the gate shows it is trying to connect to port 257 but what confuses me a bit is that it uses WAN adress as local for the gate and local adress as foreign to log server.

Everywhere i look on the 1530 gate it uses the WAN IP to the management but for the logs for some reason it uses the local IP.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-10-19 04:56 AM
In response to Marcus_Halmsjo
Jump to solution

Looks like a NAT issue - was SIC established with NATed SMS IP ? See sk103215 and sk108707 for such issues.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Marcus_Halmsjo
Contributor
‎2021-10-19 05:53 AM
In response to G_W_Albrecht
Jump to solution

does not look like these SK applies to 1530 you can't change any IP manually in security management.

Looks like something is up with firmware R80.20.30 (992002285) as soon as i upgrade to that the gate uses local IP for log connection.

0 Kudos
Marcus_Halmsjo
Contributor
‎2021-10-19 06:06 AM
In response to Marcus_Halmsjo
Jump to solution

Or not, it is the reboot, on SIC initialization it uses external IP for logs but after reboot it uses local IP and fails. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-10-19 06:49 AM
In response to Marcus_Halmsjo
Jump to solution

Tried R80.20.35 yet ? Both cited SKs are for R77.20.xx SMBs, so they are also valid for 1530... Only that $FWDIR/conf/masters is not used anymore in R80.20.xx Another tipp is sk66381 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Marcus_Halmsjo
Contributor
‎2021-10-19 07:16 AM
In response to G_W_Albrecht
Jump to solution

sk66381 showed something that i did not noticed that i should have seen earlier, when initializing SIC i left it on send logs according to policy. Re-initialized SIC now with send logs to same IP and now it does not change to local IP after reboot.

The SK for R77 pointed to how to change this after the fact but need to do that on initialization that confused me.

Thanks for all the pointers!

0 Kudos
Marcus_Halmsjo
Contributor
‎2021-10-19 04:39 AM
In response to Ido_Shoshana
Jump to solution

found that log connection worked up until i upgraded the firmware on the 1530 gate last week, did factory default and after new SIC and policy push the log connection works again and this time netstat -anp | grep -i -E "State|257" shows that it connects to the log server via the external IP and not the local IP.

0 Kudos
tspunkt
Contributor
‎2021-10-26 02:19 AM
Jump to solution

hi. we had the same issue with a centrally managed 1500 and 1400 series gateway.

We fixed it by following steps:

  • connect to gateway via web ui
  • open Home > Security Management
  • on "Security Management Server" click "test connection"
  • After test click on the IP Address
  • in new window tick the checkbox "Alaways use the following IP address to connect to your Security Managament Server"
  • in Address there should be your management IP
  • then select "Send logs to" and also enter the management IP
  • click apply, maybe reboot.
Marcus_Halmsjo
Contributor
‎2021-10-26 04:33 AM
In response to tspunkt
Jump to solution

Nice info that option to change log IP was quite hidden good to know, we re-initialized SIC to change this in the wizard.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events