This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
frenzetti
Explorer
‎2025-02-28 03:52 AM

81.20 Logging issue after cluster switch

Hi mates,

after updating the secure gateway version from 81.20 to 81.20 take 92 we are facing a strange problem on securegateway node
One of the two cluster nodes sends logs to management only if it is in STANDBY state.
If it is "promoted" to ACTIVE it stops sending logs to management

This is the output of the cpstat fw -f log_connection command when the node is STANDBY
Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Logs are written to log server
Local Logging Mode Status: 0
Local Logging Sending Rate: 0
Log Handling Rate: 0

This is the output of the same command when the node becomes ACTIVE
Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Error - not writing logs
Local Logging Mode Status: 5
Local Logging Sending Rate: 0
Log Handling Rate: 0

the reason is: Log-Server Disconnected

Anyone else has experienced the same issue?

0 Kudos
6 Replies
AkosBakos
Mentor Mentor
Mentor
‎2025-02-28 04:54 AM

Hi @frenzetti 

Can you access the Active and Standby gateways on port tcp257 from the MGMT server on the node IPs?

#telnet <ip> 257

image.png

And reverse? From both gateways to the SMartCenter (or Log)

Akos

----------------
\m/_(>_<)_\m/
frenzetti
Explorer
‎2025-02-28 06:59 AM
In response to AkosBakos

Thx AkosBakos for your reply.

We are able to reach both nodes from management and viceversa.

Logging is ok until we switch the cluster and node2 becomes active.

As soon the second node becomes active the issue arises

0 Kudos
the_rock
Legend
Legend
‎2025-02-28 05:08 AM

One easy fix (if it works) would be to try run fw logswitch on the gateways. Otherwise, just check what @AkosBakos suggested, and also, you can go through below sk.

Andy

https://support.checkpoint.com/results/sk/sk40090

0 Kudos
frenzetti
Explorer
‎2025-02-28 07:00 AM
In response to the_rock

Thx to you too, The Rock.

I will schedule a test (and other checks) next week. W.E. is a freeze-activities slot for customer

Thx again

0 Kudos
the_rock
Legend
Legend
‎2025-02-28 07:10 AM
In response to frenzetti

No worries. Btw, for what its worth, there is an old "trick" people would do in the old days to get logging working. It would not always be successful, but I find at least 80% of the time.

Basically, what you do is create CP host, NOT regular host, but host that looks like mgmt object and you enable ONLY logging and then save it, give same IP as mgmt and then, you go to logging settings of your gw object, set logging to log to that new object and push policy.

If that works, you give it a bit of time and then switch back to log to regular mgmt, if it works, awesome, then you can delete the new host object.

I attached 3 screenshots for the reference.

Andy

Screenshot_1.png
Preview file
40 KB
Screenshot_2.png
Preview file
36 KB
Screenshot_3.png
Preview file
40 KB
0 Kudos
frenzetti
Explorer
a month ago

Just an update on topic
CP support discovered full log buffer error log and suggested applying SK52100.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top