Checking Logs from the CP CLI
Hello, Guys.
Is it possible to see the traffic logs through the CLI of a FW, and not from the SmartConsole?
I want to see the traffic of a flow, for the last 7 days, at the moment of executing the command (if possible).
SOURCE IP: 192.168.59.180
IP DESTINATION: 10.100.100.5
Service: 88
Days: Last Week
If it is possible to print the log in the CLI, could you please share the syntax with an example?
I don't have access now to the SmartConsole, so I want to try to see if there are relevant logs, standing on the same FW.
Greetings.
The logs aren't stored on the gateways*, they get generated and sent to the log servers. There is an API available for pulling logs from the log server that you can use from its CLI.
*Unless the log server is offline.
Hi @Matlu,
you can use the following command:
fw log -l -b "June 12, 2024 12:33:00" "June 12, 2024 15:34:00" | grep <IP or other parameter>
or the management API (Management API Reference) - here is an example:
mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.filter "blade:Threat Emulation" --format json
In both cases, you still need to adjust your filters.
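An added example, not part of any post in this thread: a filter for the flow in the question that compares the src, dst and service fields exactly, since a plain grep on 10.100.100.5 also matches 10.100.100.50. It assumes fw log prints one record per line with "key: value;" fields named src, dst and service holding numeric values, and that GNU date is available; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: fw log prints one record
# per line with "key: value;" fields named src, dst and service, values are
# numeric (not resolved to names), and GNU date is available.

TS_FMT='+%B %-d, %Y %H:%M:%S'   # same shape as "June 12, 2024 12:33:00"
window_start() { date -d "$1 days ago" "$TS_FMT"; }
window_end()   { date "$TS_FMT"; }

# Print only records whose src, dst and service equal the arguments exactly.
# A plain "grep 10.100.100.5" would also hit 10.100.100.50, and it treats
# each "." as "any character".
filter_flow() {
    awk -v src="$1" -v dst="$2" -v svc="$3" '
    function field(line, key,    i, rest) {
        i = index(" " line, " " key ": ")
        if (i == 0) return ""
        rest = substr(" " line, i + length(key) + 3)
        sub(/;.*/, "", rest)
        return rest
    }
    field($0, "src") == src && field($0, "dst") == dst &&
        field($0, "service") == svc'
}

# Constructed sample records (not real gateway output).
sample_log() {
    cat <<'EOF'
12Jun2024 12:33:01 accept gw1 <eth1 src: 192.168.59.180; dst: 10.100.100.5; proto: tcp; service: 88; s_port: 51544;
12Jun2024 12:33:02 accept gw1 <eth1 src: 192.168.59.180; dst: 10.100.100.50; proto: tcp; service: 88; s_port: 51545;
12Jun2024 12:33:03 accept gw1 <eth1 src: 192.168.59.180; dst: 10.100.100.5; proto: tcp; service: 8800; s_port: 51546;
12Jun2024 12:33:04 drop gw1 <eth1 src: 192.168.59.18; dst: 10.100.100.5; proto: udp; service: 88; s_port: 51547;
EOF
}

# Where fw is present, query the last 7 days; otherwise run on the samples.
if command -v fw >/dev/null 2>&1; then
    fw log -l -b "$(window_start 7)" "$(window_end)" |
        filter_flow 192.168.59.180 10.100.100.5 88
else
    sample_log | filter_flow 192.168.59.180 10.100.100.5 88
fi
```

Compare the field names against one real record from your version before relying on the filter.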
Hi,
The #fw log....... command, can it be executed on the same GW?
Or is it only executed in the SMS?
How can you be sure if the GW is really generating logs?
Greetings.
cpstat fw -f log_connection will show if you're connected to the log server and how many logs you're sending.
You used to be able to run 'fw log -flnt' on the gateway to dump the fw.log file to stdout and "tail" it for new logs. Not sure if this still works, or it may only work if you are disconnected from the log server so the firewall is logging locally.
fw log is executed where the logs are stored (not the gateway unless the connection to management/log server is down).
The cpstat command @Lloyd_Braun mentioned should tell you what you want.
@HeikoAnkenbrand gave the best option, in my opinion.
Otherwise, you can check the /var/log/messages files or the $FWDIR/log/fw.log file.
Andy
