--JayJay--
Participant

Logs not arriving at Smart-manager from Secure Gateway

Got one Check Point gateway not sending logs to server/manager.

Gateway running R80.10.

Some checks from this list:

Troubleshooting Check Point logging issues when Security Management Server / Log Server is not recei... 

results:

2. not running out of disk space, other gateways successfully send logs

3. Log setting correct, same as for gateways that do send logs

4. SIC working

6. 

-sh-3.1# netstat -anp | grep ":257"
tcp 0 0 0.0.0.0:257 0.0.0.0:* LISTEN 9971/fwd

8. No logs coming from particular gw to server/manager while checking with tcpdump on port 257

Checking on gateway with tcpdump, tcp port 257 is used, looking like this:

22:55:20.502921 IP 212.123.209.155.64684 > 10.44.5.250.set: S 2036222826:2036222826(0) win 5840 <mss 1460,sackOK,timestamp 39556535 0,nop,wscale 10>
22:55:35.505245 IP GatewayA.45059 > manager/server.set: S 671424545:671424545(0) win 5840 <mss 1460,sackOK,timestamp 39571537 0,nop,wscale 10>
22:55:50.508439 IP GatewayA.46031 > manager/server.set: S 2285159981:2285159981(0) win 5840 <mss 1460,sackOK,timestamp 39586541 0,nop,wscale 10>
22:56:05.510607 IP GatewayA.52013 > manager/server.set: S 2007497722:2007497722(0) win 5840 <mss 1460,sackOK,timestamp 39601543 0,nop,wscale 10>
22:56:20.513890 IP GatewayA.65038 > manager/server.set: S 2658388405:2658388405(0) win 5840 <mss 1460,sackOK,timestamp 39616546 0,nop,wscale 10>
22:56:35.516815 IP GatewayA.39510 > manager/server.set: S 35097244:35097244(0) win 5840 <mss 1460,sackOK,timestamp 39631549 0,nop,wscale 10>
22:56:50.519180 IP GatewayA.55705 > manager/server.set: S 838505804:838505804(0) win 5840 <mss 1460,sackOK,timestamp 39646551 0,nop,wscale 10>
22:57:05.521406 IP GatewayA.41441 > manager/server.set: S 3340929611:3340929611(0) win 5840 <mss 1460,sackOK,timestamp 39661554 0,nop,wscale 10>

10. Firewall on gw is indeed growing locally

checked with 

# watch -d -n 2 "ls -l $FWDIR/log/fw.log"

11. 

# cat $FWDIR/conf/masters

showing name of manager/server

9 Replies
Kaspars_Zibarts
Employee

Point #8 above - we can only see TCP SYN sent from GW to MGMT on port 257 but there is no response. So it does not look like traffic is reaching MGMT server. Looks like you have another firewall in the path btw (gateway has public IP and mgmt private) so check that one too. Also you may run tcpdump on Mgmt server to see if traffic actually arrives from this GW.

You probably want to exclude actual IPs from here.. it's a public space :)

0 Kudos
--JayJay--
Participant

I added Management server host to the Gateway to enable it to resolve the name to a Public IP.

Below is the receipt of traffic on port 257 , tcpdumped on the management server for the gateway IP.

However, when looking for the logs in the manager in the Smart dashboard (logs & monitor) , it is still empty for the gateway.

-sh-3.1# tcpdump -n -i any host <Public IP Gateway> and tcp port 257
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
08:33:38.691310 IP <Public IP Gateway>.54526 > 10.44.5.250.set: S 859164784:859164784(0) win 5840 <mss 1460,sackOK,timestamp 78244671 0,nop,wscale 10>
08:33:39.116553 IP <Private IP Manager>.set > <Public IP Gateway>.54526: S 1179360162:1179360162(0) ack 859164785 win 5792<mss 1460,sackOK,timestamp 644653394 78244671,nop,wscale 10>
08:33:38.709728 IP <Public IP Gateway>.54526 > <Private IP Manager>.set: . ack 1 win 6 <nop,nop,timestamp 78244690 644653394>
08:34:38.710260 IP <Private IP Manager>.set > <Public IP Gateway>.54526: F 1:1(0) ack 1 win 6 <nop,nop,timestamp 644713414 78244690>
08:34:38.728833 IP <Public IP Gateway>.54526 > <Private IP Manager>.set: F 1:1(0) ack 2 win 6 <nop,nop,timestamp 78304714 644713414>
08:34:38.728854 IP <Private IP Manager>.set > <Public IP Gateway>.54526: . ack 2 win 6 <nop,nop,timestamp 644713432 78304714>

0 Kudos
Kaspars_Zibarts
Employee

You probably will have to check one of these as next step

Troubleshooting "SmartCenter behind NAT" issues 

Looking at the tcpdump - it stops the TCP connection almost instantly, so it looks like Mgmt does not "recognise" that GW.

0 Kudos
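The two captures in this thread show the two failure shapes discussed above: on the gateway side only SYNs to port 257 with no reply, and on the management side a completed handshake that management closes without any log data. Below is an added triage script (not from the thread or from Check Point) that parses old-style tcpdump text for port 257 (the "set" service name) and returns which shape a capture matches; the sample lines are constructed copies of the posted output with 203.0.113.10 standing in for the gateway's public IP.

```python
import re
from collections import defaultdict
# Constructed samples shaped like the two captures in this thread (203.0.113.10 stands in for the gateway's public IP; 10.44.5.250 is the manager's private IP as posted).
GW_SIDE = """\
22:55:20.502921 IP 203.0.113.10.64684 > 10.44.5.250.set: S 2036222826:2036222826(0) win 5840 <mss 1460,sackOK,timestamp 39556535 0,nop,wscale 10>
22:55:35.505245 IP 203.0.113.10.45059 > 10.44.5.250.set: S 671424545:671424545(0) win 5840 <mss 1460,sackOK,timestamp 39571537 0,nop,wscale 10>
"""
MGMT_SIDE = """\
08:33:38.691310 IP 203.0.113.10.54526 > 10.44.5.250.set: S 859164784:859164784(0) win 5840 <mss 1460,sackOK,timestamp 78244671 0,nop,wscale 10>
08:33:39.116553 IP 10.44.5.250.set > 203.0.113.10.54526: S 1179360162:1179360162(0) ack 859164785 win 5792 <mss 1460,sackOK,timestamp 644653394 78244671,nop,wscale 10>
08:33:38.709728 IP 203.0.113.10.54526 > 10.44.5.250.set: . ack 1 win 6 <nop,nop,timestamp 78244690 644653394>
08:34:38.710260 IP 10.44.5.250.set > 203.0.113.10.54526: F 1:1(0) ack 1 win 6 <nop,nop,timestamp 644713414 78244690>
"""
LINE_RE = re.compile(r"^\S+ IP \S+\.(\w+) > \S+\.(\w+): ([SFPR.]+)(.*)$")  # <ts> IP src.port > dst.port: flags rest
VERDICTS = {
    "NO_TRAFFIC": "no port 257 packets matched: check capture filter/interface",
    "NO_SYNACK": "gateway SYNs unanswered: traffic not reaching management (routing, NAT or a firewall in the path)",
    "MGMT_CLOSED": "handshake done, then management closed the session with no log data: check SmartCenter-behind-NAT / gateway object",
    "HANDSHAKE_ONLY": "handshake seen, no data or close yet: capture longer",
    "OK": "log data is flowing on port 257",
}

def parse_tcpdump(text):
    """Group packets by the gateway's ephemeral port; 'set' is port 257 (FW1_log) in /etc/services."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump banner / warning lines
        sport, dport, flags, rest = m.groups()
        to_mgmt = dport == "set"
        if not to_mgmt and sport != "set":
            continue  # not FW1_log traffic
        key = sport if to_mgmt else dport
        flows[key].append({"to_mgmt": to_mgmt, "syn": "S" in flags, "fin": "F" in flags, "ack": " ack " in rest,
                           "len": int(n.group(1)) if (n := re.search(r"\((\d+)\)", rest)) else 0})  # payload bytes
    return flows

def diagnose(text):
    """Return (verdict code, number of TCP flows) for one capture."""
    flows = parse_tcpdump(text)
    pkts = [p for flow in flows.values() for p in flow]
    if not pkts:
        return "NO_TRAFFIC", 0
    if any(p["len"] > 0 for p in pkts):
        return "OK", len(flows)
    if not any(not p["to_mgmt"] and p["syn"] and p["ack"] for p in pkts):
        return "NO_SYNACK", len(flows)
    closed = any(not p["to_mgmt"] and p["fin"] for p in pkts)
    return ("MGMT_CLOSED" if closed else "HANDSHAKE_ONLY"), len(flows)
```

Run `diagnose()` on the text of `tcpdump -n ... tcp port 257` taken on each side; `VERDICTS[code]` gives the next thing to check.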
--JayJay--
Participant

Unfortunately no access to that Troubleshooting article with my account, yet ....

0 Kudos
Kaspars_Zibarts
Employee

Dameon Welch Abernathy - (need to run by CP) can this article be given to the user as it seems appropriate for his case?

0 Kudos
PhoneBoy
Admin

Unfortunately, we can't grant access to SKs.

I sometimes ask the SK team to adjust an article to a different permission level.

0 Kudos
Vladimir
Champion

Do you have a "Log Implied Rules" enabled in the Global Properties, or have you defined a specific rule to log this traffic?

When you are saying that "I added Management server host to the Gateway to enable it to resolve the name to a Public IP.", are you hiding behind gateway's IP or have you assigned a separate public IP with Static NAT?

0 Kudos
--JayJay--
Participant

Log implied rules is not ticked, but I have created some rules specific to the gw with the logging option enabled.

What I meant is that I added the Management server public IP to the Web UI of the gateway, in order for the gw to resolve the name to the correct (public) IP.

Management server is behind NAT.

0 Kudos
PhoneBoy
Admin

Try doing the following:

  1. Add a dummy object that will represent the internal IP address of the SmartCenter.
  2. In the right pane, right-click on 'CheckPoint > New CheckPoint > Host'. Choose a name for the object and enter the internal IP address of the SmartCenter. In 'CheckPoint Products' select only the 'Log Server' box. Click "OK".
  3. Add a rule with the following parameters: Source: Remote Gateway, Destination: Dummy Object, Service: FW1_log, Action: Accept, Track: Log
  4. Push policy to the remote Gateway and to the Gateway that is between the remote Gateway and the SmartCenter.
  5. On the remote Gateway, run the 'netstat nap' command and make sure it is listening to the internal IP address of the SmartCenter server on port 257.
0 Kudos