This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
ED
Advisor
‎2020-02-07 02:01 AM

SG cluster not sending logs to SMS

Jump to solution

Hi,

R80.30 environment. SG cluster is not sending logs to SMS. 

 

Steps that I have done in troubleshooting:

 

  1. Installed database in SmartConsole.
  2. Installed policy several times.
  3. Changed the SG to log locally, installed policy and then reverted to sending logs again to SMS in SmartConsole.
  4. Rebooted the cluster that don’t send logs to the SMS
  5. Disk space is checked on SMS and is fine.
  6. Checked that security gateway is configured to send logs to SMS in SmartConsole.
  7. SIC communication is fine and communicating.
  8. Ping from SMS to SG works fine. The other way too.
  9. Checked that the SMS is listening on port 257. No connection from the cluster SG seen there.
  10. Checked if any logs are coming from the SG to the SMS on port 257 with tcpdump on the interface. No logs there.
  11. The active firewall log file fw.log is growing on the SG. Checked with the command watch -d -n 2 "ls -l $FWDIR/log/fw.log"
  12. Checked the masters file on the SG and it is set to log to the SMS

So are there anymore suggestions in troubleshooting this issue? Could it be that the last step (that I didn't do), the active firewall log file fw.log might be corrupted on the SG? 

 

 

Reply
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion
Champion
‎2020-02-09 03:49 AM

Jump to solution

Hi @ED 

1) Check the $FWDIR/conf/masters file on the gateway and resolve the IP of the object under log.

2) Start "tcpdump -i ethX port 257" on the gateway and check the traffic to the log server

3) On the Management Server run the following cli command "netstat -an | grep 257" and check that the port 257 is open.

4) Check the firewall ruels "sourece gateway to mangement server port 257"

5) Check NAT rules (no Nat between gateway and management).

6) Check the following on the gateway "cpstat fw -f log_connection" 

7) Start "fw ctl zdebug drop | grep 257"on the gateway

8.) Start "tcpdump -i ethX port 257" on the managemet  and check the traffic to the log server

9) If you see traffic on the management server and no log entrys -> restart the management server "cpstart/cpstop"

10) Set in the GAIA GUI the "management Interface" on the correct interface.

11) Check the disk space on the management server under "var/log/"

12) Check the process fwd with "top" or "ps -aux |grep fwd"

13) Check the fwd process with "cpwd_admin list"

14) Install the latest JHF.

If none of this helps, open a ticket at Check Point.

 

View solution in original post

Reply
6 Replies
PhoneBoy
Admin
Admin
‎2020-02-07 03:30 AM

Jump to solution
See if you can open a TCP connection from the gateway to the management on port 257 using e.g. telnet.
Otherwise suggest a TAC case.
0 Kudos
Reply
ED
Advisor
‎2020-02-07 03:56 AM
In response to PhoneBoy

Jump to solution

@PhoneBoy I tried telnet on port 257 from SG to the SMS and it was successful. Could also see that on the SMS with the netstat command. 

I also tried the laste step that I wrote above, fixing the potentially corrupted fw.log file on SG but it didn't help. 

0 Kudos
Reply
Kaspars_Zibarts
Authority
Authority
‎2020-02-07 07:26 AM
In response to ED

Jump to solution

I would check FWD logs / debug it, more info here how to do it

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Reply
Dror_Aharony
Employee++
Employee++
‎2020-02-08 11:42 PM
In response to Kaspars_Zibarts

Jump to solution

Check the log connection state & IP of your Mgmt/LS, that your GW is trying to send logs to by running on the GW (attach here):

cpstat fw -f log_connection

 

Do you have any NATs on your env?

0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion
‎2020-02-09 03:49 AM

Jump to solution

Hi @ED 

1) Check the $FWDIR/conf/masters file on the gateway and resolve the IP of the object under log.

2) Start "tcpdump -i ethX port 257" on the gateway and check the traffic to the log server

3) On the Management Server run the following cli command "netstat -an | grep 257" and check that the port 257 is open.

4) Check the firewall ruels "sourece gateway to mangement server port 257"

5) Check NAT rules (no Nat between gateway and management).

6) Check the following on the gateway "cpstat fw -f log_connection" 

7) Start "fw ctl zdebug drop | grep 257"on the gateway

8.) Start "tcpdump -i ethX port 257" on the managemet  and check the traffic to the log server

9) If you see traffic on the management server and no log entrys -> restart the management server "cpstart/cpstop"

10) Set in the GAIA GUI the "management Interface" on the correct interface.

11) Check the disk space on the management server under "var/log/"

12) Check the process fwd with "top" or "ps -aux |grep fwd"

13) Check the fwd process with "cpwd_admin list"

14) Install the latest JHF.

If none of this helps, open a ticket at Check Point.

 

View solution in original post

Reply
Dror_Aharony
Employee++
Employee++
‎2020-02-12 01:32 AM
In response to HeikoAnkenbrand

Jump to solution

Hi Ed,

just curious, what was your issue & what exactly in Heiko's suggested steps solved it?

 

0 Kudos
Reply