This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kai_Magnussen
Participant
‎2020-03-29 11:51 PM

Cannot open packet capture files in ips log

hi,

There is a newly installed vs on a vsx cluster, that we cannot open or download the packet capture file from the log entry. Forensics is enabled in tracking, the files are generated, but when clicking on the cap file link in the log entry in smartconsole, we only get

"failed at getting the incident file from the gateway"

 

$FWDIR/log/forensics folder is empty, on the vs, and vs0, nothing on the log server either. 

Is there a timelimit for how long these files are accessible, and can this then be adjusted? Or is this a bug?

The vsx cluster is running R80.30.

0 Kudos
7 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-03-30 06:27 AM

Try bringing up the log entries and associated captures using the old SmartView Tracker (CPlgv.exe).  Does that work?  This will help determine if it is some kind of SmartEvent problem.  Also try bringing up the capture via the SmartView web interface at https://(IP OF SMS)/smartview

If none of these alternative options work, something is broken with the transfer of IPS packet captures, which should be transferred automatically between the VS gateway and the Log Server/SMS when they are taken.

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Kai_Magnussen
Participant
‎2020-03-30 06:59 AM
In response to Timothy_Hall

 

hi,

 

Thanks for the response. Tried accessing both alternatives, but no option to download, as the packet capture is not a proper link, just text.

So this further strengthens the theory that is a bug, so i have opened a case with TAC.

 

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-03-30 07:13 AM
In response to Kai_Magnussen

OK, please post and let us know what you find out with TAC.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
J_Bendonis
Explorer
‎2020-07-07 10:37 AM
In response to Timothy_Hall

Im finding this too, did you get an answer from TAC? (if only to save me a phone call)

0 Kudos
Crawford_Comapn
Explorer
‎2020-09-23 11:05 PM
In response to Kai_Magnussen

Hi Kai_Magnussen,

Were you able to get an update from TAC on this.

0 Kudos
ladeko
Participant
Participant
‎2020-09-07 06:55 AM

We are also having the same problem. Did you find any solution/cause

0 Kudos
Jan_Kleinhans
Advisor
‎2020-09-24 07:29 AM
In response to ladeko

Hello,

you have to open a case . There is a hotfix for this issue available.

We are experiencing this issue sind R80.20 and always had to request a hotfix. But in our case the files are generated but cannot be opened because the file name is 0.0.0.0_filename.

 

Best regards,

Jan

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top