Logs not arriving at Smart-manager from Secure Gateway

Question asked by johan95ee1c6b-18b6-43a6-b083-16898efd0436 on Sep 18, 2018
Latest reply on Sep 19, 2018 by Dameon Welch-Abernathy

Got one Check Point gateway not sending logs to server/manager.

Gateway running R80.10.

Some checks from this list:

Troubleshooting Check Point logging issues when Security Management Server / Log Server is not receiving logs from Secur… 

results:

2. not running out of disk space, other gateways successfully send logs

3. Log setting correct, same as for gateways that do send logs

4. SIC working

6. 

-sh-3.1# netstat -anp | grep ":257"
tcp 0 0 0.0.0.0:257 0.0.0.0:* LISTEN 9971/fwd

8. No logs coming from particular gw to server/manager while checking with tcpdump on port 257

Checking on gateway with tcpdump, tcp port 257 is used, looking like this:

22:55:20.502921 IP 212.123.209.155.64684 > 10.44.5.250.set: S 2036222826:2036222826(0) win 5840 <mss 1460,sackOK,timestamp 39556535 0,nop,wscale 10>
22:55:35.505245 IP GatewayA.45059 > manager/server.set: S 671424545:671424545(0) win 5840 <mss 1460,sackOK,timestamp 39571537 0,nop,wscale 10>
22:55:50.508439 IP GatewayA.46031 > manager/server.set: S 2285159981:2285159981(0) win 5840 <mss 1460,sackOK,timestamp 39586541 0,nop,wscale 10>
22:56:05.510607 IP GatewayA.52013 > manager/server.set: S 2007497722:2007497722(0) win 5840 <mss 1460,sackOK,timestamp 39601543 0,nop,wscale 10>
22:56:20.513890 IP GatewayA.65038 > manager/server.set: S 2658388405:2658388405(0) win 5840 <mss 1460,sackOK,timestamp 39616546 0,nop,wscale 10>
22:56:35.516815 IP GatewayA.39510 > manager/server.set: S 35097244:35097244(0) win 5840 <mss 1460,sackOK,timestamp 39631549 0,nop,wscale 10>
22:56:50.519180 IP GatewayA.55705 > manager/server.set: S 838505804:838505804(0) win 5840 <mss 1460,sackOK,timestamp 39646551 0,nop,wscale 10>
22:57:05.521406 IP GatewayA.41441 > manager/server.set: S 3340929611:3340929611(0) win 5840 <mss 1460,sackOK,timestamp 39661554 0,nop,wscale 10>

10. Firewall on gw is indeed growing locally

checked with 

# watch -d -n 2 "ls -l $FWDIR/log/fw.log"

11. 

# cat $FWDIR/conf/masters

showing name of manager/server
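
An added example, not part of the original post: check 8 and the gateway-side capture both rely on reading tcpdump output for TCP/257, so this Python script parses such lines and returns the client/server pairs whose SYNs to the log port got no packet back within the capture. The sample lines and the names gw-a, gw-b and mgmt are constructed placeholders.

```python
import re
from collections import defaultdict
# tcpdump prints TCP/257 as "set" when /etc/services names it, as in the capture above.
LOG_PORTS = {"257", "set"}
# Accepts the older "S 1:1(0) win ..." layout and the newer "Flags [S], ..." layout.
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.([^.\s]+) > (\S+)\.([^.\s:]+): "
    r"(?:Flags \[([^\]]+)\]|([SFPRWE.]+))(?=[ ,])(.*)$"
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, new_flags, old_flags, rest = m.groups()
    flags = new_flags or old_flags
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "syn": "S" in flags,
        # Old layout shows a SYN-ACK as "S ... ack N", new layout as "[S.]".
        "ack": "." in flags or " ack " in rest,
    }

def unanswered_log_syns(lines):
    """Return {(client, server): stats} for SYNs to the log port that saw no reply."""
    syns = defaultdict(list)   # (client, server) -> [(time, source port)]
    replied = set()            # pairs where the server sent any packet back
    for pkt in filter(None, map(parse, lines)):
        if pkt["sport"] in LOG_PORTS:
            replied.add((pkt["dst"], pkt["src"]))
        elif pkt["dport"] in LOG_PORTS and pkt["syn"] and not pkt["ack"]:
            syns[(pkt["src"], pkt["dst"])].append((pkt["t"], pkt["sport"]))
    report = {}
    for pair, seen in syns.items():
        if pair not in replied:
            times = [t for t, _ in seen]
            report[pair] = {"syns": len(seen),
                            "distinct_source_ports": len({p for _, p in seen}),
                            "gaps_s": [round(b - a) for a, b in zip(times, times[1:])]}
    return report

# Constructed sample, not the poster's capture.
SAMPLE = """\
10:00:00.100000 IP gw-a.45059 > mgmt.set: S 671424545:671424545(0) win 5840 <mss 1460>
10:00:15.100000 IP gw-a.46031 > mgmt.set: S 2285159981:2285159981(0) win 5840 <mss 1460>
10:00:30.200000 IP gw-a.52013 > mgmt.set: S 2007497722:2007497722(0) win 5840 <mss 1460>
10:00:31.000000 IP gw-b.40000 > mgmt.set: S 100:100(0) win 5840 <mss 1460>
10:00:31.001000 IP mgmt.set > gw-b.40000: S 900:900(0) ack 101 win 5792 <mss 1460>
""".splitlines()
```

Calling `unanswered_log_syns(SAMPLE)` reports only the gw-a pair. A distinct source port on every SYN means each one is a fresh connection attempt rather than a retransmission, which would reuse the same port.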