This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ryan_Ryan
Advisor
‎2020-12-15 08:31 PM

Check which gateways are logging

Hi,

 

I have noticed some of my gateways don't appear to be logging traffic, This am am certain was working for all gateways previously. We have 45 gateway son the management server so I would ideally like a command I can run on the log sever to see which are established so I can work through backwards.

 

we have 24 cloudguard gateways in hypervisor mode and it seems to be some of them that aren't working, So I cannot easily tell which ones aren't not logging, but I just know when I should be seeing traffic and I am not. The log server has plenty of disk space.

 

thanks

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2020-12-15 08:48 PM

netstat -an should show active TCP connections with gateways that are logging.

0 Kudos
Ryan_Ryan
Advisor
‎2020-12-15 08:54 PM
In response to PhoneBoy

I did some further testing and found a specific gateway that is not logging, I have an snmp alarm on that device:  A "chkpntTrapOverallLSConnState" event has occurred, from CheckpointFirewall device, Security Gateway is unable to report logs to any log server fwLocalLoggingDesc = Writing logs locally due to connectivity problems fwLocalLoggingStat = 2

 

I can ping the log server from this gateway, and the fw.log file is not increasing either, just did an install database on the all the management servers, and a cpstart on the gateway really weird. Ive run through sk40090 without any luck either. Looks like I have 3 gateways that all stopped logging at the exact same time. netstat -an doesn't show a connection to log server

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-15 11:04 PM

Don’t know that you need to delete logtrack but restarting fwd can’t hurt.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Ryan_Ryan
Advisor
‎2020-12-16 07:27 PM
In response to PhoneBoy

Yes I think you are right, does restarting FWD have any service impact? 

 

I saw this in the logs which looks very similar to sk118936 

 

-[17 Dec 15:55:49] connect_to_local_server: connected to local server successfuly
-[17 Dec 15:55:49] ....<-- connect_to_local_server
-[17 Dec 15:55:49] ...<-- connect_to_server
-[17 Dec 15:55:49] create_default_log: connected to default log server
-[17 Dec 15:55:49] ...--> disconnect_from_server
-[17 Dec 15:55:49] disconnect_from_server: default still backups other servers, don't disconnect
-[17 Dec 15:55:49] ...<-- disconnect_from_server
-[17 Dec 15:55:49] create_default_log: disconnected from default log server
-[17 Dec 15:55:49] ..<-- create_default_log
-[17 Dec 15:55:49] .<-- logbuf_write
-[17 Dec 15:55:49] .--> log_has_connected_server
-[17 Dec 15:55:49] .<-- log_has_connected_server
-[17 Dec 15:55:49] log_add_e__logclient: writes logs to local disk because overflow
-[17 Dec 15:55:49] log_add_e__logclient: 192.168.10.10 - no log is sent now
-[17 Dec 15:55:49] log_add_e__logclient: waiting for connecting callback (log_connected) to be read
-[17 Dec 15:55:49] log_add_e__logclient: Write locally ! log record number = 5342
-[17 Dec 15:55:49] .--> log_local_write
-[17 Dec 15:55:49] .<-- log_local_write
-[17 Dec 15:55:49] <-- log_add_e__logclient

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-16 08:11 PM
In response to Ryan_Ryan

I don’t believe so but the sk suggests doing during a maintenance window. 

0 Kudos
Ryan_Ryan
Advisor
‎2020-12-17 06:35 PM

found another solution, removing the log server from the gateway, push policy and add it back has got he log connection back up and working now.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top