Checkpoint Gateways are not sending the logs to Checkpoint management server
We use the following steps for troubleshooting:
-->> In SmartConsole, go to the 'Policy' menu - click 'Install Database...' - select the Security Management Server and Log Servers - click 'OK'.
-->> Ensure that you have not run out of disk space on the Security Management Server / Log Servers.
Run the df -kh command and check the "Use%" column.
-->> Make sure that the Security Gateway is configured to send logs to the Security Management Server / Log Server. If it is not, use the steps below:
In SmartConsole, open the Security Gateway object - check each setting in the "Logs" section.
If any change was made, install policy.
-->> Make sure that the Security Management Server is able to communicate over SIC with the Security Gateway. Verify SIC connectivity as follows:
In SmartConsole, open the Security Gateway object - on the 'General Properties' pane, in the "Secure Internal Communication" section - click "Test SIC Status".
Also make sure that the Security Gateway is able to communicate (other than SIC) with the Security Management Server.
-->> Make sure that the Security Management Server is listening on TCP port 257 (the fwd daemon receives Gateway logs on this port).
Use the command below to verify it.
On Gaia / SecurePlatform / Linux / IPSO OS:
# netstat -anp | grep ":257"
Also check the log_policy.C file on the Management Server: $FWDIR/conf/log_policy.C
To confirm that log traffic from the Gateway actually arrives, capture on the Management Server. Example:
# tcpdump -n -i INTERFACE_NAME host IP_ADDRESS_of_GW and tcp port 257
Note - When NAT is configured on the Security Management Server object, make sure that the 'Apply for Security Gateway Control Connections' checkbox is checked, otherwise the Gateway may send logs to the wrong address.
-->> Also verify whether the active firewall log file fw.log is growing on the Security Gateway:
# watch -d -n 3 "ls -l $FWDIR/log/fw.log"
If the active firewall log file is growing, the Security Gateway is logging locally instead of forwarding the logs to the Security Management Server, which points to a routing or connectivity issue between the Gateway and the Management Server.
-->> The active firewall log file fw.log might be corrupted on the Security Gateway. To replace it:
-->> Create a temporary folder anywhere outside $FWDIR/log/
-->> Stop all Check Point services with cpstop (this also stops traffic through the Gateway, so do it in a maintenance window)
-->> Move all fw.log* files from the $FWDIR/log/ folder to the new temporary folder (keep them, do not delete them, so they can be examined later)
-->> Start all Check Point services with cpstart
-->> Check that the $FWDIR/log/fw.log (on Windows OS: %FWDIR%\log\fw.log) file was created and whether it is growing
-->> Debug FWD on the Gateway (the debug output is written to $FWDIR/log/fwd.elg):
# fw debug fwd on TDERROR_ALL_FWLOG_DISPATCH=5
(reproduce the problem, then turn the debug off)
# fw debug fwd off TDERROR_ALL_FWLOG_DISPATCH=0
If the issue is still not resolved, raise a TAC case for further troubleshooting.
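As an added example (not part of the original post and not a Check Point tool), here is a small POSIX shell helper that automates three of the checks above: disk usage from df -kh, the TCP 257 listener from netstat -anp, and whether fw.log is growing locally on the Gateway. Each check is a function that parses command output from stdin or takes plain arguments, so it can be tried on sample text before being run on a Gaia box in expert mode. The 90% threshold, the 10-second sampling window and the function names are my own choices; the script assumes $FWDIR is set, as it is in the Gaia expert shell.

```shell
#!/bin/sh
# Added example helper, not Check Point's own tooling. Assumes a Gaia/Linux
# userland (sh, awk, grep, ls, df, netstat) and $FWDIR set by the Check Point
# environment. Run with "./logcheck.sh run" on a live system.

# Print every filesystem whose Use% is at or above THRESHOLD ("mount use%").
# Input: output of `df -kh` on stdin. Exit 1 if any were found, 0 otherwise.
# Reads the last two columns so wrapped long device names do not break it.
disk_over_threshold() {
    awk -v thr="$1" 'NR > 1 && $(NF-1) ~ /%$/ {
        use = $(NF-1); sub(/%/, "", use)
        if (use + 0 >= thr) { print $NF " " $(NF-1); found = 1 }
    } END { exit found ? 1 : 0 }'
}

# Exit 0 if a TCP socket is in LISTEN state on PORT (matches tcp and tcp6).
# Input: output of `netstat -anp` on stdin.
port_listening() {
    grep -E "^tcp.*[:.]$1[[:space:]].*LISTEN" >/dev/null
}

# Size in bytes of FILE (column 5 of `ls -l`), or 0 if it does not exist.
file_size() {
    if [ -f "$1" ]; then ls -l "$1" | awk '{ print $5 }'; else echo 0; fi
}

# Exit 0 if SIZE_AFTER is strictly greater than SIZE_BEFORE.
grew() {
    [ "$2" -gt "$1" ]
}

# Sample FILE twice, SECS apart, and exit 0 if it grew in between.
# On a Gateway, a growing $FWDIR/log/fw.log means logs are being written
# locally instead of being forwarded to the Management / Log Server.
fwlog_growing() {
    before=$(file_size "$1"); sleep "$2"; after=$(file_size "$1")
    grew "$before" "$after"
}

run_checks() {
    echo "== Filesystems at or above 90% =="
    if df -kh | disk_over_threshold 90; then echo "ok: disk usage below 90%"; fi

    echo "== TCP 257 listener (meaningful on the Management / Log Server) =="
    if netstat -anp 2>/dev/null | port_listening 257; then
        echo "ok: fwd is listening on TCP 257"
    else
        echo "FAIL: nothing listening on TCP 257"
    fi

    echo "== Local fw.log growth over 10 s (meaningful on the Gateway) =="
    : "${FWDIR:?FWDIR is not set; run this from the Gaia expert shell}"
    if fwlog_growing "$FWDIR/log/fw.log" 10; then
        echo "WARN: fw.log is growing locally; check routing/connectivity to the Log Server"
    else
        echo "ok: fw.log is not growing locally"
    fi
}

# Only touch the live system when explicitly asked, so the functions can be
# sourced and exercised on sample text.
if [ "${1:-}" = "run" ]; then run_checks; fi
```

On a healthy deployment the disk check prints nothing, the 257 check passes on the Management Server, and fw.log on the Gateway does not grow; a growing fw.log together with a failing tcpdump on the Management Server is the classic signature of the routing or NAT problem described above.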