
Checkpoint Gateways are not sending the logs to Checkpoint management server


We use the following steps for troubleshooting -

-->> In SmartConsole, go to the 'Policy' menu - click 'Install Database...' - select the Security Management Server and Log Servers - click 'OK'.




-->> Ensure that you have not run out of disk space on the Security Management Server / Log Servers.

Run the df -kh command and check the "Use%" column.




-->> Make sure that the Security Gateway is configured to send logs to the Security Management Server / Log Server; if it is not configured, use the steps below -

In SmartConsole, open the Security Gateway object and check each setting in the "Logs" section.
If any change was made, install policy.


-->> Make sure that the Security Management Server is able to communicate over SIC with the Security Gateway; use the steps below to verify SIC connectivity.

In SmartConsole, open the Security Gateway object - on the 'General Properties' pane, in the "Secure Internal Communication" section, click "Test SIC Status".

Also make sure that the Security Gateway is able to communicate (other than over SIC) with the Security Management Server.





-->> Make sure that the Security policy allows ICMP between the Security Gateway and the Security Management Server.


-->> Make sure that the Security Management Server is listening on TCP port 257.

Use the command below to verify it.

On Gaia / SecurePlatform / Linux / IPSO OS:

# netstat -anp | grep ":257"

-->> Check the log policy setting in log_policy.C on the Management Server

$FWDIR/conf/log_policy.C

Example -



-->> Use tcpdump to check whether any logs are arriving from the gateway at the Management Server.

# tcpdump -n -i INTERFACE_NAME host IP_ADDRESS_of_GW and tcp port 257

Note - When NAT is configured on the Security Management object, make sure the 'Apply for Security Gateway Control Connections' checkbox is checked.



-->> Also verify whether the active firewall log file fw.log is growing on the Security Gateway.

# watch -d -n 3 "ls -l $FWDIR/log/fw.log"


If the active firewall log file is growing, then the Security Gateway is logging locally instead of forwarding the logs to the Security Management Server; this may indicate a routing or connectivity issue.
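As an added example (not from the original post or from Check Point), the shell helpers below parse the output of the df, netstat and ls commands used in the disk-space, TCP 257 and fw.log checks above, so the three checks can be scripted and repeated; the 90% disk threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added helper script, not from the original post or from Check Point.
# Each function reads the output of one command above on stdin, so it can
# be fed either the live command or a captured sample. $FWDIR and TCP 257
# are the values the post uses; the 90% threshold is an assumption.

# df_full_filesystems THRESHOLD
#   Print mount points whose Use% (field 5 of `df -kPh`; -P keeps long
#   device names from wrapping onto a second line) is >= THRESHOLD.
df_full_filesystems() {
    awk -v t="$1" 'NR > 1 { u = $5; sub(/%/, "", u); if (u + 0 >= t) print $6 }'
}

# port_257_listening
#   Succeed only if `netstat -anp` output shows a LISTEN socket on TCP 257.
#   A bare `grep ":257"` also matches established connections whose remote
#   port is 257, which says nothing about the local listener.
port_257_listening() {
    grep -E '^tcp6?[[:space:]].*:257[[:space:]]+[^[:space:]]+[[:space:]]+LISTEN' >/dev/null
}

# fwlog_growing
#   Read two `ls -l $FWDIR/log/fw.log` lines taken a few seconds apart and
#   succeed if the size (field 5) increased, i.e. logs are staying local.
fwlog_growing() {
    awk 'NR == 1 { a = $5 } NR == 2 { b = $5 } END { exit !(NR == 2 && b > a) }'
}

# Live run from the expert shell: the disk and port checks belong on the
# Management Server, the fw.log check on the Security Gateway.
run_checks() {
    full=$(df -kPh | df_full_filesystems 90)
    [ -z "$full" ] || echo "WARNING: filesystems at or above 90% full: $full"
    if netstat -anp 2>/dev/null | port_257_listening; then
        echo "OK: something is listening on TCP 257"
    else
        echo "WARNING: nothing listening on TCP 257"
    fi
    if { ls -l "$FWDIR/log/fw.log"; sleep 3; ls -l "$FWDIR/log/fw.log"; } | fwlog_growing; then
        echo "NOTE: fw.log is growing, so the gateway is logging locally"
    else
        echo "OK: fw.log is not growing locally"
    fi
}
```

Source the file in the expert shell and call run_checks on the relevant box; each helper can also be fed saved command output for offline review.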


-->> The active firewall log file fw.log might be corrupted on the Security Gateway. In that case:

-->> Create a temporary folder anywhere outside $FWDIR/log/

-->> Stop all Check Point services with cpstop (this will stop traffic as well)

-->> Move all fw.log* files from the $FWDIR/log/ folder to a new temporary folder (Do not move log file)

-->> Start all Check Point services with cpstart

-->> Check if $FWDIR/log/fw.log (on Windows OS: %FWDIR%\log\fw.log) file was created and if it is growing

-->> Debug FWD on the Gateway

# fw debug fwd on TDERROR_ALL_FWLOG_DISPATCH=5

# fw debug fwd off TDERROR_ALL_FWLOG_DISPATCH=0


If the issue is still not resolved, raise a TAC case for further troubleshooting.