Hi,

I think the procedures below should assist you.


Problem
 
At times the management station can stop receiving logs from the firewalls. As 
a result, the firewall, or firewalls, will begin to log locally when they 
cannot communicate with the management station; this can consume hard drive 
space at a rate dependent on the amount of logging taking place. Below are some 
very practical troubleshooting procedures that have proven very effective in 
resolving a wide variety of logging issues.
 
1) Management Server is both a Management Station and an Enforcement Point
Ensure that the management station was not installed as a combination of both a 
firewall and a management station. This incorrect installation will block logs 
being sent to the management station.
 

Run the following command:


cpprod_util FwIsFireWallModule


The output will be 1 or 0. 
If it is 1, then you have inadvertently installed the management station as a 
firewall. The next step is to unload the policy from the Management Station:


fw unloadlocal


After which, you will run the following command to ensure the Management 
Station is just that and not a firewall:


cpprod_util FwSetFireWallModule 0


Finally, reboot the management station.
 
2) Reinstall the Database
The management station and its database may be out of sync. Try to install 
the database on the management station: go to Policy > Install Database > and 
select the management station object, and then push the policy to the 
firewalls.
 
3) Management Station is not Listening for Logs 
On the Management station issue the command netstat -na and ensure that it is 
listening on port 257, which is the logging port for Check Point. Issuing 
netstat -na from the management station should show something similar to the 
example below:
 
TCP    10.1.1.13:257   10.1.1.2:2085     ESTABLISHED
TCP    10.1.1.13:257   10.1.1.3:1133     ESTABLISHED

 
Here, we see that the management station, 10.1.1.13, is listening for logs 
from both firewalls, 10.1.1.2 and 10.1.1.3, respectively.
 
Also, issuing netstat -na on the firewall should show the following:
 

tcp   0    0    10.1.1.2.2085    10.1.1.13.257   ESTABLISHED

 
Please note: the above examples depict two firewalls where logging has been 
established. Upon initiation, the management station and firewalls should be in 
a LISTENING state.
 
4) Checking Network Connectivity
Can you ping the management station from the firewall? If this fails, and your 
rules allow for this, then it is most likely a routing issue. You can either 
have an explicit rule for ICMP between the management and firewalls or you can 
perform the following:
 

Policy > Global Properties > FireWall-1 > Accept ICMP requests
Here, ensure the option is checked and set it to Before Last.

 
Can you ping the firewall from the management station (rules must allow for 
this, see above)? If this fails, and your rules allow for this, then it is most 
likely a routing issue.
 
5) Pushing Policy
Can you push policy from the management station or fetch policy from the 
module? If you cannot push or fetch policy then check the SIC status between 
the Management station and the enforcement module. You might have to 
re-establish it. Commands for fetching the policy from the management station:
 

fw fetch hostname_of_MS
      or
fw fetch IP_Addr_of_MS

 
6) Check the Log Server Settings
Within the SmartCenter server, check the log settings on the firewall object 
and make sure the log server is set to the management station or the log server 
you are using. How to check this:
 

FireWall Object > Logging > Logs and Masters > Log Servers

 
7) Check that logs are being sent
Check to see if the fw.log file is growing on the module. It should be growing 
if the logs are not going to the management station.
 
On the firewall enforcement point:

cd $FWDIR/log 
ls -la 
 
or issue the following command

netstat -an | grep 257  

 
The above command will show that the connection is established, but the 
destination is the localhost of the firewall and not the management station 
and/or log server IP.
 
8) Verify the $FWDIR/conf/masters file
Check the masters file. The hostname or IP address of the management 
station/log server should be listed in there. It should look like this:
 

nokia[admin]# cat $FWDIR/conf/masters 
[Policy]
hostname_of_MS
[Log]
hostname_of_MS
[Alert]
hostname_of_MS

 
If the IP or name within the masters file does not correspond to the name or 
IP of the management station or log server, you must correct this via the vi 
utility within IPSO. Please refer to Resolution 14403: A reference guide for 
the VI editor on how to use vi.
 
9) Use tcpdump to verify the network connection
Run a tcpdump on the firewall listening for port 257 on the interface facing 
the management station. This will confirm whether the firewall is attempting to 
send logs to the management station. 
 

tcpdump -i eth-facing-MS port 257

 
You should see log traffic leaving the firewall and heading to the IP address 
of the management station/log server.
 
Note: For further explanation of tcpdump please refer to Resolution 330: How do 
I use tcpdump?
 
10) Try a log switch
Perform a log switch on the management station and reboot the management 
station. If the log switch does not work, move all contents of the log 
directory (do not move the directory) to a temp folder outside of the log 
directory. After the reboot, see if logs start again.
 
11) Remove potentially corrupted files
Delete all the files in the $FWDIR/log and $FWDIR/state directories on the 
firewall. You can perform this by changing into each of the above directories 
and issuing the command rm *.* (delete only the files and not the directory). 
Once you have deleted the files within the directories, reboot the firewall.
 
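Steps 7 and 8 above are the ones most worth scripting, since they are what you repeat after every fix. The following is an added example written for this reply, not code from the original post or from Check Point: it classifies the port-257 peer seen in netstat -an output (management station, localhost, or none), lists the hosts named under [Log] in a masters file, and checks whether fw.log is still growing. The management station address 10.1.1.13 and the netstat and masters samples at the bottom are constructed for the demonstration; on a real module feed it `netstat -an`, `$FWDIR/conf/masters` and `$FWDIR/log/fw.log` instead.

```shell
#!/bin/sh
# Added example (not from the list post): automate steps 7 and 8 of the
# checklist on a Check Point enforcement point. Assumed, not from the post:
# the management/log server IP 10.1.1.13 and the constructed samples below.

# Classify the port-257 (Check Point logging) peer in `netstat -an` output
# read on stdin. Works for SPLAT/Linux ("10.1.1.13:257") and IPSO
# ("10.1.1.13.257") notation; the state is the last field and the foreign
# address the field before it, so 4- and 6-column layouts both parse.
# Prints one of: ms (logs go to $1), local (peer is 127.x, i.e. the module
# is logging locally), none (no ESTABLISHED port-257 connection at all).
log_peer() {
    awk -v ms="$1" '
        NF >= 4 && tolower($1) ~ /^tcp/ && $NF == "ESTABLISHED" \
            && $(NF-1) ~ /[.:]257$/ {
            peer = $(NF-1); sub(/[.:]257$/, "", peer)   # strip the port
            if (peer == ms)            seen_ms = 1
            else if (peer ~ /^127\./)  seen_local = 1
        }
        END {
            if (seen_ms)         print "ms"
            else if (seen_local) print "local"
            else                 print "none"
        }'
}

# Print the hosts listed under [Log] in a masters file read on stdin
# (section headers are lines of the form [Name]).
masters_log_hosts() {
    awk '/^\[/ { sect = $0; next } sect == "[Log]" && NF { print $1 }'
}

# Succeed only if $1 (management station name or IP) is a [Log] host.
masters_points_to() {
    masters_log_hosts | grep -qx "$1"
}

# Succeed if file $1 grew during a $2-second window: a growing fw.log on
# the module means logs are being kept locally (step 7).
file_grew() {
    before=$(wc -c < "$1" | tr -d ' ')
    sleep "$2"
    after=$(wc -c < "$1" | tr -d ' ')
    [ "$after" -gt "$before" ]
}

# --- constructed samples (not real output from anyone's systems) ---
NETSTAT_SPLAT='tcp        0      0 10.1.1.2:2085      10.1.1.13:257   ESTABLISHED
tcp        0      0 0.0.0.0:18191      0.0.0.0:*       LISTEN'
NETSTAT_IPSO_LOCAL='tcp   0    0    127.0.0.1.1034    127.0.0.1.257   ESTABLISHED'
MASTERS_BAD='[Policy]
fw-nokia
[Log]
fw-nokia
[Alert]
fw-nokia'

echo "SPLAT sample peer: $(printf '%s\n' "$NETSTAT_SPLAT" | log_peer 10.1.1.13)"
echo "IPSO sample peer:  $(printf '%s\n' "$NETSTAT_IPSO_LOCAL" | log_peer 10.1.1.13)"
if printf '%s\n' "$MASTERS_BAD" | masters_points_to 10.1.1.13; then
    echo "masters [Log] names the management station"
else
    echo "masters [Log] does not name 10.1.1.13: fix with vi, then fw fetch"
fi
```

On the module itself the live calls are `netstat -an | log_peer 10.1.1.13`, `masters_points_to 10.1.1.13 < $FWDIR/conf/masters` and `file_grew $FWDIR/log/fw.log 30`; a result of "local" together with a growing fw.log is exactly the symptom step 7 describes.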


________________________________________
From: Mailing list for discussion of Firewall-1 
[[email protected]] on behalf of a bv 
[[email protected]]
Sent: Wednesday, 29 September 2010 13:46
To: [email protected]
Subject: Re: [FW-1] Utmedge connected to R70 SPLAT logging problem

Hi,
Thanks for the advice, but I have to do the fix by myself; I can't hire
someone for this. Let me explain the situation more simply.

I have an R70 SPLAT box and a UTM-1 Edge box (7.5.5 firmware). I
want to connect to and manage the Edge from R70. But the Edge is not
sending logs to the R70; I can't see them in SmartView Tracker. My Edge
logs seem to be lost. That's the problem.
Regards

2010/9/29, Hugo van der Kooij <[email protected]>:
> On Wed, 29 Sep 2010 16:57:55 +0300, a bv <[email protected]> wrote:
>> Which parts of my mail were not understandable to you? Then let me
>> explain again.
>
> Well, just about everything? And on a mailing list like this, if it is hard
> to read, I lose all interest; I simply can't be bothered to invest my own
> time into translation issues.
>
> As no one else answered the question as well my advice remains to actually
> pay for someone to make this work. If there is a business need then there
> is a valid reason to hire someone to do the job.
>
> Hugo.
>
> --
> [email protected]   http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
