Hi, thanks. I have run the cpprod_util FwIsFireWallModule command and I got 1. It says in the procedure
"If it is 1, then you have inadvertently installed the management station as a firewall. The next step is to unload the policy from the Management Station:" What does it mean? I have installed the R70 on a single open server.
Many thanks

2010/9/29, Gustavo Rocha de Andrade <[email protected]>:
> Hi,
>
> I think the procedures below should assist you.
>
> Problem
>
> At times the management station can stop receiving logs from the firewalls.
> As a result, the firewall, or firewalls, will begin to log locally when
> it can not communicate with the Management station; this can consume hard
> drive space at a rate dependent on the amount of logging taking place. Below
> are some very practical troubleshooting procedures that have proven very
> effective in resolving a wide variety of logging issues.
>
> 1) Management Server is both a Management station and an Enforcement Point
> Ensure that the management station was not installed as a combination of
> both a firewall/management station. This incorrect installation will block
> logs being sent to the management station.
>
> Run the following command:
>
> cpprod_util FwIsFireWallModule
>
> The output will be 1 or 0.
> If it is 1, then you have inadvertently installed the management station as
> a firewall. The next step is to unload the policy from the Management
> Station:
>
> fw unloadlocal
>
> After which, you will run the following command to ensure the Management
> Station is just that and not a firewall:
>
> cpprod_util FwSetFireWallModule 0
>
> Finally, reboot the management station.
>
> 2) Reinstall the Database
> The Management station and its database may be out of sync.
> Try to install the database on the Management station:
> Go to Policy > Install Database
> and select the Management station object
> and then push the policy to the firewalls.
>
> 3) Management Station is not Listening for Logs
> On the Management station issue the command netstat -na and ensure that it
> is listening on port 257, which is the logging port for Check Point. Issuing
> netstat -na from the management station should show something similar to the
> example below:
>
> TCP 10.1.1.13:257 10.1.1.2:2085 ESTABLISHED
> TCP 10.1.1.13:257 10.1.1.3:1133 ESTABLISHED
>
> Here, we see that the management station, 10.1.1.13, is listening for logs
> from both firewalls, 10.1.1.2 and 10.1.1.3, respectively.
>
> Also, issuing netstat -na on the firewall should show the following:
>
> tcp 0 0 10.1.1.2.2085 10.1.1.13.257 ESTABLISHED
>
> Please note: The above examples depict two firewalls where logging has been
> established. Upon initiation the management station and firewalls should be
> in a LISTENING state.
>
> 4) Checking Network Connectivity
> Can you ping the management station from the firewall? If this fails, and
> your rules allow for this, then it is most likely a routing issue. You can
> either have an explicit rule for ICMP between the management and firewalls
> or you can perform the following:
>
> Policy > Global Properties > Firewall 1 > Accept ICMP requests
>
> Here, ensure the option is checked and set it before last.
>
> Can you ping the firewall from the management station (rules must allow for
> this, see above)? If this fails, and your rules allow for this, then it is
> most likely a routing issue.
>
> 5) Pushing Policy
> Can you push policy from the management station or fetch policy from the
> module? If you cannot push or fetch policy then check the SIC status between
> the Management station and the enforcement module. You might have to
> re-establish it. Commands for fetching the policy from the management
> station:
>
> fw fetch hostname_of_MS
> or
> fw fetch IP_Addr_of_MS
>
> 6) Check the Log Server Settings
> Within the Smart Center server check the log settings on the firewall object
> and make sure the log server is set to the management station or the log
> server you are using. How to check this:
>
> FireWall Object > Logging > Logs and Masters > Log Servers
>
> 7) Check that logs are being sent
> Check to see if the fw.log file is growing on the module. It should be if
> the logs are not going to the management station.
>
> On the firewall enforcement point:
>
> cd $FWDIR/log
> ls -la
>
> or issue the following command:
>
> netstat -an | grep 257
>
> The above command will show that the connection is established but the
> destination is the localhost of the firewall and not the management station
> and/or log server IP.
>
> 8) Verify the %FWDIR/conf/masters file
> Check the masters file. The hostname or IP address of the management
> station/log server should be listed in there. It should look like this:
>
> nokia[admin]# cat $FWDIR/conf/masters
> [Policy]
> hostname_of_FW
> [Log]
> hostname_of_FW
> [Alert]
> hostname_of_FW
>
> If the IP or name within the masters file does not correspond to the name
> or IP of the management station or log server, you must correct this via the
> VI utility within IPSO. Please refer to Resolution 14403: A reference guide
> for the VI editor on how to use VI.
>
> 9) Use tcpdump to verify the network connection
> Run a tcpdump on the firewall listening for port 257 on the interface facing
> the management station. This will confirm whether the firewall is attempting
> to send logs to the management station.
>
> tcpdump -i eth-facing-MS port 257
>
> You should see log traffic leaving the firewall and heading to the IP
> address of the management station/log server.
>
> Note: For further explanation of tcpdump please refer to Resolution 330: How
> do I use tcpdump?
>
> 10) Try a log switch
> Perform a log switch on the management station and reboot the management
> station. If the log switch does not work, move all contents of the log
> directory (do not move the directory) to a temp folder outside of the log
> directory. After reboot, see if logs start again.
>
> 11) Remove potentially corrupted files
> Delete all the $FWDIR/log files and $FWDIR/state directory files on the
> firewall. You can perform this by accessing the above directories and
> issuing the following command: rm *.*. After which you will have to reboot
> the firewall. Once you have deleted the files within the directory please
> reboot the firewall (delete only the files and not the directory).
>
>
> ________________________________________
> From: Mailing list for discussion of Firewall-1
> [[email protected]] on behalf of a bv
> [[email protected]]
> Sent: Wednesday, 29 September 2010 13:46
> To: [email protected]
> Subject: Re: [FW-1] Utmedge connected to R70 SPLAT logging problem
>
> Hi,
> thanks for the advice but I have to do the fix by myself, I can't hire
> someone for this. Let me explain the situation more simply.
>
> I have an R70 SPLAT box and a UTM-1 Edge box (7.5.5 firmware). I
> want to connect and manage the edge from R70. But the edge is not
> sending logs to the R70, I can't see them on SmartView Tracker. My edge
> logs seem to be lost. That's the problem.
> Regards
>
> 2010/9/29, Hugo van der Kooij <[email protected]>:
>> On Wed, 29 Sep 2010 16:57:55 +0300, a bv <[email protected]> wrote:
>>> Which parts of my mail came non-understandable to you? Then let me
>>> explain again.
>>
>> Well, just about everything? And on a mailing list like this, if it is hard
>> to read I lose all interest; I simply can't be bothered to invest my own
>> time into translation issues.
>>
>> As no one else answered the question as well, my advice remains to actually
>> pay for someone to make this work. If there is a business need then there
>> is a valid reason to hire someone to do the job.
>>
>> Hugo.
>>
>> --
>> [email protected] http://hugo.vanderkooij.org/
>> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>>
>> Scanned by Check Point Total Security Gateway.
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to [email protected]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> [email protected]
>> =================================================
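As an added example (not part of the thread and not Check Point's own tooling), a POSIX shell script that applies steps 7 and 8 of the quoted procedure to captured text: it classifies the established port-257 sessions in netstat output (remote management station versus the localhost fallback the procedure describes) and reads the [Log] host out of a masters file. The netstat lines and the masters content are constructed samples, and "mgmt01" is an assumed hostname.

```shell
#!/bin/sh
# Added example, not from the thread: scripted versions of steps 7 and 8
# (gateway-side netstat port-257 sessions and the masters file) on captured text.

# Constructed netstat -an output from a gateway that fell back to local logging:
# its only port-257 session goes to 127.0.0.1, not to the MS (step 7).
SAMPLE_NETSTAT_LOCAL='tcp 0 0 10.1.1.2.2085 127.0.0.1.257 ESTABLISHED
tcp 0 0 10.1.1.2.22 10.1.1.50.41022 ESTABLISHED'
# Constructed output from a gateway whose logs reach the MS 10.1.1.13.
SAMPLE_NETSTAT_OK='tcp 0 0 10.1.1.2.2085 10.1.1.13.257 ESTABLISHED'
# Constructed masters file in the layout shown in step 8; "mgmt01" is assumed.
SAMPLE_MASTERS='[Policy]
mgmt01
[Log]
mgmt01
[Alert]
mgmt01'

# Gateway view: where do established port-257 sessions go?
# Handles both "a.b.c.d.257" (IPSO) and "a.b.c.d:257" (Linux/Windows) forms.
# Prints "remote <ip>", "local" (logging to localhost) or "none".
log_dest() {
  printf '%s\n' "$1" | awk '
    NF >= 4 && toupper($NF) == "ESTABLISHED" && $(NF-1) ~ /[.:]257$/ {
      host = $(NF-1); sub(/[.:][0-9]+$/, "", host)
      if (host == "127.0.0.1" || host == "localhost") loopback++
      else { remote++; dest = host }
    }
    END { if (remote) print "remote " dest; else if (loopback) print "local"; else print "none" }'
}

# Host named under [Log] in the masters file, i.e. where the gateway sends logs.
log_master() {
  printf '%s\n' "$1" | awk '/^\[/ { sect = $0; next } sect == "[Log]" && NF { print $1; exit }'
}

# One verdict per gateway; exit 0 only when logs are leaving for a remote host.
check_logging() {
  dest=$(log_dest "$1"); master=$(log_master "$2")
  case "$dest" in
    remote*) echo "OK: logs leave for ${dest#* } ([Log] master: $master)"; return 0 ;;
    local)   echo "WARN: port-257 session is to localhost, gateway logs locally ([Log] master: $master)"; return 1 ;;
    *)       echo "WARN: no established port-257 session ([Log] master: $master)"; return 1 ;;
  esac
}

# Demo on the two constructed captures (exit status ignored here).
check_logging "$SAMPLE_NETSTAT_OK" "$SAMPLE_MASTERS"
check_logging "$SAMPLE_NETSTAT_LOCAL" "$SAMPLE_MASTERS" || :
```

On a real gateway the same functions take `"$(netstat -an)"` and `"$(cat $FWDIR/conf/masters)"` as their arguments.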
