Also I get this from netstat -na:

tcp 0 0 0.0.0.0:257 0.0.0.0:* LISTEN
But tcpdump -i eth1 port 257 didn't bring any packet (eth1 has the IP of the hostname of the firewall).

Many thanks

2010/9/29, a bv <[email protected]>:
> Hi, thanks
>
> I have run the cpprod_util FwIsFireWallModule command and I got 1. It
> says on the procedure
>
> "If it is 1, then you have inadvertently installed the management
> station as a firewall. The next step is to unload the policy from the
> Management Station:" What does it mean? I have installed the R70 on a
> single open server.
>
> Many thanks
>
>
> 2010/9/29, Gustavo Rocha de Andrade <[email protected]>:
>> Hi,
>>
>> I think the procedures below should assist you.
>>
>>
>> Problem
>>
>> At times the management station can stop receiving logs from the
>> firewalls. As a result, the firewall, or firewalls, will begin to log
>> locally when it cannot communicate with the Management station; this can
>> consume hard drive space at a rate dependent on the amount of logging
>> taking place. Below are some very practical troubleshooting procedures
>> that have proven very effective in resolving a wide variety of logging
>> issues.
>>
>> 1) Management Server is both a Management station and an Enforcement Point
>> Ensure that the management station was not installed as a combination of
>> both a firewall/management station. This incorrect installation will
>> block logs being sent to the management station.
>>
>> Run the following command:
>>
>> cpprod_util FwIsFireWallModule
>>
>> The output will be 1 or 0.
>> If it is 1, then you have inadvertently installed the management station
>> as a firewall.
>> The next step is to unload the policy from the Management Station:
>>
>> fw unloadlocal
>>
>> After which, you will run the following command to ensure the Management
>> Station is just that and not a firewall:
>>
>> cpprod_util FwSetFireWallModule 0
>>
>> Finally, reboot the management station.
>>
>> 2) Reinstall the Database
>> The Management station and its database may be out of sync.
>> Try to install the database on the Management station:
>> Go to Policy > Install Database > and select the Management station
>> object, and then push the policy to the firewalls.
>>
>> 3) Management Station is not Listening for Logs
>> On the Management station issue the command netstat -na and ensure that
>> it is listening on port 257, which is the logging port for Check Point.
>> Issuing netstat -na from the management station should show something
>> similar to the example below:
>>
>> TCP 10.1.1.13:257 10.1.1.2:2085 ESTABLISHED
>> TCP 10.1.1.13:257 10.1.1.3:1133 ESTABLISHED
>>
>> Here, we see that the management station, 10.1.1.13, is listening for
>> logs from both firewalls, 10.1.1.2 and 10.1.1.3, respectively.
>>
>> Also, issuing netstat -na on the firewall should show the following:
>>
>> tcp 0 0 10.1.1.2.2085 10.1.1.13.257 ESTABLISHED
>>
>> Please note: The above examples depict two firewalls where logging has
>> been established. Upon initiation the management station and firewalls
>> should be in a LISTENING state.
>>
>> 4) Checking Network Connectivity
>> Can you ping the management station from the firewall? If this fails, and
>> your rules allow for this, then it is most likely a routing issue. You
>> can either have an explicit rule for ICMP between the management and
>> firewalls or you can perform the following:
>>
>> Policy > Global Properties > Firewall 1 > Accept ICMP requests
>> Here, ensure the option is checked and set it before last.
>>
>> Can you ping the firewall from the management station (rules must allow
>> for this, see above)? If this fails, and your rules allow for this, then
>> it is most likely a routing issue.
>>
>> 5) Pushing Policy
>> Can you push policy from the management station or fetch policy from the
>> module? If you cannot push or fetch policy then check the SIC status
>> between the Management station and the enforcement module. You might have
>> to re-establish it. Commands for fetching the policy from the management
>> station:
>>
>> fw fetch hostname_of_MS
>> or
>> fw fetch IP_Addr_of_MS
>>
>> 6) Check the Log Server Settings
>> Within the Smart Center server check the log settings on the firewall
>> object and make sure the log server is set to the management station or
>> the log server you are using. How to check this:
>>
>> FireWall Object > Logging > Logs and Masters > Log Servers
>>
>> 7) Check that logs are being sent
>> Check to see if the fw.log file is growing on the module. It should be
>> if the logs are not going to the management station.
>>
>> On the firewall enforcement point:
>>
>> cd $FWDIR/log
>> ls -la
>>
>> or issue the following command:
>>
>> netstat -an | grep 257
>>
>> The above command will show that the connection is established but the
>> destination is the localhost of the firewall and not the management
>> station and/or log server IP.
>>
>> 8) Verify the $FWDIR/conf/masters file
>> Check the masters file. The hostname or IP address of the management
>> station/log server should be listed in there. It should look like this:
>>
>> nokia[admin]# cat $FWDIR/conf/masters
>> [Policy]
>> hostname_of_FW
>> [Log]
>> hostname_of_FW
>> [Alert]
>> hostname_of_FW
>>
>> If the IP or name within the masters file does not correspond to the
>> name or IP of the management station or log server you must correct this
>> via the VI utility within IPSO.
>> Please refer to Resolution 14403: A reference guide for the VI editor on
>> how to use VI.
>>
>> 9) Use tcpdump to verify the network connection
>> Run a tcpdump on the firewall listening for port 257 on the interface
>> facing the management station. This will confirm whether the firewall is
>> attempting to send logs to the management station.
>>
>> tcpdump -i eth-facing-MS port 257
>>
>> You should see log traffic leaving the firewall and heading to the IP
>> address of the management station/log server.
>>
>> Note: For further explanation of tcpdump please refer to Resolution 330:
>> How do I use tcpdump?
>>
>> 10) Try a log switch
>> Perform a log switch on the management station and reboot the management
>> station. If the log switch does not work, move all contents of the log
>> directory (do not move the directory) to a temp folder outside of the log
>> directory. After reboot see if logs start again.
>>
>> 11) Remove potentially corrupted files
>> Delete all the $FWDIR/log files and $FWDIR/state directory files on the
>> firewall. You can perform this by accessing the above directories and
>> issuing the following command: rm *.*. After which you will have to reboot
>> the firewall. Once you have deleted the files within the directory please
>> reboot the firewall (Delete only the files and not the directory).
>>
>>
>> ________________________________________
>> From: Mailing list for discussion of Firewall-1
>> [[email protected]] on behalf of a bv
>> [[email protected]]
>> Sent: Wednesday, 29 September 2010 13:46
>> To: [email protected]
>> Subject: Re: [FW-1] Utmedge connected to R70 SPLAT logging problem
>>
>> Hi,
>> thanks for the advice but I have to do the fix by myself, I can't hire
>> someone for this. Let me explain the situation more simply.
>>
>> I have an R70 SPLAT box and a UTM-1 Edge box (7.5.5 firmware). I
>> want to connect and manage the edge from R70.
>> But the edge is not sending logs to the R70, I can't see them on
>> SmartView Tracker. My edge logs seem to be lost. That's the problem.
>> Regards
>>
>> 2010/9/29, Hugo van der Kooij <[email protected]>:
>>> On Wed, 29 Sep 2010 16:57:55 +0300, a bv <[email protected]> wrote:
>>>> Which parts of my mail came non-understandable to you? Then let me
>>>> explain again.
>>>
>>> Well just about everything? And on a mailing list like this if it is
>>> hard to read I lose all interest. I simply can't be bothered to invest
>>> my own time into translation issues.
>>>
>>> As no one else answered the question as well my advice remains to
>>> actually pay for someone to make this work. If there is a business need
>>> then there is a valid reason to hire someone to do the job.
>>>
>>> Hugo.
>>>
>>> --
>>> [email protected] http://hugo.vanderkooij.org/
>>> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>>>
>>> Scanned by Check Point Total Security Gateway.
>>>
>>> =================================================
>>> To set vacation, Out-Of-Office, or away messages,
>>> send an email to [email protected]
>>> in the BODY of the email add:
>>> set fw-1-mailinglist nomail
>>> =================================================
>>> To unsubscribe from this mailing list,
>>> please see the instructions at
>>> http://www.checkpoint.com/services/mailing.html
>>> =================================================
>>> If you have any questions on how to change your
>>> subscription options, email
>>> [email protected]
>>> =================================================
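Steps 3, 7 and 8 of the quoted procedure (port 257 listener, established log connection to the management station versus to localhost, and the [Log] entry of the masters file) as an added example that is not from any post in this thread: a POSIX shell script that applies those checks to netstat -an output and a masters file read from stdin, so it can be run offline against captured output. The sample data is constructed; the hostname "fwmgmt" is an assumption, and 10.1.1.13 is the management-station IP from the thread's own netstat example.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for steps 3, 7 and 8 of the quoted
# procedure. Sample data is constructed; "fwmgmt" is an assumed hostname, 10.1.1.13 the
# management-station IP used in the thread's own example.
# Constructed "netstat -an" output as seen on a firewall module (6-column layout).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:257 0.0.0.0:* LISTEN
tcp 0 0 10.1.1.2:2085 10.1.1.13:257 ESTABLISHED
tcp 0 0 127.0.0.1:4001 127.0.0.1:257 ESTABLISHED'

# Constructed $FWDIR/conf/masters content.
SAMPLE_MASTERS='[Policy]
fwmgmt
[Log]
fwmgmt
[Alert]
fwmgmt'

# Print the hosts listed under one section (e.g. Log) of a masters file read on stdin.
masters_section() {
  awk -v want="[$1]" '
    /^\[/       { insec = ($0 == want); next }
    insec && NF { print $1 }'
}

# Classify port-257 entries of "netstat -an" (stdin) relative to the management station
# IP in $1; handles "ip:port" (Linux/SPLAT) and "ip.port" (IPSO) forms. Prints one word
# per line: listen, ms (log connection to the MS), local (step 7: logging to itself), or other:<peer>.
classify_log_conns() {
  awk -v ms="$1" '
    $1 !~ /^tcp/ { next }
    $NF == "LISTEN" && $4 ~ /[.:]257$/ { print "listen"; next }
    $NF == "ESTABLISHED" && $5 ~ /[.:]257$/ {
      peer = $5; sub(/[.:]257$/, "", peer)
      if (peer == "127.0.0.1") print "local"
      else if (peer == ms) print "ms"
      else print "other:" peer
    }'
}

# Reduce the classification to one verdict: OK, LOCAL_ONLY or NO_LOG_CONN.
log_verdict() {
  classify_log_conns "$1" | awk '
    $1 == "ms"    { ok = 1 }
    $1 == "local" { loc = 1 }
    END { if (ok) print "OK"; else if (loc) print "LOCAL_ONLY"; else print "NO_LOG_CONN" }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | log_verdict 10.1.1.13
printf '%s\n' "$SAMPLE_MASTERS" | masters_section Log
```

On a real module you would pipe `netstat -an` and `cat $FWDIR/conf/masters` into these functions instead of the constructed samples; a LOCAL_ONLY verdict is the symptom step 7 describes, and a [Log] host that is not the management station or log server is the case step 8 tells you to correct.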
