Hi, Sir, I just wanted to say that your reply was truly awesome. I'm saving it in case we ever experience the problem that the original poster describes.
Good Work!

Kim

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Gustavo Rocha de Andrade
Sent: Wednesday, September 29, 2010 12:53 PM
To: [email protected]
Subject: [FW-1] RES: [FW-1] Utmedge connected to R70 SPLAT logging problem

Hi,

I think the procedures below should assist you.

Problem

At times the management station can stop receiving logs from the firewalls. As a result, the firewall, or firewalls, will begin to log locally when they cannot communicate with the management station; this can consume hard drive space at a rate dependent on the amount of logging taking place. Below are some very practical troubleshooting procedures that have proven very effective in resolving a wide variety of logging issues.

1) Management Server is both a Management station and an Enforcement Point

Ensure that the management station was not installed as a combination of both a firewall/management station. This incorrect installation will block logs being sent to the management station. Run the following command:

    cpprod_util FwIsFireWallModule

The output will be 1 or 0. If it is 1, then you have inadvertently installed the management station as a firewall. The next step is to unload the policy from the Management Station:

    fw unloadlocal

After which, you will run the following command to ensure the Management Station is just that and not a firewall:

    cpprod_util FwSetFireWallModule 0

Finally, reboot the management station.

2) Reinstall the Database

The Management station and its database may be out of sync. Try to install the database on the Management station: go to Policy > Install Database, select the Management station object, and then push the policy to the firewalls.

3) Management Station is not Listening for Logs

On the Management station issue the command netstat -na and ensure that it is listening on port 257, which is the logging port for Check Point.

Issuing netstat -na from the management station should show something similar to the example below:

    TCP 10.1.1.13:257 10.1.1.2:2085 ESTABLISHED
    TCP 10.1.1.13:257 10.1.1.3:1133 ESTABLISHED

Here, we see that the management station, 10.1.1.13, is listening for logs from both firewalls, 10.1.1.2 and 10.1.1.3, respectively.

Also, issuing netstat -na on the firewall should show the following:

    tcp 0 0 10.1.1.2.2085 10.1.1.13.257 ESTABLISHED

Please note: The above examples depict two firewalls where logging has been established. Upon initiation the management station and firewalls should be in a LISTENING state.

4) Checking Network Connectivity

Can you ping the management station from the firewall? If this fails, and your rules allow for this, then it is most likely a routing issue. You can either have an explicit rule for ICMP between the management and firewalls or you can perform the following: Policy > Global Properties > Firewall 1 > Accept ICMP requests. Here, ensure the option is checked and set it before last.

Can you ping the firewall from the management station (rules must allow for this, see above)? If this fails, and your rules allow for this, then it is most likely a routing issue.

5) Pushing Policy

Can you push policy from the management station or fetch policy from the module? If you cannot push or fetch policy then check the SIC status between the Management station and the enforcement module. You might have to re-establish it. Commands for fetching the policy from the management station:

    fw fetch hostname_of_MS
or
    fw fetch IP_Addr_of_MS

6) Check the Log Server Settings

Within the SmartCenter server check the log settings on the firewall object and make sure the log server is set to the management station or the log server you are using. How to check this: FireWall Object > Logging > Logs and Masters > Log Servers

7) Check that logs are being sent

Check to see if the fw.log file is growing on the module. It should be if the logs are not going to the management station. On the firewall enforcement point:

    cd $FWDIR/log
    ls -la

or issue the following command:

    netstat -an | grep 257

The above command will show that the connection is established but the destination is the localhost of the firewall and not the management station and/or log server IP.

8) Verify the $FWDIR/conf/masters file

Check the masters file. The hostname or IP address of the management station/log server should be listed in there. It should look like this:

    nokia[admin]# cat $FWDIR/conf/masters
    [Policy]
    hostname_of_FW
    [Log]
    hostname_of_FW
    [Alert]
    hostname_of_FW

If the IP or name within the masters file does not correspond to the name or IP of the management station or log server, you must correct this via the vi utility within IPSO. Please refer to Resolution 14403: A reference guide for the VI editor on how to use vi.

9) Use tcpdump to verify the network connection

Run a tcpdump on the firewall listening for port 257 on the interface facing the management station. This will confirm whether the firewall is attempting to send logs to the management station.

    tcpdump -i eth-facing-MS port 257

You should see log traffic leaving the firewall and heading to the IP address of the management station/log server.

Note: For further explanation of tcpdump please refer to Resolution 330: How do I use tcpdump?

10) Try a log switch

Perform a log switch on the management station and reboot the management station. If the log switch does not work, move all contents of the log directory (do not move the directory) to a temp folder outside of the log directory. After reboot see if logs start again.

11) Remove potentially corrupted files

Delete all the $FWDIR/log files and $FWDIR/state directory files on the firewall. You can perform this by accessing the above directories and issuing the following command: rm *.*. After which you will have to reboot the firewall. Once you have deleted the files within the directory please reboot the firewall (delete only the files and not the directory).

________________________________________
From: Mailing list for discussion of Firewall-1 [[email protected]] On Behalf Of a bv [[email protected]]
Sent: Wednesday, September 29, 2010 1:46 PM
To: [email protected]
Subject: Re: [FW-1] Utmedge connected to R70 SPLAT logging problem

Hi, thanks for the advice but I have to do the fix by myself; I can't hire someone for this. Let me explain the situation more simply. I have an R70 SPLAT box and a UTM-1 Edge box (7.5.5 firmware). I want to connect and manage the Edge from R70. But the Edge is not sending logs to the R70; I can't see them in SmartView Tracker. My Edge logs seem to be lost. That's the problem.

Regards

2010/9/29, Hugo van der Kooij <[email protected]>:
> On Wed, 29 Sep 2010 16:57:55 +0300, a bv <[email protected]> wrote:
>> Which parts of my mail came non-understandable to you? Then let me
>> explain again.
>
> Well just about everything? And on a mailinglist like this, if it is hard
> to read I lose all interest. I simply can't be bothered to invest my own
> time into translation issues.
>
> As no one else answered the question as well, my advice remains to actually
> pay for someone to make this work. If there is a business need then there
> is a valid reason to hire someone to do the job.
>
> Hugo.
>
> --
> [email protected] http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> Scanned by Check Point Total Security Gateway.
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> > Scanned by Check Point Total Security Gateway.
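As an added example that is not part of the thread above and not Check Point's own tooling, the POSIX shell script below automates steps 3, 7 and 8 of Gustavo's procedure on the gateway side: it reads the [Log] section of $FWDIR/conf/masters, finds every ESTABLISHED TCP session to remote port 257 in `netstat -an` output (both the SPLAT "host:port" and the IPSO "host.port" notation seen in the thread), and reports whether logs are flowing to a listed log server, are only being written locally (a port-257 session to the gateway's own loopback), or are not being sent at all. All addresses, the masters file and the netstat output embedded in it are constructed samples; the comparison of masters entries against netstat peers is literal, so a masters file holding a hostname must be resolved first (an assumption of this example).

```shell
#!/bin/sh
# Added example, not from the thread: decide where a gateway's logs are going
# from its $FWDIR/conf/masters file and its `netstat -an` output.
# Everything below the comments is constructed sample data for illustration.

MASTERS_SAMPLE='[Policy]
10.1.1.13
[Log]
10.1.1.13
[Alert]
10.1.1.13'

# Healthy SPLAT gateway: one session to the management station's log port
# (Linux "host:port" notation).
NETSTAT_OK='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:18211           0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.2:2085           10.1.1.13:257           ESTABLISHED'

# The same healthy gateway as IPSO prints it ("host.port" notation).
NETSTAT_IPSO='tcp 0 0 10.1.1.2.2085 10.1.1.13.257 ESTABLISHED'

# Gateway that has lost the management station: the only port-257 session is
# to its own loopback, so fw.log keeps growing on the box (step 7).
NETSTAT_LOCAL='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:257           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:35021         127.0.0.1:257           ESTABLISHED'

# Print the hosts listed under the [Log] section of a masters file, one per line.
masters_log_hosts() {
    printf '%s\n' "$1" | awk '
        /^\[/        { in_log = ($0 == "[Log]"); next }
        in_log && NF { print $1 }'
}

# Print the peer host of every ESTABLISHED TCP session whose remote port is
# 257. Accepts both "host:port" (SPLAT/Linux) and "host.port" (IPSO) forms.
log_peers() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            peer = $5
            if (peer ~ /:[0-9]+$/) { n = split(peer, a, ":"); sub(/:[0-9]+$/, "", peer) }
            else                   { n = split(peer, a, "."); sub(/\.[0-9]+$/, "", peer) }
            if (a[n] == "257") print peer
        }'
}

# Return 0 if a port-257 session exists to a host listed under [Log];
# 1 if port-257 sessions exist but none reaches a listed host (typically
# 127.0.0.1: the gateway is logging locally); 2 if there is no port-257
# session at all (routing, rule or SIC problem: see steps 4, 5 and 9).
# Assumption: the comparison is literal, so resolve hostnames in masters first.
log_path_status() {
    _peers=$(log_peers "$2")
    [ -n "$_peers" ] || return 2
    for _host in $(masters_log_hosts "$1"); do
        for _peer in $_peers; do
            [ "$_peer" = "$_host" ] && return 0
        done
    done
    return 1
}

# Human-readable verdict; always returns 0 so it is safe under `set -e`.
report() {
    _rc=0
    log_path_status "$1" "$2" || _rc=$?
    case $_rc in
        0) echo "OK: log session established to a [Log] host" ;;
        1) echo "WARN: port-257 session(s) only to: $(log_peers "$2" | tr '\n' ' ')- logging locally, check [Log] in masters and SIC" ;;
        2) echo "WARN: no ESTABLISHED port-257 session - check routing/rules (tcpdump port 257)" ;;
    esac
}

# Demo on the constructed samples. On a real gateway run instead:
#   report "$(cat "$FWDIR/conf/masters")" "$(netstat -an)"
report "$MASTERS_SAMPLE" "$NETSTAT_OK"
report "$MASTERS_SAMPLE" "$NETSTAT_IPSO"
report "$MASTERS_SAMPLE" "$NETSTAT_LOCAL"
```

Run it on the gateway itself (SPLAT or IPSO) where the masters file and netstat are local; a status of 1 is the "established, but to localhost" symptom step 7 describes, and a status of 2 is the point at which the tcpdump in step 9 tells you whether the gateway is even trying to reach the management station.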
