Hi, in SmartDashboard, on the dedicated policy file, I see meaningful rules, all set to log. So what can be the problem? On the Edge's shell the updatenow command says success. Is the policy truly applied? If so, why don't the logs for those rules appear?
Regards

2010/10/1 Steve Baker <[email protected]>:
> Are you actually logging allowed traffic?
>
> On Fri, Oct 1, 2010 at 2:27 PM, a bv <[email protected]> wrote:
>>
>> It may be foolish, but after all I ran the smsstart command on R70
>> SPLAT and started to see some logs in SmartView Tracker. But all the
>> logs are dropped and broadcast traffic?
>>
>> 2010/10/1, Steve Baker <[email protected]>:
>> > Is the SmartCenter server traffic being NATted? Or behind a NAT? If so, I
>> > would look at SecureKnowledge as there are several articles that describe
>> > how to handle SmartCenter Management and Log traffic that is behind a NAT.
>> >
>> >> On Wed, Sep 29, 2010 at 6:13 PM, a bv <[email protected]> wrote:
>> >>
>> >>> I also connected to the Edge's shell by ssh and tried the updatenow command.
>> >>> I looked at the logs from the shell again and see below:
>> >>>
>> >>> 15023 Warning: Connection to the Service Center has failed.
>> >>>
>> >>> Also, when I look at the web UI of the Edge, at the events I only see red
>> >>> logs saying antispoofing between LAN IPs, but when I look at the connections
>> >>> tab I see regular http and dns connections, which this line is for.
>> >>>
>> >>> 2010/9/30, a bv <[email protected]>:
>> >>> > 2010/9/30, Warrington Bruce - bwarri <[email protected]>:
>> >>> >> I don't believe this applies in his case. This is for normal Checkpoint
>> >>> >> firewalls, whereas Edge devices are re-branded Sofaware appliances with
>> >>> >> a Checkpoint logo. The ports used, the way policy is applied from your
>> >>> >> SmartCenter server, and other details differ with the Edge devices. You
>> >>> >> also don't have any of the directories and files listed below for the
>> >>> >> enforcement point when working on the Edge firmware.
>> >>> >>
>> >>> >> I only have R65 & 8.x Edge firmware running, and it's a totally
>> >>> >> different model. Someone correct me if this now works completely
>> >>> >> differently at R70 and the latest Edge firmware.
>> >>> >>
>> >>> >> -----Original Message-----
>> >>> >> From: Mailing list for discussion of Firewall-1
>> >>> >> [mailto:[email protected]] On Behalf Of Gustavo Rocha de Andrade
>> >>> >> Sent: Wednesday, September 29, 2010 12:53
>> >>> >> To: [email protected]
>> >>> >> Subject: [FW-1] RES: [FW-1] Utmedge connected to R70 SPLAT logging problem
>> >>> >>
>> >>> >> Hi,
>> >>> >>
>> >>> >> I think the procedures below should assist you.
>> >>> >>
>> >>> >> Problem
>> >>> >>
>> >>> >> At times the management station can stop receiving logs from the
>> >>> >> firewalls. As a result, the firewall, or firewalls, will begin to log
>> >>> >> locally when they cannot communicate with the Management station; this
>> >>> >> can consume hard drive space at a rate dependent on the amount of
>> >>> >> logging taking place. Below are some very practical troubleshooting
>> >>> >> procedures that have proven very effective in resolving a wide variety
>> >>> >> of logging issues.
>> >>> >>
>> >>> >> 1) Management Server is both a Management station and an Enforcement Point
>> >>> >> Ensure that the management station was not installed as a combination of
>> >>> >> both a firewall/management station. This incorrect installation will
>> >>> >> block logs being sent to the management station.
>> >>> >>
>> >>> >> Run the following command:
>> >>> >>
>> >>> >> cpprod_util FwIsFireWallModule
>> >>> >>
>> >>> >> The output will be 1 or 0.
>> >>> >> If it is 1, then you have inadvertently installed the management station
>> >>> >> as a firewall. The next step is to unload the policy from the Management
>> >>> >> Station:
>> >>> >>
>> >>> >> fw unloadlocal
>> >>> >>
>> >>> >> After which, you will run the following command to ensure the Management
>> >>> >> Station is just that and not a firewall:
>> >>> >>
>> >>> >> cpprod_util FwSetFireWallModule 0
>> >>> >>
>> >>> >> Finally, reboot the management station.
>> >>> >>
>> >>> >> 2) Reinstall the Database
>> >>> >> The Management station and its database may be out of sync. Try to
>> >>> >> install the database on the Management station: go to Policy > Install
>> >>> >> Database > and select the Management station object, and then push the
>> >>> >> policy to the firewalls.
>> >>> >>
>> >>> >> 3) Management Station is not Listening for Logs
>> >>> >> On the Management station issue the command netstat -na and ensure that
>> >>> >> it is listening on port 257, which is the logging port for Check Point.
>> >>> >> Issuing netstat -na from the management station should show something
>> >>> >> similar to the example below:
>> >>> >>
>> >>> >> TCP 10.1.1.13:257 10.1.1.2:2085 ESTABLISHED
>> >>> >> TCP 10.1.1.13:257 10.1.1.3:1133 ESTABLISHED
>> >>> >>
>> >>> >> Here, we see that the management station, 10.1.1.13, is listening for
>> >>> >> logs from both firewalls, 10.1.1.2 and 10.1.1.3, respectively.
>> >>> >>
>> >>> >> Also, issuing netstat -na on the firewall should show the following:
>> >>> >>
>> >>> >> tcp 0 0 10.1.1.2.2085 10.1.1.13.257 ESTABLISHED
>> >>> >>
>> >>> >> Please note: The above examples depict two firewalls where logging has
>> >>> >> been established. Upon initiation the management station and firewalls
>> >>> >> should be in a LISTENING state.
>> >>> >>
>> >>> >> 4) Checking Network Connectivity
>> >>> >> Can you ping the management station from the firewall? If this fails,
>> >>> >> and your rules allow for this, then it is most likely a routing issue.
>> >>> >> You can either have an explicit rule for ICMP between the management and
>> >>> >> firewalls or you can perform the following:
>> >>> >>
>> >>> >> Policy > Global Properties > Firewall 1 > Accept ICMP requests
>> >>> >> Here, ensure the option is checked and set it before last.
>> >>> >>
>> >>> >> Can you ping the firewall from the management station (rules must allow
>> >>> >> for this, see above)? If this fails, and your rules allow for this, then
>> >>> >> it is most likely a routing issue.
>> >>> >>
>> >>> >> 5) Pushing Policy
>> >>> >> Can you push policy from the management station or fetch policy from the
>> >>> >> module? If you cannot push or fetch policy then check the SIC status
>> >>> >> between the Management station and the enforcement module. You might
>> >>> >> have to re-establish it. Commands for fetching the policy from the
>> >>> >> management station:
>> >>> >>
>> >>> >> fw fetch hostname_of_MS
>> >>> >> or
>> >>> >> fw fetch IP_Addr_of_MS
>> >>> >>
>> >>> >> 6) Check the Log Server Settings
>> >>> >> Within the SmartCenter server check the log settings on the firewall
>> >>> >> object and make sure the log server is set to the management station or
>> >>> >> the log server you are using. How to check this:
>> >>> >>
>> >>> >> FireWall Object > Logging > Logs and Masters > Log Servers
>> >>> >>
>> >>> >> 7) Check that logs are being sent
>> >>> >> Check to see if the fw.log file is growing on the module. It should be
>> >>> >> if the logs are not going to the management station.
>> >>> >>
>> >>> >> On the firewall enforcement point:
>> >>> >>
>> >>> >> cd $FWDIR/log
>> >>> >> ls -la
>> >>> >>
>> >>> >> or issue the following command:
>> >>> >>
>> >>> >> netstat -an | grep 257
>> >>> >>
>> >>> >> The above command will show that the connection is established but the
>> >>> >> destination is the localhost of the firewall and not the management
>> >>> >> station and/or log server IP.
>> >>> >>
>> >>> >> 8) Verify the %FWDIR/conf/masters file
>> >>> >> Check the masters file. The hostname or IP address of the management
>> >>> >> station/log server should be listed in there. It should look like this:
>> >>> >>
>> >>> >> nokia[admin]# cat $FWDIR/conf/masters
>> >>> >> [Policy]
>> >>> >> hostname_of_FW
>> >>> >> [Log]
>> >>> >> hostname_of_FW
>> >>> >> [Alert]
>> >>> >> hostname_of_FW
>> >>> >>
>> >>> >> If the IP or name within the masters file does not correspond to the
>> >>> >> name or IP of the management station or log server, you must correct this
>> >>> >> via the VI utility within IPSO. Please refer to Resolution 14403: A
>> >>> >> reference guide for the VI editor on how to use VI.
>> >>> >>
>> >>> >> 9) Use tcpdump to verify the network connection
>> >>> >> Run a tcpdump on the firewall listening for port 257 on the interface
>> >>> >> facing the management station. This will confirm whether the firewall is
>> >>> >> attempting to send logs to the management station.
>> >>> >>
>> >>> >> tcpdump -i eth-facing-MS port 257
>> >>> >>
>> >>> >> You should see log traffic leaving the firewall and heading to the IP
>> >>> >> address of the management station/log server.
>> >>> >>
>> >>> >> Note: For further explanation of tcpdump please refer to Resolution 330:
>> >>> >> How do I use tcpdump?
>> >>> >>
>> >>> >> 10) Try a log switch
>> >>> >> Perform a log switch on the management station and reboot the management
>> >>> >> station. If the log switch does not work, move all contents of the log
>> >>> >> directory (do not move the directory) to a temp folder outside of the
>> >>> >> log directory. After reboot see if logs start again.
>> >>> >>
>> >>> >> 11) Remove potentially corrupted files
>> >>> >> Delete all the $FWDIR/log files and $FWDIR/state directory files on the
>> >>> >> firewall. You can perform this by accessing the above directories and
>> >>> >> issuing the following command: rm *.*. After which you will have to
>> >>> >> reboot the firewall. Once you have deleted the files within the
>> >>> >> directory please reboot the firewall (delete only the files and not the
>> >>> >> directory).
>> >>> >>
>> >>> >> ________________________________________
>> >>> >> From: Mailing list for discussion of Firewall-1
>> >>> >> [[email protected]] on behalf of a bv [[email protected]]
>> >>> >> Sent: Wednesday, 29 September 2010 13:46
>> >>> >> To: [email protected]
>> >>> >> Subject: Re: [FW-1] Utmedge connected to R70 SPLAT logging problem
>> >>> >>
>> >>> >> Hi,
>> >>> >> thanks for the advice, but I have to do the fix by myself; I can't hire
>> >>> >> someone for this. Let me explain the situation more simply.
>> >>> >>
>> >>> >> I have an R70 SPLAT box and a UTM-1 Edge box (7.5.5 firmware). I want to
>> >>> >> connect and manage the Edge from R70. But the Edge is not sending logs to
>> >>> >> the R70; I can't see them in SmartView Tracker. My Edge logs seem to be
>> >>> >> lost. That's the problem.
>> >>> >> Regards
>> >>> >>
>> >>> >> 2010/9/29, Hugo van der Kooij <[email protected]>:
>> >>> >>> On Wed, 29 Sep 2010 16:57:55 +0300, a bv <[email protected]> wrote:
>> >>> >>>> Which parts of my mail came across as non-understandable to you? Then
>> >>> >>>> let me explain again.
>> >>> >>>
>> >>> >>> Well, just about everything? And on a mailing list like this, if it is
>> >>> >>> hard to read I lose all interest; I simply can't be bothered to invest
>> >>> >>> my own time into translation issues.
>> >>> >>>
>> >>> >>> As no one else answered the question as well, my advice remains to
>> >>> >>> actually pay for someone to make this work. If there is a business need
>> >>> >>> then there is a valid reason to hire someone to do the job.
>> >>> >>>
>> >>> >>> Hugo.
>> >>> >>>
>> >>> >>> --
>> >>> >>> [email protected] http://hugo.vanderkooij.org/
>> >>> >>> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
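The netstat check in step 3 and the masters-file check in step 8 of the forwarded procedure, written out as an added Python example; this is not code from the thread or from Check Point. The netstat lines, IPs and the hostname mgmt.example.internal are constructed samples, and the functions accept both the host:port form shown for the management station and the IPSO host.port form shown for the firewall.

```python
"""Steps 3 and 8 of the forwarded procedure as code; all sample data is constructed."""

# Constructed `netstat -na` excerpt from a management station (host:port form).
SAMPLE_NETSTAT = """\
TCP 10.1.1.13:257 0.0.0.0:0 LISTENING
TCP 10.1.1.13:257 10.1.1.2:2085 ESTABLISHED
TCP 10.1.1.13:257 10.1.1.3:1133 ESTABLISHED
TCP 10.1.1.13:18191 10.1.1.2:1050 ESTABLISHED
"""

# Constructed masters file; the hostname is a placeholder.
SAMPLE_MASTERS = """\
[Policy]
mgmt.example.internal
[Log]
mgmt.example.internal
[Alert]
mgmt.example.internal
"""

def _split_endpoint(token):
    """Split 'host:port' (Windows/Linux) or 'host.port' (IPSO) into (host, port)."""
    host, _, port = token.rpartition(":" if ":" in token else ".")
    return host, port

def log_port_state(netstat_text, port=257):
    """Step 3: return (listening, peers) for the log port from `netstat -na` output."""
    listening, peers = False, []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue
        local, remote, state = parts[-3], parts[-2], parts[-1].upper()
        if _split_endpoint(local)[1] != str(port):
            continue  # other services (SIC, CPD, ...) are not log traffic
        if state in ("LISTENING", "LISTEN"):
            listening = True
        elif state == "ESTABLISHED":
            peers.append(_split_endpoint(remote)[0])
    return listening, peers

def masters_sections(masters_text):
    """Parse the masters file into {section_name: [hosts]}."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, masters_text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def log_target_ok(masters_text, expected):
    """Step 8: True if the expected log server name/IP is listed under [Log]."""
    return expected in masters_sections(masters_text).get("Log", [])
```

Running log_port_state over the management station's netstat output tells you whether port 257 is open and which gateways have actually connected; log_target_ok flags a masters file whose [Log] section points somewhere other than the expected log server.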
