And still the situation keeps its urgency and remains a problem.

Regards

2010/10/11 a bv <[email protected]>:
> Hi,
>
> At the SmartDashboard, on the dedicated policy file, I see meaningful
> rules, all set to log. So what can be the problem? On the Edge's shell
> the updatenow command says success. Is the policy truly applied? If so,
> why don't logs according to those rules appear?
>
> Regards
>
> 2010/10/1 Steve Baker <[email protected]>:
>> Are you actually logging allowed traffic?
>>
>> On Fri, Oct 1, 2010 at 2:27 PM, a bv <[email protected]> wrote:
>>>
>>> It may be foolish, but after all I ran the smsstart command on R70
>>> SPLAT and started to see some logs at SmartView Tracker. But all the
>>> logs are dropped and broadcast traffic. ?
>>>
>>> 2010/10/1, Steve Baker <[email protected]>:
>>>> Is the SmartCenter server traffic being NATted? Or behind a NAT? If so,
>>>> I would look at SecureKnowledge as there are several articles that
>>>> describe how to handle SmartCenter Management and Log traffic that is
>>>> behind a NAT.
>>>>
>>>>> On Wed, Sep 29, 2010 at 6:13 PM, a bv <[email protected]> wrote:
>>>>>
>>>>>> I also connected to the Edge's shell by ssh and tried the updatenow
>>>>>> command. I looked at the logs from the shell again and see below:
>>>>>>
>>>>>> 15023 Warning: Connection to the Service Center has failed.
>>>>>>
>>>>>> Also, when I look at the web UI of the Edge, at the events I only see
>>>>>> red logs saying antispoofing between LAN IPs, but when I look at the
>>>>>> connections tab I see regular http and dns connections, which this
>>>>>> line is for.
>>>>>>
>>>>>> 2010/9/30, a bv <[email protected]>:
>>>>>>> I also connected to the Edge's shell by ssh and tried the updatenow
>>>>>>> command. I looked at the logs from the shell again and see below:
>>>>>>>
>>>>>>> 15023 Warning: Connection to the Service Center has failed.
>>>>>>>
>>>>>>> Also, when I look at the web UI of the Edge, at the events I only see
>>>>>>> red logs saying antispoofing between LAN IPs, but when I look at the
>>>>>>> connections tab I see regular http and dns connections, which this
>>>>>>> line is for.
>>>>>>>
>>>>>>> 2010/9/30, Warrington Bruce - bwarri <[email protected]>:
>>>>>>>> I don't believe this applies in his case. This is for normal
>>>>>>>> Check Point firewalls, whereas Edge devices are re-branded SofaWare
>>>>>>>> appliances with a Check Point logo. The ports used, the way policy
>>>>>>>> is applied from your SmartCenter server, and other details differ
>>>>>>>> with the Edge devices. You also don't have any of the directories
>>>>>>>> and files listed below for the enforcement point when working on
>>>>>>>> the Edge firmware.
>>>>>>>>
>>>>>>>> I only have R65 & 8.x Edge firmware running, and it's a totally
>>>>>>>> different model. Someone correct me if this now works completely
>>>>>>>> differently at R70 and the latest Edge firmware.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Mailing list for discussion of Firewall-1
>>>>>>>> [mailto:[email protected]] On Behalf Of Gustavo Rocha de Andrade
>>>>>>>> Sent: Wednesday, September 29, 2010 12:53
>>>>>>>> To: [email protected]
>>>>>>>> Subject: [FW-1] RES: [FW-1] Utmedge connected to R70 SPLAT logging problem
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I think the procedures below should assist you.
>>>>>>>>
>>>>>>>> Problem
>>>>>>>>
>>>>>>>> At times the management station can stop receiving logs from the
>>>>>>>> firewalls. As a result, the firewall, or firewalls, will begin to
>>>>>>>> log locally when it cannot communicate with the management station;
>>>>>>>> this can consume hard drive space at a rate dependent on the amount
>>>>>>>> of logging taking place. Below are some very practical
>>>>>>>> troubleshooting procedures that have proven very effective in
>>>>>>>> resolving a wide variety of logging issues.
>>>>>>>>
>>>>>>>> 1) Management Server is both a Management station and an Enforcement Point
>>>>>>>> Ensure that the management station was not installed as a
>>>>>>>> combination of both a firewall/management station. This incorrect
>>>>>>>> installation will block logs being sent to the management station.
>>>>>>>>
>>>>>>>> Run the following command:
>>>>>>>>
>>>>>>>> cpprod_util FwIsFireWallModule
>>>>>>>>
>>>>>>>> The output will be 1 or 0. If it is 1, then you have inadvertently
>>>>>>>> installed the management station as a firewall. The next step is to
>>>>>>>> unload the policy from the Management Station:
>>>>>>>>
>>>>>>>> fw unloadlocal
>>>>>>>>
>>>>>>>> After which, you will run the following command to ensure the
>>>>>>>> Management Station is just that and not a firewall:
>>>>>>>>
>>>>>>>> cpprod_util FwSetFireWallModule 0
>>>>>>>>
>>>>>>>> Finally, reboot the management station.
>>>>>>>>
>>>>>>>> 2) Reinstall the Database
>>>>>>>> The Management station and its database may be out of sync. Try to
>>>>>>>> install the database on the Management station: go to Policy >
>>>>>>>> Install Database > and select the Management station object, and
>>>>>>>> then push the policy to the firewalls.
>>>>>>>>
>>>>>>>> 3) Management Station is not Listening for Logs
>>>>>>>> On the Management station issue the command netstat -na and ensure
>>>>>>>> that it is listening on port 257, which is the logging port for
>>>>>>>> Check Point. Issuing netstat -na from the management station should
>>>>>>>> show something similar to the example below:
>>>>>>>>
>>>>>>>> TCP 10.1.1.13:257 10.1.1.2:2085 ESTABLISHED
>>>>>>>> TCP 10.1.1.13:257 10.1.1.3:1133 ESTABLISHED
>>>>>>>>
>>>>>>>> Here, we see that the management station, 10.1.1.13, is listening
>>>>>>>> for logs from both firewalls, 10.1.1.2 and 10.1.1.3, respectively.
>>>>>>>>
>>>>>>>> Also, issuing netstat -na on the firewall should show the following:
>>>>>>>>
>>>>>>>> tcp 0 0 10.1.1.2.2085 10.1.1.13.257 ESTABLISHED
>>>>>>>>
>>>>>>>> Please note: The above examples depict two firewalls where logging
>>>>>>>> has been established. Upon initiation the management station and
>>>>>>>> firewalls should be in a LISTENING state.
>>>>>>>>
>>>>>>>> 4) Checking Network Connectivity
>>>>>>>> Can you ping the management station from the firewall? If this
>>>>>>>> fails, and your rules allow for this, then it is most likely a
>>>>>>>> routing issue. You can either have an explicit rule for ICMP
>>>>>>>> between the management and firewalls or you can perform the
>>>>>>>> following:
>>>>>>>>
>>>>>>>> Policy > Global Properties > Firewall 1 > Accept ICMP requests
>>>>>>>> Here, ensure the option is checked and set it to before last.
>>>>>>>>
>>>>>>>> Can you ping the firewall from the management station (rules must
>>>>>>>> allow for this, see above)? If this fails, and your rules allow for
>>>>>>>> this, then it is most likely a routing issue.
>>>>>>>>
>>>>>>>> 5) Pushing Policy
>>>>>>>> Can you push policy from the management station or fetch policy
>>>>>>>> from the module? If you cannot push or fetch policy then check the
>>>>>>>> SIC status between the Management station and the enforcement
>>>>>>>> module. You might have to re-establish it. Commands for fetching
>>>>>>>> the policy from the management station:
>>>>>>>>
>>>>>>>> fw fetch hostname_of_MS
>>>>>>>> or
>>>>>>>> fw fetch IP_Addr_of_MS
>>>>>>>>
>>>>>>>> 6) Check the Log Server Settings
>>>>>>>> Within the SmartCenter server check the log settings on the
>>>>>>>> firewall object and make sure the log server is set to the
>>>>>>>> management station or the log server you are using. How to check
>>>>>>>> this:
>>>>>>>>
>>>>>>>> FireWall Object > Logging > Logs and Masters > Log Servers
>>>>>>>>
>>>>>>>> 7) Check that logs are being sent
>>>>>>>> Check to see if the fw.log file is growing on the module. It should
>>>>>>>> be if the logs are not going to the management station.
>>>>>>>>
>>>>>>>> On the firewall enforcement point:
>>>>>>>>
>>>>>>>> cd $FWDIR/log
>>>>>>>> ls -la
>>>>>>>>
>>>>>>>> or issue the following command:
>>>>>>>>
>>>>>>>> netstat -an | grep 257
>>>>>>>>
>>>>>>>> The above command will show that the connection is established but
>>>>>>>> the destination is the localhost of the firewall and not the
>>>>>>>> management station and/or log server IP.
>>>>>>>>
>>>>>>>> 8) Verify the $FWDIR/conf/masters file
>>>>>>>> Check the masters file. The hostname or IP address of the
>>>>>>>> management station/log server should be listed in there. It should
>>>>>>>> look like this:
>>>>>>>>
>>>>>>>> nokia[admin]# cat $FWDIR/conf/masters
>>>>>>>> [Policy]
>>>>>>>> hostname_of_FW
>>>>>>>> [Log]
>>>>>>>> hostname_of_FW
>>>>>>>> [Alert]
>>>>>>>> hostname_of_FW
>>>>>>>>
>>>>>>>> If the IP or name within the masters file does not correspond to
>>>>>>>> the name or IP of the management station or log server, you must
>>>>>>>> correct this via the vi utility within IPSO. Please refer to
>>>>>>>> Resolution 14403: A reference guide for the VI editor on how to use
>>>>>>>> vi.
>>>>>>>>
>>>>>>>> 9) Use tcpdump to verify the network connection
>>>>>>>> Run a tcpdump on the firewall listening for port 257 on the
>>>>>>>> interface facing the management station. This will confirm whether
>>>>>>>> the firewall is attempting to send logs to the management station.
>>>>>>>>
>>>>>>>> tcpdump -i eth-facing-MS port 257
>>>>>>>>
>>>>>>>> You should see log traffic leaving the firewall and heading to the
>>>>>>>> IP address of the management station/log server.
>>>>>>>>
>>>>>>>> Note: For further explanation of tcpdump please refer to Resolution
>>>>>>>> 330: How do I use tcpdump?
>>>>>>>>
>>>>>>>> 10) Try a log switch
>>>>>>>> Perform a log switch on the management station and reboot the
>>>>>>>> management station. If the log switch does not work, move all
>>>>>>>> contents of the log directory (do not move the directory) to a temp
>>>>>>>> folder outside of the log directory. After reboot see if logs start
>>>>>>>> again.
>>>>>>>>
>>>>>>>> 11) Remove potentially corrupted files
>>>>>>>> Delete all the $FWDIR/log files and $FWDIR/state directory files on
>>>>>>>> the firewall. You can perform this by accessing the above
>>>>>>>> directories and issuing the following command: rm *.*. After which
>>>>>>>> you will have to reboot the firewall. Once you have deleted the
>>>>>>>> files within the directory please reboot the firewall (delete only
>>>>>>>> the files and not the directory).
>>>>>>>>
>>>>>>>> ________________________________________
>>>>>>>> From: Mailing list for discussion of Firewall-1
>>>>>>>> [[email protected]] On Behalf Of a bv [[email protected]]
>>>>>>>> Sent: Wednesday, 29 September 2010 13:46
>>>>>>>> To: [email protected]
>>>>>>>> Subject: Re: [FW-1] Utmedge connected to R70 SPLAT logging problem
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> Thanks for the advice, but I have to do the fix by myself; I can't
>>>>>>>> hire someone for this. Let me explain the situation more simply.
>>>>>>>>
>>>>>>>> I have an R70 SPLAT box and a UTM-1 Edge box (7.5.5 firmware). I
>>>>>>>> want to connect and manage the Edge from R70. But the Edge is not
>>>>>>>> sending logs to the R70; I can't see them on SmartView Tracker. My
>>>>>>>> Edge logs seem to be lost. That's the problem.
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> 2010/9/29, Hugo van der Kooij <[email protected]>:
>>>>>>>>> On Wed, 29 Sep 2010 16:57:55 +0300, a bv <[email protected]> wrote:
>>>>>>>>>> Which parts of my mail came non-understandable to you? Then let
>>>>>>>>>> me explain again.
>>>>>>>>>
>>>>>>>>> Well, just about everything? And on a mailing list like this, if it
>>>>>>>>> is hard to read I lose all interest. I simply can't be bothered to
>>>>>>>>> invest my own time into translation issues.
>>>>>>>>>
>>>>>>>>> As no one else answered the question as well, my advice remains to
>>>>>>>>> actually pay for someone to make this work. If there is a business
>>>>>>>>> need then there is a valid reason to hire someone to do the job.
>>>>>>>>>
>>>>>>>>> Hugo.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> [email protected] http://hugo.vanderkooij.org/
>>>>>>>>> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>>> >>> >> >>> >>> >> ================================================= >>> >>> >> To set vacation, Out-Of-Office, or away messages, >>> >>> >> send an email to [email protected] >>> >>> >> in the BODY of the email add: >>> >>> >> set fw-1-mailinglist nomail >>> >>> >> ================================================= >>> >>> >> To unsubscribe from this mailing list, >>> >>> >> please see the instructions at >>> >>> >> http://www.checkpoint.com/services/mailing.html >>> >>> >> ================================================= >>> >>> >> If you have any questions on how to change your >>> >>> >> subscription options, email >>> >>> >> [email protected] >>> >>> >> ================================================= >>> >>> >> >>> >>> >> Scanned by Check Point Total Security Gateway. >>> >>> >> Scanned by Check Point Total Security Gateway. >>> >>> >> >>> >>> >> ================================================= >>> >>> >> To set vacation, Out-Of-Office, or away messages, >>> >>> >> send an email to [email protected] >>> >>> >> in the BODY of the email add: >>> >>> >> set fw-1-mailinglist nomail >>> >>> >> ================================================= >>> >>> >> To unsubscribe from this mailing list, >>> >>> >> please see the instructions at >>> >>> >> http://www.checkpoint.com/services/mailing.html >>> >>> >> ================================================= >>> >>> >> If you have any questions on how to change your >>> >>> >> subscription options, email >>> >>> >> [email protected] >>> >>> >> ================================================= >>> >>> >> >>> >>> >>> >>> *************************************************************************** >>> >>> >> The information contained in this communication is confidential, is >>> >>> >> intended only for the use of the recipient named above, and may be >>> >>> >> legally >>> >>> >> privileged. 
>>> >>> >> >>> >>> >> If the reader of this message is not the intended recipient, you >>> >>> >> are >>> >>> >> hereby notified that any dissemination, distribution or copying of >>> >>> >> this >>> >>> >> communication is strictly prohibited. >>> >>> >> >>> >>> >> If you have received this communication in error, please resend >>> >>> >> this >>> >>> >> communication to the sender and delete the original message or any >>> >>> >> copy >>> >>> >> of it from your computer system. >>> >>> >> >>> >>> >> Thank You. >>> >>> >> >>> >>> >>> >>> **************************************************************************** >>> >>> >> >>> >>> >> >>> >>> >> Scanned by Check Point Total Security Gateway. >>> >>> >> >>> >>> >> ================================================= >>> >>> >> To set vacation, Out-Of-Office, or away messages, >>> >>> >> send an email to [email protected] >>> >>> >> in the BODY of the email add: >>> >>> >> set fw-1-mailinglist nomail >>> >>> >> ================================================= >>> >>> >> To unsubscribe from this mailing list, >>> >>> >> please see the instructions at >>> >>> >> http://www.checkpoint.com/services/mailing.html >>> >>> >> ================================================= >>> >>> >> If you have any questions on how to change your >>> >>> >> subscription options, email >>> >>> >> [email protected] >>> >>> >> ================================================= >>> >>> >> >>> >>> > >>> >>> >>> >>> Scanned by Check Point Total Security Gateway. 
>>> >>> >>> >>> ================================================= >>> >>> To set vacation, Out-Of-Office, or away messages, >>> >>> send an email to [email protected] >>> >>> in the BODY of the email add: >>> >>> set fw-1-mailinglist nomail >>> >>> ================================================= >>> >>> To unsubscribe from this mailing list, >>> >>> please see the instructions at >>> >>> http://www.checkpoint.com/services/mailing.html >>> >>> ================================================= >>> >>> If you have any questions on how to change your >>> >>> subscription options, email >>> >>> [email protected] >>> >>> ================================================= >>> >>> >>> >> >>> >> >>> > >> >> >
Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
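The gateway-side checks in steps 3, 7 and 8 of the troubleshooting procedure quoted above (is the port-257 log session going to the management station or looping back to localhost, and does the masters file name the right log host) can be scripted. This is an added example, not code from the thread or from Check Point; the netstat excerpts and masters files are constructed inline, and the hostnames mgmt-station and fw-gateway are hypothetical. As Bruce notes in the thread, this applies to a standard gateway, not to Edge firmware.

```shell
#!/bin/sh
# Constructed `netstat -an` excerpts from the gateway side. The first shows the
# step 7 fallback: the port-257 session terminates on localhost.
GW_NETSTAT_LOCAL='tcp        0      0 127.0.0.1:2085        127.0.0.1:257         ESTABLISHED
tcp        0      0 0.0.0.0:257           0.0.0.0:*             LISTEN'
# The second is a healthy gateway shipping logs to the management station.
GW_NETSTAT_OK='tcp        0      0 10.1.1.2:2085         10.1.1.13:257         ESTABLISHED'
# Constructed $FWDIR/conf/masters contents; "mgmt-station" and "fw-gateway"
# are hypothetical hostnames.
MASTERS_OK='[Policy]
mgmt-station
[Log]
mgmt-station
[Alert]
mgmt-station'
MASTERS_BAD='[Policy]
mgmt-station
[Log]
fw-gateway
[Alert]
mgmt-station'
# Remote address of the first ESTABLISHED session to port 257, or "none".
# Accepts both Linux (host:port) and IPSO (host.port) address formats.
log_peer() {
    printf '%s\n' "$1" | awk '
        $NF == "ESTABLISHED" && $5 ~ /[.:]257$/ { sub(/[.:][0-9]+$/, "", $5); print $5; found = 1; exit }
        END { if (!found) print "none" }'
}
# Classify the log session: "remote", "local" (step 7 fallback) or "none".
log_target_state() {
    case "$(log_peer "$1")" in
        none)  echo none ;;
        127.*) echo local ;;
        *)     echo remote ;;
    esac
}
# Host listed under the [Log] section of a masters file (step 8).
masters_log_host() {
    printf '%s\n' "$1" | awk '/^\[/ { sect = $0; next } sect == "[Log]" && NF { print; exit }'
}
# diagnose NETSTAT MASTERS EXPECTED_LOG_HOST: prints findings, returns 0 only
# when logs leave the box and masters points at the expected host.
diagnose() {
    rc=0
    loghost=$(masters_log_host "$2")
    if [ "$loghost" != "$3" ]; then
        echo "masters [Log] lists '$loghost', expected '$3' (step 8)"; rc=1
    fi
    case "$(log_target_state "$1")" in
        local)  echo "port 257 session ends on localhost: logging locally (step 7)"; rc=1 ;;
        none)   echo "no port 257 session: check routing, SIC, tcpdump (steps 4, 5, 9)"; rc=1 ;;
        remote) echo "port 257 session established to $(log_peer "$1")" ;;
    esac
    return $rc
}
diagnose "$GW_NETSTAT_LOCAL" "$MASTERS_BAD" mgmt-station || echo "=> gateway is not shipping logs"
```

On a real gateway, feed it `netstat -an` output and `cat $FWDIR/conf/masters` instead of the constructed strings.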
