troubleshooting check point logging issues when management server is not receiving logs from...

Upload: sgopal7

Post on 03-Jun-2018


  • 8/12/2019 Troubleshooting Check Point Logging Issues When Management Server is Not Receiving Logs From Security Gatew

    1/2

    1/22/2014 Troubleshooting Check Point logging issues when Management Server is not receiving logs from Security Gateway

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40090 1/2


    Troubleshooting Check Point logging issues when Management Server is not receiving logs from Security Gateway

    Solution ID: sk40090
    Product: Security Gateway, Security Management
    Version: All
    Date Created: 14-Apr-2009
    Last Modified: 09-Dec-2012


    SOLUTION

    When troubleshooting logging-related issues in a distributed setup, proceed as follows:

    0. Select Policy --> Install Database --> select the Management Server to install the database on --> click "OK", and the policy is installed.

    1. Ensure that you have not run out of disk space on the hard disk that the logs are being sent to. If this is the case, delete or move the logs to an external storage device.

    2. Is there communication between the Management Server and the Security Gateway? Test by pinging to the Management Server from the Security Gateway and then from the Security Gateway to the Management Server (your rules must allow for this). If this fails, and your rules allow for this, then it is most likely a routing issue.

    3. Check to see if the fw.log file is growing on the Security Gateway. It should be, if the logs are not going to the Management Server. From the console run these commands:

    cd $FWDIR/log

    ls -la

    ls -la

    Verify that the fw.log file is increasing. If it is increasing, then the Security Gateways are logging locally instead of forwarding the traffic to the Management Server. This could be a connectivity issue, or it could be the way the logging is set up. Check the Security Gateway object to ensure it is set up to send logs to the Management Server.

    4. Can you fetch a policy? Verify that you can fetch using the hostname and IP address. If this fails, then you probably have a SIC issue. To test this, run the following commands:

    fw fetch hostname_of_MS

    fw fetch IP_Addr_of_MS (fetch by IP address also to ensure it is not a DNS issue)

    5. Check the masters file. The hostname or IP address of the Management Server should be listed there. To check, run the following commands:

    cd $FWDIR/conf

    cat masters

    The output should look like this:

    [Policy]

    hostname_of_Management_Server

    [Log]

    hostname_of_Management_Server

    [Alert]

    hostname_of_Management_Server

    6. Run tcpdump on the Security Gateway, listening for port 257 on the interface facing the Management Server, to see if it is attempting to send logs. To check this, run the following command:

    tcpdump -i eth-facing-MS port 257 (use the Ctrl+C to break out of the dump)

    You should see traffic leaving the Security Gateway and heading to the IP address of the Management Server.


    You should also see traffic coming back from the Management Server.

    7. The log file may have become corrupted. Run a log switch on the Management Server and reboot the Management Server to create a new log file. If log switch does not work, move all contents of the log directory (do not move the directory itself) to a temp folder outside of the log directory. Reboot and see if the logs start again.

    8. Delete the $FWDIR/log files and $FWDIR/state directory files on the Security Gateway; reboot the Security Gateway.

    Reboot and see if the logs start again.

    9. Look to see if there is a listening port for logging. Run the following command on the Management Server and the Security Gateway:

    netstat -na

    You should see the *.257 LISTEN for logging connections. You should also see the IP address of the Management Server on port 257 associated with the IP address of each Security Gateway, showing an ESTABLISHED connection.

    10. Check the log settings for the Security Gateway object and make sure the 'Log Server' is set to the Management Server that should be receiving the logs. This is usually done by default, but may have been changed by a user.

    If after going through these steps you are still experiencing logging issues, please contact Check Point Support for further troubleshooting.

    This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
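
The checks in steps 3, 5, 6 and 9 can be scripted so the results are comparable across gateways. The following is an added example, not part of the Check Point article and not Check Point code; the function names, the 192.0.2.x addresses and the netstat sample are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code. All sample data below is constructed.

# Step 5: print the hosts listed under one section of a masters file.
masters_section() {   # $1 = masters file, $2 = Policy | Log | Alert
    awk -v want="[$2]" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop CR and padding
        /^\[.*\]$/ { in_sec = ($0 == want); next }
        in_sec && NF { print }' "$1"
}

# Step 5: succeed only if [Log] names the expected Management Server.
masters_logs_to() {   # $1 = masters file, $2 = hostname or IP
    masters_section "$1" Log | grep -Fxq -- "$2"
}

# Steps 6 and 9: summarise TCP/257 from `netstat -na` text on stdin.
log_port_summary() {  # $1 = Management Server IP
    awk -v ms="$1" '
        $NF == "LISTEN" {
            # local address is 0.0.0.0:257 on Linux, *.257 on Solaris-style output
            for (i = 1; i < NF; i++) if ($i ~ /[.:]257$/) listen = 1
        }
        $NF == "ESTABLISHED" {
            for (i = 1; i < NF; i++)
                if ($i == (ms ":257") || $i == (ms ".257")) est++
        }
        END { printf "listen=%d established=%d\n", listen, est }'
}

# Step 3: succeed if the file grew while we waited ($2 seconds, default 5).
file_grew() {
    before=$(( $(wc -c < "$1") )); sleep "${2:-5}"
    [ $(( $(wc -c < "$1") )) -gt "$before" ]
}

# Constructed sample: the gateway listens on 257 and is trying to reach
# 192.0.2.10:257, but the log session never gets past SYN_SENT.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:257        0.0.0.0:*          LISTEN
tcp        0      0 192.0.2.1:18191    192.0.2.10:41022   ESTABLISHED
tcp        0      1 192.0.2.1:50112    192.0.2.10:257     SYN_SENT
EOF
}
sample_netstat | log_port_summary 192.0.2.10
```

On a live gateway, pipe netstat -na into log_port_summary with the Management Server IP, and point masters_logs_to and file_grew at $FWDIR/conf/masters and $FWDIR/log/fw.log. A result of established=0 together with a growing fw.log matches the local-logging condition described in step 3.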
