Logging

[tkalas]

Hi Guys,

what happens when the manager disk space is filled up 100% with logs?..is this a very critical issue or will it just delete old logs?

What I really wantto know is what effect does it have on the enforcement modules?

Thanks

[melipla]

My guess is, the smartcenter server dies, the enforcement gateways log locally until the smartcenter server is brought back online. That's for distributed. I shudder to think what happens if you're not distributed...

[tkalas]

Thanks for your reply Melipla. I guess 2 questions come out of this;

1. Does the server 'die' when the hardisk is filled with logs?
2. What happens if the enforcement modules hardisk become filled with logs as a result of losing connections to the server?

A cisco firewall will just delete the oldest log and replace with the newest when faced with a similar situation. A colleaque mentioned that a checkpoint firewall will fail in this situation...i don't believe its true hence the need for clarity.

Your response(s) will be highly appreciated.

[melipla]

Quote:

Originally Posted by tkalas

A cisco firewall will just delete the oldest log and replace with the newest when faced with a similar situation. A colleaque mentioned that a checkpoint firewall will fail in this situation...i don't believe its true hence the need for clarity.

I've never seen a CP firewall with its disk full but my guess is that the CP management and enforcement servers would fail if that were to happen. The primary reason is that Cisco has a finite amount of disk space, they've been forced to address the "disk full" problem. Whereas CP has a variable amount of space & any good CP admin would manage their firewall / management server so that this situation did not occur.

[phoenix_ikki]

Quote:

Originally Posted by tkalas

Hi Guys,

what happens when the manager disk space is filled up 100% with logs?..is this a very critical issue or will it just delete old logs?

What I really wantto know is what effect does it have on the enforcement modules?

Thanks

The Smartcenter will still working normal but the logging will be written directly to the enforcement module (something which I prefer not to happen). To avoid this usually I set up the Log files and disk space management and order it to rewrite the old files when disk is full (in Smartcenter server Properties).

[mcnallym]

I have seen a CP Firewall fill it's disk with logs, when a customer had failed to note that connectivity lost to the SMARTCenter and started logging locally.

The CP Firewall will fail and stop processing traffic if it's disk fills up.

[srahman]

Hello, Please can someone help.

This query doesn't really relate to the above title, but I am looking to move the logs on a Windows NGX server to a differrent disk on the same server. Can anyone please tell me how to point the logging to another diskspace (i.e D:\ drive) instead of it's default on C:\...

Thank you.

kind regards,
Shaz

[dbrown3611]

A 3rd party support vendor provided me this procedure for a Win2003 box:

1. Add to registry a new string value of FWLOGDIR under the following registry location:
2.
FireWall-1 NG and NGX:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\5.0

3. Create a new directory (for example C:\MyLogs) and define a String value named FWLOGDIR containing the log path (C:\MyLogs) under HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\5.0

Note: The target path directory must exist prior to modifying the registry. In NGX, you should enter "6.0" in the path mentioned, instead of "5.0".

4. Reboot server.

[cciesec2006]

Quote:

Originally Posted by tkalas

Thanks for your reply Melipla. I guess 2 questions come out of this;

1. Does the server 'die' when the hardisk is filled with logs?
2. What happens if the enforcement modules hardisk become filled with logs as a result of losing connections to the server?

A cisco firewall will just delete the oldest log and replace with the newest when faced with a similar situation. A colleaque mentioned that a checkpoint firewall will fail in this situation...i don't believe its true hence the need for clarity.

Your response(s) will be highly appreciated.

Cisco Firewall is "flash-based" technology and the log will be overwritten with
new one, depending on how much logging buffer size you set for it.

[srahman]

Quote:

Originally Posted by dbrown3611

A 3rd party support vendor provided me this procedure for a Win2003 box:

1. Add to registry a new string value of FWLOGDIR under the following registry location:
2.
FireWall-1 NG and NGX:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\5.0

3. Create a new directory (for example C:\MyLogs) and define a String value named FWLOGDIR containing the log path (C:\MyLogs) under HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\5.0

Note: The target path directory must exist prior to modifying the registry. In NGX, you should enter "6.0" in the path mentioned, instead of "5.0".

4. Reboot server.

=====================

Thank you very very much :)