Smartcenter port 257 not open

[anakalem]

Hi All,

I have smartcenter based on R65 and other firewalls using nokia and CP R55, and R60.
currently all the firewalls under that Smartcenter cannot send log via port 257 to firewall. if i telnet the port 257 from the firewall to Smartcnter, it said that connection refused.

i have restarted smartcenter using cpstop and cpstart, still have the same problem.

What the proper workaround and logs for this problem.

Need advise please

thank you

regards
Kalem

[Danielpb]

I would first check your rulebase to make sure you have all you firewall mgmt rules in places. You might also want check and confirm all your Natting is correct. I take it you can push a rule change with out any issues?

[anakalem]

Hi

Yes, i can do all management with no errors, only the firewall cannot send the logs since the smartcenter refused it. And it happen suddenly.
What service that related to port 257? or logs that related to it?

Thank you

regards

kalem

[Danielpb]

Can you confirm the OS the SmartCenter is running on?

Also I very much doubt the Smartcenter it's self is not accepting the logs it's more then likely the firewall protecting it. (You could confirm this with a Tcpdump on the firewall to make sure the firewall is receiving the packets)

You could always revert back to a Database revision (if created) to see if this solves your issue.

Could you give a brief layout of the firewall topology?

[anakalem]

Hi,
it is distributed installation. i have 3 firewalls and 1 smartcenter in separate machine. all 3 firewalls log locally since cannot send the log to smartcenter.
simplest tets i've done is login to firewall and do telnet port 257 to smartcenter, and the connection got refused by smartcenter.

I have another set of firewall and smartcenter (different from the first one), and i tried from there the smartcenter accepting port 257 request.

thanks

regards

kalem

[anakalem]

hi all,

i found that the firewall sent the log to smartcenter. i sniff in the smartcenter's interface and there is traffic 257 from the firewalls, but the smartcenter refect it. In the TCP Dump, after Syn, the Smartcenter sent reset to firewall.

Anyone ever had the same problem?

advise please...

thank you

regards

Kalem

[Danielpb]

You could try a resetting SIC.
Seems odd that the SmartCenter is rejecting the packets. I assume you have no other software running on the SmartCenter which would drop the traffic?

[mcnallym]

Sounds like the fw_log service has stopped. I would perform a cprestart on the smartcenter to restart the check point services.

fw_log is the service name for tcp257.

I take it that under Global Properties the Accept Control Connections is still ticked.

[anakalem]

HI All, thank you for all your response...
yes it is weird, but now it's working again. What i did is restart the smartcenter server (not cpstop and cpstart, but reboot the server).

Since many logs left in my firewalls, how can i transfered and merge into other logs in the Smartcenter?

What i am thinking is:
1. FTP All the logs and dump it into the smartcenter server
2. run cpmerge for merging the logs.

Any other ideas?

Thanks

Kalem

[chuachongchee]

Quote:

Originally Posted by anakalem

HI All, thank you for all your response...
yes it is weird, but now it's working again. What i did is restart the smartcenter server (not cpstop and cpstart, but reboot the server).

Since many logs left in my firewalls, how can i transfered and merge into other logs in the Smartcenter?

What i am thinking is:
1. FTP All the logs and dump it into the smartcenter server
2. run cpmerge for merging the logs.

Any other ideas?

Thanks

Kalem

No need to do anything... once connectivity is restored, the firewall will resend all the logs to the smartcenter...

[anakalem]

Hi

Yes, from my previous understanding, it should be like that. Firewall will send locally-dumped logs automatically to SMartcenter when connection restored. But it doesn't. the logs stay in my firewall and not transfered to my Smartcenter. :(

My log and master setting, i dont use "define locally" but i select the log server manually. is it a good idea?

Thank you

regards
Kalem

[chuachongchee]

hmmm.. i use the send logs to Pri SCS... if unreachable.. Sec SCS...

Also, for SCS, please do not define any interfaces in the topology tab.. i once had put the eth0 inside and the logging stopped working.. lol