| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| All, I have a firewall module NG AI R55 managed by HA SMARTCenter servers (NG AI R55). Let's assume SC2 is active and SC1 is standby. On the firewall object, log servers are defined in the order SC2, SC1 and the "Define Log Servers" radio button is selected. Local logging is turned off, whereas in the /var/opt/CPfw-R55/conf/masters file log servers are defined in the order SC1, SC2 with names. The firewall is not logging to either of the SCs. When I ran "fw log" on the module, I got the following error message: Unable to read unification scheme file ' (Default scheme) ' . fw monitor or tcpdump shows nothing going out on 257. Telnet to SC on port 257 is successful. SIC is communicating. I can install policy on the firewall. This was working until 2nd January and all of a sudden stopped. I don't have any audit logs either to see what happened on that day. I'm trying to see any syslogs related to this. Also, I don't see any manual name resolution entries in the /etc/hosts file for the SC names; not sure how the firewall resolves the SC names. This is a production firewall, hence I won't be able to afford to do any cprestart for now just to see if that resolves it. Firewall details: Module: CP NG AI R55 on Nokia IP box. SC (both): CP NG AI R55 on Windows machine. Any help is greatly appreciated. |
| |||
| R55 in production... Really?!? Man, you seriously need to upgrade. That product is EOL. Aside from that, why exactly can't you reboot because it's in production? It's an HA cluster and therefore rebooting one gateway will just make you run on the other one - that's the entire reason to do HA. You should be able to bounce back and forth all day long and most people wouldn't even notice. That's the whole point of state sync. Just reboot the standby first and then when it comes back online into the cluster, reboot the primary. __________________ There's no place like 127.0.0.1 |
| |||
| Hi Lammbo, Yes, R55 is production; we are pushing for the upgrade sooner. Meanwhile I faced this issue, which I have to get resolved ASAP. The firewall is not HA, but the SMART Center is, and as I mentioned I can't afford a reboot/cprestart unless no technical explanation/solution is available. I have to convince the client on that point. Hence I am asking whether any of you have come across this error before. Check Point usercenter says the unified log file isn't generated, but no solution is given. |
| |||
| Hi achillesheel, In $FWDIR/conf there should be a couple of log unification file definitions. One for Tracker (and fw log command), one for LEA and one for Reporter. The one you seem to be missing is log_unification.C. I'd try to back it up if it exists and copy this file from another R55 gateway you have. Then restart FWD using cpwd_admin. Doron Linder Logging Matters - Check Point Logging Related Services |