Checkpoint not logging to SmartCenter Server

[fazrul]

Hi,
I have the following problem with Checkpoint logging.

Here are details of my installation:
Unit 1:
NGX R61 running on Secure Platform
Installed with Checkpoint VPN-1 Express, SmartCenter Server and Eventia Reporter

Unit 2:
NGX R61 running Secure Platform
Installed with Checkpoint VPN-1 Express (enforcement gateway/module)
SIC configured and unit 1 and unit 2 working properly (rules, NAT, etc) can be configured.

Problem:
Unit 2 is not pushing logs to unit 1 (which is also the log server).

Detailed description:
1. I have 2 checkpoint installations. One is installed with VPN-1 Express and SmartCenter Server (plus eventia reporter). The other is installed with only VPN-1 Express (enforcement module installation). This second unit is be managed by the first unit. When the second unit was installed, I have defined the SIC and communication between these 2 units are fine. I am able to push the rules, etc from the SmartCenter to this enforcement gateway.

2. However, the enforcement gateway is not sending its logs to the SmartCenter. I have checked the settings in the enforcement gateway’s properties and its Additional Logging, Masters and Log Servers settings are already pointing to the Smart Center (this was automatically added during the installation of the enforcement module). However, the logs are not being sent to the SmartCenter. This causes me not able to use Eventia Reporter to generate reports for the enforcement gateway’s network traffic.

3. I have checked the knowledgebase and followed the guide explained in this page: https://secureknowledge.checkpoint.c....do?id=sk30891 but it does not work (I know that this article does not apply specifically to my case but the symptoms are similar).

4. My main concern is that I have installed Eventia Reporter in the SmartCenter Server (unit 1) and I would like to create reports for network traffic that goes through the second unit (enforcement module/gateway). But since the log of the second unit is not sent to the main unit, the report generation fails (No Relevant Data when I generate the report).

5. Communication between the main checkpoint and the enforcement gateway is not restricted (2 units are separated by a router and all traffic is allowed between these 2 units).

6. I have also checked the Global Properties as mentioned by the article in (2) but it does not help.

What else can I do to make sure the log is saved into the SmartCenter server (unit 1)? Thanks.

[kva.kva]

Check this KB - http://secureknowledge.checkpoint.co....do?id=sk26214
May it will be helpful.

[fazrul]

I can't access it as I do not have Checkpoint Enterprise Support contract.

[northlandboy]

From the gateway, telnet to the management server on port 257, just to confirm that works as expected.

Run fw monitor for a while, looking for anything going to tcp/257. See if the module is actually generating any info or not.

Run fw log at the command line on the module, to get the logs dumped into text. Then you can search through them, to see if there is anything related to logging in there.

Occasionally logging gets a bit confused, and you need to do a cpstop;cpstart on the module to get it to start logging again. Have you tried that?

[kva.kva]

Also check correct name resolution for module and smartcenter.
Check that names from $FWDIR/conf/masters are resolved on module, sometimes it's important.
Check Logs and Masters settings in object properties.
If all parameters are correct, try to reestablish SIC.

[fazrul]

Hi,
I tested as you mentioned. The TCP port 257 is running in the SmartCenter server (also a VPN-1 Express). However, there were no traffic from the enforcement module to the smartcenter at port 257. So I tried cpstop and cpstart. Here is the result that I got which was interesting:

On the enforcement module:

Fetching Security Policy from: 192.168.0.111
Reason: TCP connectivity failure (port=18191)(IP=192.168.0.111)[Error 10]
Policy Fetch Failed
Failed to fetch policy from masters in masters file at this point

Question: Why is the enforcement module fetching its security policy from 192.168.0.111?

Here is a better discription of our devices:

Unit 1 (VPN-1 Express and Smart Center)
eth0: 172.16.12.250
eth3: 192.168.0.111 (connected to router for Internet access)

Unit 2 (VPN-1 Express)
eth0: 172.16.11.250
eth1: 192.168.10.20

eth0 of both devices are connected via a router.

172.16.11.250---172.16.11.254/172.16.12.254---172.16.12.250

So all communication between these 2 devices take place between these 2 interfaces (172.16.11.250 and 172.16.12.250). All rules are pushed from smartcenter to enforcement module using this connection.

So going back to the error message that I got when I stopped and started the services, the question is: Why is the enforcement module looking for 192.168.0.111 when it should be looking for 172.16.12.250?

At this moment, to temporarily overcome this logging issue, I have added a static route in enforcement module so that it can communicate with the WAN interface of SmartCenter server (192.168.0.111) and it is now able to push all of its log in the master unit. But is there anyway for me to force the enforcement module to fetch its security policy from 172.16.12.250 (I want it to push all the log to 172.16.12.250)?

Anyway, thanks a lot as your advise did help me solve this issue somewhat.

[abusharif]

1) check on the firewall object in checkpoint gui which machine is set as logserver and master. This should be your management station

2) check $FWDIR/conf/masters file. This file defines where to send logs/fetch policy from. Name for objects in that file are checkpoint-object-names. Check that your fw module can resolve/find this name in the file as kva.kva mentioned above. (this file actually contains the config from point 1 above but in text mode).

[JeffN]

Sorry to bring up an old post, but this is sounding very familiar. Fazrul, did you ever get a fix for this?

We have two firewall enforcement modules running FP3.
Firewall 1:
External side IP: 203.x.x.2
Internal: 10.1.1.1/24
Other interfaces for DMZ etc

Firewall 2: (Different site, no actual connection to the internet)
"External" IP: 10.90.1.1 (to another unmanaged site)
Internal IP: 10.9.1.1 (Direct route to Internal network of firewall 1)

Management server: (Physically located on the same network as firewall 1)
IP: 10.1.2.20 /24
Also has a static NAT rule for 203.x.x.90 - According to the dashboard, installed on Firewall 1 only.

Logs from firewall 1 are being correctly sent to the management server/log server.
Logs for firewall 2 are being sent to 203.x.x.90, which is the NATed address of the management server.

The masters file on firewall 2 correctly lists the name of the management server, and I can ping it using the internal (Non-NATed) address.
/etc/hosts lists the name of the management server and the internal IP.

I have set the Masters/log servers in the dashboard to "use local definitions", as well as defining them manually.

I have also tested entering the IP address of the management server into $FWDIR/conf/masters of firewall 2 as the log server, but to no avail.

Several cpstop/cpstart have been done, each time getting a message that loading a local policy was successful, then attempting to load a policy from 203.x.x.90 failed.

I have not tried a reboot of the firewall yet, but will try this in the next few days. (Though do not see why this would be needed and am happy to be proven wrong if there is a reason.)

I have been told that our support provider has looked at it, but gave up after a while. (It was before my time, and I do not think that they tried too hard)

It is not too critical that this gets resolved, as logs do get saved locally on firewall 2, but it would be nice to get this fixed if someone can offer a suggestion.

[ccnpding]

JeffN,
pls have a try to go to SC's TCP/IP settings and untick the "CheckPoint FW1/VPN".

Hope it works.