CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have a problem between an enforcement module and a SmartCenter server. The Enforcement Module appears to be connecting to the SmartCenter and sending the logs, but they're not showing up in SmartView Tracker or being recorded in the log directory on the SmartCenter. There is a Cisco PIX between the two servers (sorry, so unpatriotic) on which I can see a connection on port 257/tcp (syn, syn-ack, some data and fin packets). I can see the session in netstat on both servers. So it appears to me that the log should be working, but it isn't. All I've got in the log on the SmartCenter are messages from the SmartCenter itself. The log on the Enforcement Module is working -- I can see it using 'fw log', but I really need to see it in the SmartCenter. I can retrieve log files from the CLI (fw fetchlogs), but not from the SmartView Tracker GUI -- it aborts immediately. I'm not seeing any traffic being blocked on the PIX. Any ideas anyone? Any help greatly appreciated. Mike.
I have a case open with CP at the moment in relation to this issue. But you appear to be past the issue I have, as we don't seem to be able to get anything going over 257. The masters file is set correctly, and I can ping the object IP that logging is addressed to in the config by name and IP from the enforcement point; still no joy. I'll hopefully pick up some tips from this thread!
Hi, Just a thought, but I'd start by ruling out the PIX completely if possible. I don't know the configuration on your PIX, but it's likely to be NATing the connection between the enforcement module and the management/log server, and I was wondering if that might be causing the problem? I'd try using the 'nat 0' command on the PIX for the required traffic, or temporarily replace it with a router to confirm or eliminate it as the cause of the problem.
Hi again, I had a quick go on what I presume is a similar configuration: it worked using the 'nat 0' command on the PIX for both the Management/Log Server and the Enforcement Module (causing the PIX to perform like a router). Other than that, an access-list was required to let tcp/257 through from the enforcement module to the SmartCenter (the E/Module was on the PIX's outside interface and the SmartCenter server on the inside). The final thing would be to make sure routing is set up properly on all 3 parties, but it sounds like you had that configured properly anyway. Does this reflect your config at all? S/W used: PIX OS 6.3(5), Check Point NGX
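The PIX configuration the reply above describes, written out as an added example (this is not the poster's actual config). Interface names, ACL names and addresses are assumptions: 192.0.2.20 stands in for the SmartCenter on the inside interface and 198.51.100.5 for the enforcement module on the outside interface; syntax follows PIX OS 6.3.

```cisco
! Added example, not the poster's configuration. Addresses and ACL names
! are placeholders (192.0.2.20 = SmartCenter, inside; 198.51.100.5 =
! enforcement module, outside). PIX OS 6.3 syntax.

! 1. Exempt the SmartCenter <-> enforcement module pair from NAT in both
!    directions, so the PIX passes the tcp/257 log connection unmodified
!    (this is the 'nat 0' step from the reply above).
access-list NONAT permit ip host 192.0.2.20 host 198.51.100.5
nat (inside) 0 access-list NONAT

! 2. Permit only the log channel (FW1_log, tcp/257) inbound from the
!    enforcement module to the SmartCenter. Host-to-host and port-specific,
!    so nothing else on the inside becomes reachable from the outside.
access-list OUTSIDE_IN permit tcp host 198.51.100.5 host 192.0.2.20 eq 257
access-group OUTSIDE_IN in interface outside

! 3. Verification after the gateway starts sending logs:
!    show xlate   -> identity translation entries for the two hosts
!    show conn    -> the tcp/257 connection between the two hosts
```

Only the logging port is covered here; SIC and policy installation between the two Check Point components use other ports that this fragment does not open, so if those are also crossing the PIX they need their own host-to-host entries.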
Quote:
and unfortunately it's too 'live' to replace the PIX with a router.
Quote:
Quote:
Thank you for your help so far. Mike.
Fixed, but not entirely happy with the solution: At some point, I had un-ticked the Checkpoint option in the list of components for the network card on the SmartCentre server. When I ticked this it killed my remote access (MS Terminal Services) but started logging. I then configured the SmartCentre to be a Firewall as well as a SmartCenter and Log server, defined a couple of rules for remote access to it and it all worked -- logging and remote admin access. Now the question is - Why? Can't you have a SC or log server that isn't also a firewall? Answers on a postcard to the usual address please. Thank you once again for all your time, effort and suggestions. Mike.
Hi, You should not have to have the SmartCentre server set as a firewall object as well for logging to occur. But then again this is Checkpoint and nothing is really that surprising...........:)
Hi Young, I am facing the same problem which you have faced. My problem is my CP management server receives logs from all FW enforcement points. All appears to be working correctly, but for one enforcement point not showing any logs or traffic in the tracker. The enforcement point is set to send logs to the management server, it can ping the management server and so on. The enforcement point is a Nokia IPSO IP 300. Can you please help me out with the solution.
Take a look at a fw monitor to see if the logs are making it:
fw monitor -e 'accept src=<ip of gateway> or dst=<ip of gateway>;'
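Before reaching for fw monitor, the original poster's first check was whether the tcp/257 log session is actually ESTABLISHED in netstat on both ends. The script below is an added example (not from the thread) that performs that check over netstat output; the sample lines are constructed and the addresses are placeholders (192.0.2.20 = SmartCenter/log server, 10.1.1.10 = the gateway's own address).

```shell
#!/bin/sh
# Added example, not from the thread. Checks netstat output for an
# ESTABLISHED tcp/257 (FW1_log) session to the SmartCenter/log server.
# Run on the gateway as:  netstat -an | has_log_session <smartcenter-ip>
# Exit status 0 = log channel present, 1 = not found.

# Constructed sample of "netstat -an" output; 192.0.2.20 is the
# placeholder SmartCenter, 10.1.1.10 the placeholder gateway address.
SAMPLE_NETSTAT='tcp        0      0 10.1.1.10:36412       192.0.2.20:257        ESTABLISHED
tcp        0      0 10.1.1.10:18191       192.0.2.20:18191      TIME_WAIT
tcp        0      0 0.0.0.0:22            0.0.0.0:*             LISTEN'

# has_log_session <smartcenter-ip>
# Reads netstat lines on stdin, prints every ESTABLISHED tcp session whose
# peer is <smartcenter-ip>:257, and returns 0 if at least one was found.
has_log_session() {
    sc="$1"
    awk -v sc="$sc" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            split($5, peer, ":")          # "ip:port" -> peer[1], peer[2]
            if (peer[1] == sc && peer[2] == "257") { print; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_NETSTAT" | has_log_session 192.0.2.20; then
    echo "log channel to SmartCenter is ESTABLISHED"
else
    echo "no ESTABLISHED tcp/257 session to SmartCenter"
fi
```

An ESTABLISHED session on both sides only proves the TCP channel is up; as the thread shows, the data can still be dropped or misdirected on the receiving end, which is where fw monitor and the SmartCenter's own log directory come in.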
I had the same problem, that the SmartView Tracker wasn't showing any log files. The problem was resulting from a policy that I imported from another Checkpoint firewall via the upgrade_tools on the command line. Afterwards the interfaces (which were basically the same, but had different names) couldn't be routed to. After a simple 'Get Topology' under topology in the Checkpoint Object in the Dashboard the interfaces were named correctly and the logs started showing up in the tracker again. Hope this is of some help to you guys. Cheers from Austria, W.