
1/22/2014 Troubleshooting Check Point logging issues when Management Server is not receiving logs from Security Gateway

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40090 1/2
Troubleshooting Check Point logging issues when Management Server is not receiving logs
from Security Gateway
Solution ID: sk40090
Product: Security Gateway, Security Management
Version: All
Date Created: 14-Apr-2009
Last Modified: 09-Dec-2012
SOLUTION
When troubleshooting logging related issues in a distributed setup, proceed as follows:
0. Select Policy --> Install Database --> Select the Management Server to install database on --> Click "ok" and policy
is installed.
1. Ensure that you have not run out of disk space on the hard disk that the logs are being sent to. If this is the case,
delete or move the logs to an external storage device.
2. Is there communication between the Management Server and the Security Gateway? Test by pinging to the
Management Server from the Security Gateway and then from the Security Gateway to the Management Server (your
rules must allow for this). If this fails, and your rules allow for this, then it is most likely a routing issue.
3. Check to see if the fw.log file is growing on the Security Gateway. It should be, if the logs are not going to the
Management Server. From the console run these commands:
cd $FWDIR/log
ls -la
ls -la
Verify that the fw.log file is increasing. If it is increasing, then the Security Gateways are logging locally instead of
forwarding the traffic to the Management Server. This could be a connectivity issue, or it could be the way the logging
is set up. Check the Security Gateway object to ensure it is set up to send logs to the Management Server.
4. Can you fetch a policy? Verify that you can fetch using the hostname and IP address. If this fails, then you probably
have a SIC issue. To test this run the following commands:
fw fetch hostname_of_MS
fw fetch IP_Addr_of_MS (fetch by IP address also to ensure it is not a DNS issue)
5. Check the masters file. The hostname or IP address of the Management Server should be listed there. To check, run
the following commands:
cd $FWDIR/conf
cat masters
The output should look like this:
[Policy]
hostname_of_Management_Server
[Log]
hostname_of_Management_Server
[Alert]
hostname_of_Management_Server
6. Run tcpdump on the Security Gateway, listening for port 257 on the interface facing the Management Server, to
see if it is attempting to send logs. To check this, run the following command:
tcpdump -i eth-facing-MS port 257 (use Ctrl+C to break out of the dump)
You should see traffic leaving the Security Gateway and heading to the IP address of the Management Server.
You should also see traffic coming back from the Management Server.
7. The log file may have gotten corrupted. Run a log switch on the Management Server and reboot the Management
Server to create a new log file. If log switch does not work, move all contents of the log directory (do not move the
directory itself) to a temp folder outside of the log directory. Reboot and see if the logs start again.
8. Delete the $FWDIR/log files and $FWDIR/state directory files on the Security Gateway, then reboot the Security
Gateway and see if the logs start again.
9. Look to see if there is a listening port for logging. Run the following command on the Management Server and the
Security Gateway:
netstat -na
You should see the *.257 LISTEN for logging connections. You should also see the IP address of the Management
Server :257 associated with the IP address of each Security Gateway, and showing an ESTABLISHED connection.
10. Check the log settings for the Security Gateway object and make sure the 'Log Server' is set to the Management
Server that should be receiving the logs. This is usually done by default, but may have been changed by a user.
If after going through these steps you are still experiencing logging issues, please contact Check Point Support for
further troubleshooting.
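The checks in steps 5 and 9, as an added example (not Check Point code): a shell script that parses a masters file and saved "netstat -na" output and reports whether the gateway is set up to log to the Management Server and has a port 257 session with it. The sample files, the hostname mgmt01, the address 192.0.2.10 and the Linux-style netstat column layout are assumptions.

```shell
# Added example, not Check Point code. Sample data is constructed;
# mgmt01 and 192.0.2.10 are placeholder values for the Management Server.

# Step 5: print the entries under one section of a masters file.
masters_section() {            # $1 = masters file, $2 = Policy|Log|Alert
    awk -v want="[$2]" '
        /^\[.*\]$/ { in_sec = ($0 == want); next }
        in_sec && NF { print $1 }' "$1"
}
# Step 9: classify port 257 from saved "netstat -na" output (Linux-style columns assumed).
port257_state() {              # $1 = netstat output file, $2 = Management Server IP
    awk -v ip="$2" '
        { for (i = 1; i < NF; i++) {
              if ($NF == "LISTEN" && $i ~ /[.:]257$/) l = 1
              # Exact match, so 192.0.2.10 does not match 192.0.2.100.
              if ($NF == "ESTABLISHED" && $i == (ip ":257")) e = 1
          } }
        END { print (e ? "established" : (l ? "listening-only" : "none")) }' "$1"
}
# Combine both checks into one finding.
diagnose() {                   # $1 = masters, $2 = netstat output, $3 = host, $4 = IP
    if ! masters_section "$1" Log | grep -Fxq -e "$3" -e "$4"; then
        echo "masters: [Log] does not list $3 or $4"
    elif [ "$(port257_state "$2" "$4")" != "established" ]; then
        echo "port 257: no established session with $4"
    else
        echo "ok"
    fi
}
# Constructed sample input.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/masters" <<'EOF'
[Policy]
mgmt01
[Log]
mgmt01
[Alert]
mgmt01
EOF
cat > "$SAMPLES/netstat_ok" <<'EOF'
tcp        0      0 0.0.0.0:257        0.0.0.0:*          LISTEN
tcp        0      0 192.0.2.1:40257    192.0.2.10:257     ESTABLISHED
EOF
cat > "$SAMPLES/netstat_bad" <<'EOF'
tcp        0      0 0.0.0.0:257        0.0.0.0:*          LISTEN
tcp        0      0 192.0.2.1:40257    192.0.2.100:257    ESTABLISHED
EOF
diagnose "$SAMPLES/masters" "$SAMPLES/netstat_ok"  mgmt01 192.0.2.10
diagnose "$SAMPLES/masters" "$SAMPLES/netstat_bad" mgmt01 192.0.2.10
```

On a real gateway, pass $FWDIR/conf/masters and a file holding the output of netstat -na in place of the sample files.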
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It
may not work in other scenarios.
2014 Check Point Software Technologies Ltd. All rights reserved.
Check Point Software Technologies, Inc. is a wholly owned
subsidiary of Check Point Software Technologies Ltd.