question about forwarding log files to smartcenter server

wirelesspeap

All,

I have the following scenario:

1) The Enforcement Module is a Nokia IP440,
2) The Management Server is a SecurePlatform running a Pentium 4 with 1GB of RAM with 200GB of disk space (overkill I know). This machine stores the firewall policy and log,
3) I also have an additional machine (Pentium 4 with 1GB of RAM and 200GB of disk space) that functions as a log server.

In the policy, I enable "forward log files to the SmartCenter Server" and "perform a logswitch before log forwarding". I also specified that the "log forwarding schedule" is to be done at midnight. The policy is then pushed to the Enforcement Module.

Let's say that the Enforcement Module loses connectivity to both the management server and the log server for 4 hours. During that time, the log will be written "locally" on the Enforcement Module. When connectivity has been re-established between the Enforcement Module and the SmartCenter and log server, does it mean that the logs that are stored on the Enforcement Module during those 4 hours will be forwarded to the SmartCenter and log server?
How does Checkpoint "merge" those logs into the current log file? How does the process work? Does it mean I have a "hole" in the log file for those 4 hours?

I have been looking through the CP documentation but didn't find anything on this topic.

Thanks.
 
Hi,

Problem: In some cases where connectivity is temporarily lost between the SmartCenter Server and the Security Gateway, the Security Gateway begins logging locally. This can be caused by network or Internet lag, or latency. It is also possible SIC is lost between the SmartCenter Server and the Security Gateway.

Solution: While on the SmartCenter Server, issue the following commands:

1. To see a list of the logs on the Security Gateway in question:
fw lslogs firewall_name

NOTE:
If the log you want is currently active on the Security Gateway, run "fw logswitch" first.

2. To fetch the log, run:
fw fetchlogs -f log_name firewall_name

The log is placed in the $FWDIR/log directory on the SmartCenter Server, and is viewable with SmartView Tracker.


My understanding is it has to be captured in the above manner manually. I am unaware of the enforcement module doing this automatically. But I could be wrong. I checked several sources of information including SecureKnowledge and I also am unable to find any rock hard answers apart from the above.
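
The manual retrieval described in the post above, looped over every closed log on one gateway, as an added example that is not part of the original thread. It assumes `fw lslogs` prints each file name as the last field of a line and that the active log is named fw.log; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run on the SmartCenter Server to pull every closed log
# file from one Security Gateway, e.g. after a connectivity outage.
# Assumptions: "fw lslogs" lists one log per line with the file name as
# the last field, and the gateway's active log is called fw.log.

# closed_logs GATEWAY: print the names of closed (already switched) logs.
# The active fw.log is skipped; per the note above it needs
# "fw logswitch" before it can be fetched.
closed_logs() {
    fw lslogs "$1" | awk '$NF ~ /\.log$/ && $NF != "fw.log" { print $NF }'
}

# fetch_closed_logs GATEWAY: fetch each closed log in turn.
# Prints one line per fetched file and returns non-zero if any fetch
# failed, so a scheduled job can alert on an incomplete transfer.
fetch_closed_logs() {
    gw=$1
    rc=0
    for log in $(closed_logs "$gw"); do
        if fw fetchlogs -f "$log" "$gw" >/dev/null; then
            echo "fetched $log"
        else
            echo "FAILED $log" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh fetch_gateway_logs.sh firewall_name
if [ "$#" -gt 0 ]; then
    fetch_closed_logs "$1"
fi
```

The fetched files land in $FWDIR/log on the SmartCenter Server, as the post states, where they can be opened in SmartView Tracker.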
 
Hi,

In some cases where connectivity is temporarily lost between the SmartCenter Server and the Security Gateway, the Security Gateway begins logging locally. This can be caused by network or Internet lag, or latency. It is also possible SIC is lost between the SmartCenter Server and the Security Gateway.

Solution: While on the SmartCenter Server, issue the following commands:

1. To see a list of the logs on the Security Gateway in question:
fw lslogs firewall_name

NOTE:
If the log you want is currently active on the Security Gateway, run "fw logswitch" first.

2. To fetch the log, run:
fw fetchlogs -f log_name firewall_name

The log is placed in the $FWDIR/log directory on the SmartCenter Server, and is viewable with SmartView Tracker.

To the best of my current understanding, the log files are not automatically synchronised to the SMARTCenter/SYSLOG Server.


 
Chris,
If you set up the enforcement point to forward logs, it will do it automatically. The process can be automated. However, that is not the question I asked.

What I am looking for is that the log that was written "locally" on the Enforcement Module will be able to "merge" back to the log on the management server so that I don't have a "hole" in the log during the 4 hours where the Enforcement Module can NOT communicate with the SmartCenter Server.

I was told by a Checkpoint SE that it can be done but I am sure he is just a Sales Engineer so he probably doesn't know what I am talking about.

 
Hi,

Sorry, my bad. I see what you mean. I have spent a lot of time researching this for my own knowledge, and I can't find the answer. This is the frustrating thing about CP: lack of information, and even with partner access to their website, it is still lacking. I hope you find an answer.
 