Check Point Logging Troubleshooting Guide
Below are some basic guidelines for troubleshooting Check Point Logging issues.
Please note : This guide does not cover issues with any OPSEC LEA based issues.
Please note : The FWD (Firewall Daemon) is responsible for sending and receiving the Check Point Logs on port tcp/257.
logs being sent to the manager ?
Ok, so first of all are the logs being sent to the Smart Centre Manager or the necessary Log Manager ? We can check this by confirming whether the gateway is sending the log packets via the FW Log port tcp/257 upon the gateway and the manager. To do this use either or both of the following commands,
- netstat -an | grep 257 - This will show the state of the TCP sockets.
- tcpdump -ni [interface name] port 257 - This will show a packet capture of the FW Log packets on the subsequent interface.
If the gateway is not sending the logs then this can be down to one of the following issues,
- SIC is not established.
- The Logging configuration for the Gateway is not configured correctly.
- The SmartCentre/Log Manager is not listening on port tcp/257.
- There is an issue with FWD on the gateway. In some instances you may need to restart FWD via a cpstart. Though the root cause could be down to a number of factors.
The SmartCentre / Log Manager is not receiving the logs
If the gateway is sending the logs but the SmartCentre / Log Manager is not receiving them then either a device between the 2 nodes is blocking the packets or there is a routing issue.
Why are the logs not being displayed within SmartView tracker ?
Ok so the manager is receiving the logs but you may still not see them within the SmartView tracker this will be down to either the FWD (Firewall Daemon) or the log files being corrupted.
Log Files Corrupted
If the log files are corrupted you should expect to see no logs within the SmartView Tracker. If this is the case you will need to action the following steps :
- Close the Log Viewer/SmartView Tracker and Policy Editor/SmartDashboard.
- Execute the fwstop or cpstop command (depending on the version) from the command line.
- Remove all files starting with fw.log and fw.logptr from the $FWDIR\log directory.
- Execute the fwstart or cpstart (depending on the version) command.
Full details can be found at Check Points KB within Solution ID sk6432.
Only some of the logs are not being displayed
If only some of the logs are not being displayed then this could point to an issue with the trust between the manager and the gateway.
To confirm the issue you will need to debug FWD using the following steps.
root@cp-mgnt# fw debug fwd on TDERROR_ALL_ALL=5
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg | grep -i "Certificate is revoked"
root@cp-mgnt# fw debug fwd off
Within these steps we first enable the debug. Then we run a live tail on the log file. And then we run a grep on the live tail for a specific error. The live tail allows us to view the end of the log file in real time. We finally turn off the debug.
Below shows an example of an error with the SIC trust between the Gateway and Manager obtained from the $FWDIR/log/fwd.elg,
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. CN=cp-fw2,O=cp-mgnt..bizt7z
In this instance resetting SIC would resolve this issue.