If you have installed a checkpoint management server on a windows platform, you may notice that after adding the relevant gateways and creating access rules you are not seeing any logs in SmartView tracker from any of the gateways and only the management server traffic is visible.

I came across this issue in a lab environment while testing for a migration of R77.30 to R80.30 . I had to rebuild an environment on windows to replicate the process. Although R77.30 will become EoL by Sep 2019 some people may still be using this somewhere and may experience this issue, therefore I have decided to write out a step by step process on how to troubleshoot this below.

The issue experienced as described can be due to logging not being setup correctly or connection issues between the management server and the gateways.

To be able to troubleshoot this, first we will need to verify logging is setup correctly.

Step 1: On the Smart Dashboard, select the gateway/cluster object and click “Edit” from the properties window select “Logs” and ensure “Send gateway logs and alerts to server (SERVERNAME)” is selected. Click “OK”

Step 2: Right click the Management Server object and click “edit” from the “General Properties” window under “Management” ensure “Logging & Status” blade is selected.

Select “Logs” from the left hand side and ensure the gateway/cluster is configured to send logs and alerts. SmartLog does not have to be enabled – however if you would like to use SmartLog you can tick this box. Click “OK”

Step 3: Lastly ensure your access rules are selected to “Log” under “Track”

Step 4: Click save and install the policy

Lets now look at the connection between the gateway/cluster and the management server. The connection used for logging uses TCP 257, the gateway initiates the connection using a random source port and the management server listens on that specific port. Using netstat we can verify if the management server is listening on TCP 257, then using “Paping” we can do a port test to see if we can connect on TCP port 257 to the Management Server.

Step 5: From the management server, launch CMD and issue the following command:

Netstat –np TCP | find 257”

From the output below we cannot see anything being returned, this indicates that a TCP session has not been initiated therefore the port is most likely not listening yet

Step 6: Using “Paping” from the local machine let’s see if we can connect to TCP 257 to the management server itself.

Paping.exe 192.168.1.101 –p 257 –c 4

The connection has been successful locally, lets now have a look to see if the TCP port 257 is listening.

Netstat –np TCP | find 257”

This time netst is showing a TCP connection was initiated therefore the port is now in a listening state.

Step 7: Using “Paping” from another windows machine let’s see if we can connect to TCP 257 to the management server.

Paping.exe 192.168.1.101 –p 257 –c 4

We can see from the output below that the connection is failing, this indicates that something is blocking our port test, , this is highly likely the windows firewall.

On the management server lets create a rule on the windows firewall to allow TCP 257 inbound.

Step 8: Launch “Windows firewall with Advanced Security” Select “Inbound Rules” and hit “New Rule”

Select “Port” and hit “Next”

Select “TCP” and “Specific local ports” enter “257” as the port number and click “Next”

Select “Allow the connection” and click “Next”

Select the preferred network locations to apply to – in this case I am happy to apply to all

Give the rule a meaningful name and click “Finish”

The rule should now be visible with a green tick to identify it is enabled.

Step 9: Lets now repeat the Paping test from the separate windows machine

Paping.exe 192.168.1.101 –p 257 –c 4

As we can see the port test is now successful which now indicates the gateways should be able to connect on this port to the management server.

If we issue a netstat command on the management server we can see if the gateway has connected.

Netstat –np TCP | find 257”

We can see that there is now a connection that has been established between the gateway and the management server. The gateway is using a random source port of 36020 and a destination port of 257.

If we now generate some traffic and refresh SmartView tracker we should see all the logs coming in from the gateway.