{"id":296,"date":"2019-08-15T00:34:00","date_gmt":"2019-08-15T00:34:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=296"},"modified":"2024-11-17T15:59:52","modified_gmt":"2024-11-17T15:59:52","slug":"troubleshooting-logging-on-checkpoint-r77-30-windows-management-server","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/troubleshooting-logging-on-checkpoint-r77-30-windows-management-server\/","title":{"rendered":"Troubleshoot logging on Checkpoint R77.30 Windows Mgmt Server"},"content":{"rendered":"<p>If you have installed a Checkpoint management server on a Windows platform, you may notice that after adding the relevant gateways and creating access rules you are not seeing any logs in SmartView Tracker from any of the gateways, and only the management server traffic is visible.<\/p>\n<p>I came across this issue in a lab environment while testing for a migration of R77.30 to R80.30. I had to rebuild an environment on Windows to replicate the process. Although R77.30 will become EoL by Sep 2019, some people may still be using this somewhere and may experience this issue; therefore I have decided to write out a step-by-step process on how to troubleshoot this below.<\/p>\n<p>The issue described can be due to logging not being set up correctly or connection issues between the management server and the gateways.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-297\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-1.jpeg\" width=\"670\" height=\"423\"><\/p>\n<p>To troubleshoot this, we first need to verify that logging is set up correctly.<\/p>\n<p><strong>Step 1<\/strong>: In SmartDashboard, select the gateway\/cluster object and click \u201cEdit\u201d. From the properties window, select \u201cLogs\u201d and ensure \u201cSend gateway logs and alerts to server (SERVERNAME)\u201d is selected. 
Click \u201cOK\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-298\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-2.jpeg\" width=\"675\" height=\"481\"><\/p>\n<p><strong>Step 2<\/strong>: Right-click the Management Server object and click \u201cEdit\u201d. From the \u201cGeneral Properties\u201d window, under \u201cManagement\u201d, ensure the \u201cLogging &amp; Status\u201d blade is selected.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-299\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-3.jpeg\" width=\"672\" height=\"476\"><\/p>\n<p>Select \u201cLogs\u201d from the left-hand side and ensure the gateway\/cluster is configured to send logs and alerts. SmartLog does not have to be enabled \u2013 however, if you would like to use SmartLog you can tick this box. Click \u201cOK\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-300\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-4.jpeg\" width=\"674\" height=\"480\"><\/p>\n<p><strong>Step 3<\/strong>: Lastly, ensure your access rules are set to \u201cLog\u201d under \u201cTrack\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-301\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-5.jpeg\" width=\"681\" height=\"231\"><\/p>\n<p><strong>Step 4<\/strong>: Click save and install the policy.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-302\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-6.jpeg\" width=\"418\" height=\"307\"><\/p>\n<p>Let\u2019s now look at the connection between the gateway\/cluster and the management server. Logging uses TCP 257: the gateway initiates the connection from a random source port and the management server listens on port 257. 
Using netstat we can verify whether the management server is listening on TCP 257, then using \u201cPaping\u201d we can do a port test to see if we can connect on TCP port 257 to the Management Server.<\/p>\n<p><strong>Step 5<\/strong>: From the management server, launch CMD and issue the following command:<\/p>\n<p>netstat -np TCP | find \"257\"<\/p>\n<p>In the output below nothing is returned; this indicates that a TCP session has not been initiated, therefore the port is most likely not listening yet.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-303\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-7.jpeg\" width=\"552\" height=\"273\"><\/p>\n<p><strong>Step 6<\/strong>: Using \u201cPaping\u201d from the local machine, let\u2019s see if we can connect on TCP 257 to the management server itself.<\/p>\n<p>Paping.exe 192.168.1.101 -p 257 -c 4<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-304\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-8.jpeg\" width=\"561\" height=\"198\"><\/p>\n<p>The connection has been successful locally; let\u2019s now have a look to see if TCP port 257 is listening.<\/p>\n<p>netstat -np TCP | find \"257\"<\/p>\n<p>This time netstat is showing a TCP connection was initiated, therefore the port is now in a listening state.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-305\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-9.jpeg\" width=\"564\" height=\"148\"><\/p>\n<p><strong>Step 7<\/strong>: Using \u201cPaping\u201d from another Windows machine, let\u2019s see if we can connect on TCP 257 to the management server.<\/p>\n<p>Paping.exe 192.168.1.101 -p 257 -c 4<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-306\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-10.jpeg\" width=\"570\" 
height=\"182\"><\/p>\n<p>We can see from the output above that the connection is failing; this indicates that something is blocking our port test, highly likely the Windows firewall.<\/p>\n<p>On the management server, let\u2019s create a rule on the Windows firewall to allow TCP 257 inbound.<\/p>\n<p><strong>Step 8<\/strong>: Launch \u201cWindows Firewall with Advanced Security\u201d, select \u201cInbound Rules\u201d and hit \u201cNew Rule\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-307\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-11.jpeg\" width=\"600\" height=\"187\"><\/p>\n<p>Select \u201cPort\u201d and hit \u201cNext\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-308\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-12.jpeg\" width=\"604\" height=\"484\"><\/p>\n<p>Select \u201cTCP\u201d and \u201cSpecific local ports\u201d, enter \u201c257\u201d as the port number and click \u201cNext\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-309\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-13.jpeg\" width=\"604\" height=\"484\"><\/p>\n<p>Select \u201cAllow the connection\u201d and click \u201cNext\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-310\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-14.jpeg\" width=\"606\" height=\"485\"><\/p>\n<p>Select the preferred network locations to apply to \u2013 in this case I am happy to apply to all.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-311\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-15.jpeg\" width=\"605\" height=\"486\"><\/p>\n<p>Give the rule a meaningful name and click \u201cFinish\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-312\" 
src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-16.jpeg\" width=\"604\" height=\"485\"><\/p>\n<p>The rule should now be visible with a green tick to indicate it is enabled.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-313\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-17.jpeg\" width=\"606\" height=\"124\"><\/p>\n<p><strong>Step 9<\/strong>: Let\u2019s now repeat the Paping test from the separate Windows machine.<\/p>\n<p>Paping.exe 192.168.1.101 -p 257 -c 4<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-314\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-18.jpeg\" width=\"573\" height=\"170\"><\/p>\n<p>As we can see, the port test is now successful, which indicates the gateways should be able to connect on this port to the management server.<\/p>\n<p>If we issue a netstat command on the management server we can see if the gateway has connected.<\/p>\n<p>netstat -np TCP | find \"257\"<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-315\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-19.jpeg\" width=\"577\" height=\"96\"><\/p>\n<p>We can see that there is now a connection that has been established between the gateway and the management server. 
The gateway is using a random source port of 36020 and a destination port of 257.<\/p>\n<p>If we now generate some traffic and refresh SmartView tracker we should see all the logs coming in from the gateway.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-316\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2023\/04\/word-image-296-20.jpeg\" width=\"673\" height=\"475\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you have installed a checkpoint management server on a windows platform, you may notice that after adding the relevant gateways and creating access rules<\/p>\n","protected":false},"author":1,"featured_media":328,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,6],"tags":[39,40,41,42,43,44],"class_list":["post-296","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-checkpoint-firewall","category-security","tag-checkpoint","tag-fw-log","tag-logging","tag-management-server","tag-smartview-tracker","tag-traffic"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=296"}],"version-history":[{"count":5,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/296\/revisions"}],"predecessor-version":[{"id":462,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/296\/revisions\/462"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/328"}],"wp:attachment":[{"href":"h
ttps:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}