Subject: Re: [FW-1] **odd logging issues on IPSO FW-1 NGAI**
From: "Lockwood, Robert (R.)" <rlockwo2 AT FORD DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 24 Aug 2004 14:53:47 +0100
We had two addresses defined for logging and one of these was unavailable to 
the enforcement modules. The netstat on the firewall concerned showed a 
SYN_SENT TCP connection state to the unavailable server on service port 257. It 
kept trying to connect. It also had an active ESTABLISHED with the other log 
server and therefore should not have logged locally (according to authoritative 
advice).

Last night I modified the CheckPoint firewall objects to point at just one log 
server.  After the policy compiled and pushed, fw logswitch was executed to 
zero the fw.log file (it actually creates an empty log file of 8348 bytes). The 
file has not yet increased in size, so it appears that the local logging issue 
has been removed. I am still monitoring to see if the problem comes back or 
not...

Regards,

Rob
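
The check described in the message above (one port-257 connection ESTABLISHED, another stuck in SYN_SENT, then watching whether fw.log grows past its post-logswitch size), written as an added shell example that is not part of the original post. The function names and the sample netstat lines are constructed for illustration; the column layout assumed is the usual `netstat -an` one (foreign address in column 5, state in column 6).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# stdin: `netstat -an` output. stdout: "<remote-host> <state>" for every TCP
# connection whose remote port is 257. Accepts BSD-style "addr.port" columns
# (as on IPSO) and Linux-style "addr:port".
log_conn_states() {
    awk '
        $1 ~ /^tcp/ && NF >= 6 {
            remote = $5
            if (match(remote, /[.:][0-9]+$/) == 0) next   # e.g. "*.*" on LISTEN
            if (substr(remote, RSTART + 1) == "257")
                print substr(remote, 1, RSTART - 1), $6
        }'
}

# Remote log servers whose port-257 connection is not ESTABLISHED
# (the post saw SYN_SENT towards the log server that was unreachable).
stuck_log_servers() {
    log_conn_states | awk '$2 != "ESTABLISHED" { print $1 }' | sort -u
}

# True when the local log file is larger than a baseline size in bytes
# (the post reports 8348 bytes right after `fw logswitch`).
local_log_growing() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt "$2" ]
}

# Constructed sample input using documentation address ranges.
SAMPLE='Proto Recv-Q Send-Q  Local Address      Foreign Address     (state)
tcp        0      0  192.0.2.10.1042    198.51.100.5.257    ESTABLISHED
tcp        0      1  192.0.2.10.1043    198.51.100.6.257    SYN_SENT
tcp        0      0  192.0.2.10.22      192.0.2.50.51234    ESTABLISHED
tcp        0      0  *.257              *.*                 LISTEN'

printf '%s\n' "$SAMPLE" | log_conn_states
echo "not established: $(printf '%s\n' "$SAMPLE" | stuck_log_servers)"
```

On an enforcement module the same functions can be fed live data with `netstat -an | stuck_log_servers`, and `local_log_growing "$FWDIR/log/fw.log" 8348` polled after a log switch.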

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Zeltser, Roman
Sent: 23 August 2004 15:01
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] **odd logging issues on IPSO FW-1 NGAI**


We have been having the logging problem with NG-AI hf5.5 for about 2 months,
and it has not been resolved yet. Even though we found the problem with
DNS resolution between the firewall and the management server and fixed it,
the problem still exists. Check Point's developer is working on this
issue. If you have CP support, I'd suggest opening a ticket.



Best regards,

Roman M. Zeltser,

@National Computer Center

DNE, RSIS

Information Security Index
<http://www.rtek2000.com/Tech/InternetSecureLinks.html>

*** Securing your retirement money from hackers.***



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lockwood, Robert (R.)
Sent: Monday, August 23, 2004 6:19 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] **odd logging issues on IPSO FW-1 NGAI**



Hi Group.



Has anyone ever encountered problems with Nokia IPSO/FW-1 NGAI, where the
CheckPoint logs store both locally (on the enforcement modules) and on a
remote FW-1 logging server?



We are seeing the local $FWDIR/log/fw.log growing rapidly and impacting on
the Nokia system performance (direct or indirect impact?). The settings in
the SmartDash GUI are configured for remote logging only and the observed
behaviour is not desired.



The firewall is reasonably loaded during peak business hours, but has
reasonable memory and CPU speed. I suspect that the logging issue is
impacting on the system.

I do not want to reduce the logging for security and diagnostic reasons, so
really need to understand why the local logging is occurring.



It has been suggested that the system may be maxing out and that a larger
unit may need to be deployed, but I want to remove this log issue to start
with.



 - The bandwidth to the logging server is believed not to be an issue - the
log data traverses an out-of-band network that isn't busy.



 - The log server has adequate storage and is on a powerful Unix system.



 - A "netstat -an | grep 257" shows an ESTABLISHED  tcp connection open to
the log server.



 - The log server is receiving and recording log data successfully.



 - The logging buffers on the Nokia are set to the standard size (the system
has not been modzapped) - I am not sure whether they are reaching their
bounds or not.



Thanks for your help!



Regards,



Rob



Robert Lockwood, CISSP.





=================================================

To set vacation, Out-Of-Office, or away messages,

send an email to LISTSERV AT amadeus.us.checkpoint DOT com

in the BODY of the email add:

set fw-1-mailinglist nomail

=================================================

To unsubscribe from this mailing list,

please see the instructions at

http://www.checkpoint.com/services/mailing.html

=================================================

If you have any questions on how to change your

subscription options, email

fw-1-owner AT ts.checkpoint DOT com

=================================================

