Check Point Security Gateway stores fw.log locally

I came across an issue where the Check Point Security Gateway consistently stored the firewall logs locally as well as forwarding them to the Security Management server.
As a result, the /var/log partition reached 100%.

Thinking this was the result of the Security Gateway having lost connection with the SM at some point (which makes it store the log files locally), I tried approaching the issue by:

  • Installing a policy
  • Running the command cpstart
  • Checking the connection with the SM

I could also see the logs in SmartView Tracker and confirm that the SG had established a connection with the SM (port TCP/257 is used for log transfer).

[Expert@chkp-sg1]# netstat -an | grep 257

tcp 0 0 127.0.0.1:58043 127.0.0.1:257 ESTABLISHED
tcp 0 0 10.20.30.1:39742 10.10.33.9:257 ESTABLISHED


After a bit of digging I found this box ticked off which explained it all.
[Screenshot: Chkp - save logs locally]

The Security Gateway was, in fact, incorrectly configured to store the logs locally.

HTH
Gos
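
The check described in the post can be scripted as below. This is an added example, not part of the original post: it separates "log server unreachable" from "log session up but /var/log still filling", the case that pointed to the local-logging setting. The function names, the labels they print, the 90% threshold and the decoy netstat line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# Constructed sample: the two netstat lines from the post plus one decoy whose
# ephemeral port merely contains "257" (a plain `grep 257` would match it too).
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:58043 127.0.0.1:257 ESTABLISHED
tcp 0 0 10.20.30.1:39742 10.10.33.9:257 ESTABLISHED
tcp 0 0 10.20.30.1:42570 10.10.33.50:443 ESTABLISHED'

# Read `netstat -an` output on stdin and print the remote (non-loopback)
# peers that have an ESTABLISHED session to TCP/257.
log_peers() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" && $5 ~ /:257$/ && $5 !~ /^127\./ {
             sub(/:257$/, "", $5); print $5 }'
}

# Current usage of the /var/log partition as a bare number (e.g. 100).
var_log_pct() {
    df -P /var/log | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Classify the situation.
#   $1 = netstat -an output, $2 = /var/log usage in percent,
#   $3 = alert threshold in percent (assumed default: 90)
diagnose() {
    peers=$(printf '%s\n' "$1" | log_peers)
    limit=${3:-90}
    if [ "$2" -lt "$limit" ]; then
        echo "ok"
    elif [ -n "$peers" ]; then
        # Log session is up, so fallback logging does not explain the growth:
        # review the gateway object's "save logs locally" setting.
        echo "local-logging-suspected"
    else
        # No remote session on TCP/257: the gateway is logging locally
        # because it cannot reach the management server.
        echo "log-server-unreachable"
    fi
}

# Demo on the constructed sample; on a gateway, use instead:
#   diagnose "$(netstat -an)" "$(var_log_pct)"
diagnose "$SAMPLE_NETSTAT" 100
```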
