I came across an issue where the Check Point Security Gateway consistently stored the firewall logs locally as well as forwarding them to the Security Management server.
As a result the /var/log partition reached 100%.
Thinking this was the result of the Security Gateway having lost its connection with the SM at some point (which makes it store the log files locally), I approached the issue by
- installing a policy
- running the command cpstart
- checking the connection with the SM
I could see the logs in SmartView Tracker and also confirm that the SG had an established connection with the SM (TCP/257 is the port used for log transfer):
[Expert@chkp-sg1]# netstat -an | grep 257
…
tcp 0 0 127.0.0.1:58043 127.0.0.1:257 ESTABLISHED
tcp 0 0 10.20.30.1:39742 10.10.33.9:257 ESTABLISHED
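As an added example (not from the original post), the two checks above can be scripted so they do not rely on eyeballing netstat output: one function picks out established, non-loopback sessions to foreign port 257 (a bare grep for "257" also matches ephemeral ports such as 18192), the other reads the usage of a mount point from df -P output. The netstat and df samples below are constructed to resemble the post's situation; the addresses, the Gaia-style df layout and the 90% threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses netstat -an output for
# established log-transfer sessions to the SM (TCP/257) and df -P output for a
# full /var/log. All sample data below is constructed.

# Constructed netstat -an sample: a loopback session (fwd talking to itself),
# one real session to a management server at 10.10.33.9, and unrelated noise.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:58043         127.0.0.1:257           ESTABLISHED
tcp        0      0 10.20.30.1:39742        10.10.33.9:257          ESTABLISHED
tcp        0      0 10.20.30.1:18192        10.10.33.9:18191        ESTABLISHED'

# Constructed sample with only the loopback session: SM is NOT reachable.
SAMPLE_NETSTAT_NOSM='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:58043         127.0.0.1:257           ESTABLISHED'

# Constructed df -P sample (Gaia-style volume names assumed) with /var/log full.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current 18874368 6291456 12582912 34% /
/dev/mapper/vg_splat-lv_log 31457280 31457280 0 100% /var/log'

# Print remote log-server addresses: TCP, ESTABLISHED, foreign port exactly 257,
# foreign address not loopback. Reads netstat -an output on stdin.
log_server_sessions() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $5 ~ /:257$/ && $5 !~ /^127\./ {
            sub(/:257$/, "", $5); print $5 }'
}

# Exit 0 if at least one real (non-loopback) log session exists, 1 otherwise.
log_connection_ok() {
    [ -n "$(log_server_sessions)" ]
}

# Print the usage percentage of a mount point from df -P output on stdin
# (prints nothing if the mount point is not listed).
partition_usage() {
    awk -v m="$1" '$NF == m { sub(/%/, "", $5); print $5 }'
}

# Exit 0 if the mount point is at or above the threshold (default 90%).
partition_full() {
    pct=$(partition_usage "$1")
    thr="${2:-90}"
    [ -n "$pct" ] && [ "$pct" -ge "$thr" ]
}

# Demo on the constructed samples. On a real gateway you would pipe
# `netstat -an` and `df -P` in instead.
if printf '%s\n' "$SAMPLE_NETSTAT" | log_connection_ok; then
    echo "log connection to SM: $(printf '%s\n' "$SAMPLE_NETSTAT" | log_server_sessions)"
else
    echo "no log connection to SM: gateway will store logs locally"
fi
if printf '%s\n' "$SAMPLE_DF" | partition_full /var/log; then
    echo "/var/log at $(printf '%s\n' "$SAMPLE_DF" | partition_usage /var/log)%: check local logging"
fi
```

Note that a connection on TCP/257 only shows that log transfer is possible; as the rest of the post shows, the gateway can still be configured to keep a local copy regardless, so the disk check stays useful even when the connection check passes.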
After a bit of digging I found the option to save logs locally ticked, which explained it all.
The Security Gateway was in fact incorrectly configured to store the logs locally as well as forwarding them.
HTH
Gos