Support Center > Search Results > SecureKnowledge Details
R77.10 Log Server stops forwarding logs to LEA clients: SmartEvent, SmartReporter, OPSEC clients
Symptoms
  • R77.10 Log Server stops forwarding logs to LEA clients:

    • New events are not coming to SmartEvent.
    • Logs are not processed by SmartReporter consolidation session.
    • Logs are not forwarded to 3rd-party OPSEC clients.
  • Other versions are not affected.

Cause

When switching the active log to new one (log switch), R77.10 Log Server does not notify the LEA client about the new log file.

Issue occurs on R77.10 Log Servers in the following environments:

  • Multi-Domain Security Management Server.
  • Smart-1 5 appliance.
  • Log Servers with deactivated 'Spawn_LEA' attribute (see sk91343).

Solution

This problem was fixed. The fix is included in:

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade VSX / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

 

For lower versions, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

 

Background:

Hotfix has to be installed on R77.10 Multi-Domain Security Management Server / Log Server machine.

Clarification:

  • Log Server can be a separate machine (in such case, install the hotfix only on Log Server)
  • Security Management Server may act a Log Server for Security Gateways

Note: In Management HA environment, this procedure must be performed on both Management Servers.

 

Procedure:

  • Show / Hide instructions for R77.10 Multi-Domain Security Management Server on Gaia / SecurePlatform / Linux OS

    1. Download the hotfix package for Multi-Domain Security Management Server from here (Check_Point_Hotfix_R77.10_sk98588.tgz).

    2. Copy the hotfix package to the Multi-Domain Security Management Server (into some directory, e.g., /some_path_to_fix/).

    3. Unpack the hotfix package:
      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar zxvf Check_Point_Hotfix_R77.10_sk98588.tgz
    4. Switch to the context of MDS:
      [Expert@HostName]# mdsenv
      
    5. Install the hotfix:
      [Expert@HostName]# ./fw1_wrapper_HOTFIX_R77_10_HF_LOGSERVER_LEA_117_990117001_1
      Note: The script will stop all of Check Point services (mdsstop) - read the output on the screen.

    6. Reboot the Multi-Domain Security Management Server.


  • Show / Hide instructions for R77.10 Log Server on Gaia / SecurePlatform / Linux OS

    1. Download the hotfix package for Log Server from here (Check_Point_Hotfix_R77.10_sk98588.tgz).

    2. Copy the hotfix package to the Log Server (into some directory, e.g., /some_path_to_fix/).

    3. Unpack the hotfix package:
      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar zxvf Check_Point_Hotfix_R77.10_sk98588.tgz
    4. Install the hotfix:
      [Expert@HostName]# ./fw1_wrapper_HOTFIX_R77_10_HF_LOGSERVER_LEA_117_990117001_1
      Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.

    5. Reboot the Log Server.


  • Show / Hide instructions for R77.10 Log Server on Windows OS

    1. Download the hotfix package for Log Server from here (Check_Point_Hotfix_R77.10_sk98588.exe).

    2. Copy the hotfix package to the Log Server (into some directory).

    3. Install the hotfix:

      Right-click on the Check_Point_Hotfix_R77.10_sk98588.exe file - click on 'Run as administrator'.

      Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.

    4. Reboot the Log Server.

 

Applies To:
  • 01361419 , 01363419 , 01363421 , 01368780 , 01370804 , 01395373 , 01447069 , 01449264 , 01453125

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment