Before you can check for usage, please make sure OPSEC has been established first.
You will need to put your Data Collector into TRACE and then tail the Data Collector log while grepping for the Check Point gateway's IP. This will confirm whether or not FireMon is receiving any messages from that gateway.
- To do this, navigate to the Server Control Panel (https://servernameorIP:55555) and sign in with your CLI credentials.
- Once logged in, navigate to SecMgr > DC and then toggle the slider to the on position and change the drop down to TRACE.
- In the bottom left corner, click Stage Changes followed by Apply Configuration. Once this goes through, your DC will be in TRACE.
- Next, SSH into the FireMon server and run the following command:
fmos logview /var/log/firemon/dc/DataCollector.log -Tf | grep -i "IPofgateway"
It may take a few seconds for anything to start coming in; you will either see messages or nothing at all. If nothing comes in after waiting several moments, you are not receiving LEA messages and cannot track usage. If the messages coming in contain ***CONFIDENTIAL***, then your OPSEC permissions need to be double-checked.
If you see messages coming in that contain "orig" as well as "src" and "dest", then the issue may be getting your firewalls tied to the correct logserver in FireMon.
Please remember to set your data collector back to INFO mode after running this test in the server control panel. You will not want to leave it in trace.
In the event the CP firewall is logging usage to the wrong log server, you will have to update the device settings via the API call:
PUT /domain/{domainId}/device/{id}
(it is located just under the "GET" device by ID call). Replace the logServerDeviceId, currently defined as:
"logServerDeviceId": "502",
with the ID of whichever log server that CP firewall is actually logging to. Once the logServerDeviceId setting is updated, PUT (push) the device settings back up to the database, then perform a fake install; the issue should be resolved for that firewall.
This is a manual process for each R80 firewall, one by one, until the updated Device Pack in Device-3386 is available, which we hope to have within the next few days.
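As an added example (not FireMon's own code), the log-check decision tree above and the log-server retarget in one Python script; the API root URL, the Authorization header value and the sample TRACE lines are assumptions/constructed, not real FireMon output:

```python
import json
import re
from enum import Enum
from urllib.request import Request

class Diagnosis(Enum):
    NO_LEA = "no LEA messages from this gateway: usage cannot be tracked"
    OPSEC_PERMS = "messages are ***CONFIDENTIAL***: re-check OPSEC permissions"
    LOG_SERVER_MAPPING = "LEA records arriving: check the firewall-to-log-server mapping"
    UNKNOWN = "messages seen, but none match a known signature"

def triage_dc_log(lines, gateway_ip):
    """Apply the decision tree above to Data Collector TRACE lines for one gateway."""
    # Anchor the IP so 10.0.0.5 does not also match 10.0.0.50 (a plain grep would).
    ip_re = re.compile(r"(?<![\d.])" + re.escape(gateway_ip) + r"(?![\d.])")
    hits = [line for line in lines if ip_re.search(line)]
    if not hits:
        return Diagnosis.NO_LEA
    if any("***CONFIDENTIAL***" in line for line in hits):
        return Diagnosis.OPSEC_PERMS
    if any(all(k in line for k in ("orig", "src", "dest")) for line in hits):
        return Diagnosis.LOG_SERVER_MAPPING
    return Diagnosis.UNKNOWN

def retarget_log_server(device, new_log_server_id):
    """Copy the device record from GET /domain/{domainId}/device/{id} and point
    logServerDeviceId at the log server the gateway actually logs to."""
    body = dict(device)  # leave the caller's copy untouched
    body["logServerDeviceId"] = str(new_log_server_id)
    return body

def build_put_request(base_url, domain_id, device_id, body, auth_header):
    """Build PUT /domain/{domainId}/device/{id}; base_url (the FireMon API root,
    an assumption here) and the Authorization header value are supplied by the caller."""
    url = f"{base_url.rstrip('/')}/domain/{domain_id}/device/{device_id}"
    headers = {"Content-Type": "application/json", "Authorization": auth_header}
    return Request(url, data=json.dumps(body).encode(), headers=headers, method="PUT")

# Constructed sample TRACE lines (not real FireMon output) for the checks above.
SAMPLE_LOG = [
    "TRACE LEA 10.0.0.5 ***CONFIDENTIAL***",
    "TRACE LEA 10.0.0.5 orig=10.0.0.5 src=192.0.2.10 dest=198.51.100.7 rule=12",
    "TRACE LEA 10.0.0.50 orig=10.0.0.50 src=192.0.2.11 dest=198.51.100.8",
]
```

Send the request with urllib.request.urlopen once you have fetched the device record with the matching GET call.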