YAFLST – Yet Another Firewall Logging Status Tool

So you might not have noticed, but logging HA is not quite the HA you think it is. About 10-20% of our 350 firewalls fail to HA and either just stop logging or log locally until we nudge them... or maybe we screwed something up.

Anyways... So how do you know which ones are not HA?

You don’t, until now. (OKAY, it is a kludge, but it’s the best I know how to do.)

  1. Do this GET LIST OF FIREWALLs.
  2. This gets you a list of gateways and cluster members. You can get rid of the ‘gateway_cluster’ objects; they are usually not needed for logging. Cluster members use their physical IP and not the VIP.
  3. Import into a spreadsheet with worksheet label ‘fw’. Sort and get rid of obvious junk.
  4. On the log servers, run ‘netstat -an | fgrep :257’. This lists all of the firewalls logging to that server.
  5. Import them into the same spreadsheet with worksheet label ‘targets’. Sort and get rid of junk.
  6. Import this macro into your spreadsheet: MACRO. OK, I hacked a VB script; it’s not pretty. You could also use some Perl script at this point.
  7. Anyways, the script will put an ‘X’ in column 3 for the firewalls that are logging.
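As an added example (not the author’s VB macro), here is the same comparison done in a script instead of a spreadsheet: it reads the firewall list from steps 1-3 and the log server’s netstat output from step 4, and marks which gateways have an ESTABLISHED session to TCP 257. Both inputs are constructed samples, and the netstat column layout and state names assume a Linux/Gaia-style netstat with IPv4 addresses.

```python
import re

# Constructed sample: gateway and cluster-member physical IPs (steps 1-3).
FIREWALLS = """
10.1.1.1
10.1.1.2
10.2.5.10
192.168.40.1
"""

# Constructed sample of 'netstat -an | fgrep :257' on the log server (step 4).
NETSTAT = """
tcp        0      0 10.0.0.5:257       10.1.1.1:42611      ESTABLISHED
tcp        0      0 10.0.0.5:257       10.2.5.10:51022     ESTABLISHED
tcp        0      0 10.0.0.5:257       192.168.40.1:38801  TIME_WAIT
tcp        0      0 0.0.0.0:257        0.0.0.0:*           LISTEN
"""

LOG_PORT = 257  # Check Point log forwarding (FW1_log) uses TCP 257
# Linux-style netstat line: proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)")


def logging_peers(netstat_text, port=LOG_PORT):
    """Remote IPs with an ESTABLISHED session to the local log port."""
    peers = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _local, lport, remote, _rport, state = m.groups()
        # LISTEN and half-closed states are not a gateway actively logging.
        if int(lport) == port and state == "ESTABLISHED":
            peers.add(remote)
    return peers


def logging_status(firewall_text, netstat_text):
    """Map each firewall IP to True (logging) or False (absent on :257)."""
    peers = logging_peers(netstat_text)
    fws = [ln.strip() for ln in firewall_text.splitlines() if ln.strip()]
    return {fw: fw in peers for fw in fws}


if __name__ == "__main__":
    # Same result as the macro's column 3: 'X' for firewalls that are logging.
    for fw, ok in logging_status(FIREWALLS, NETSTAT).items():
        print(f"{fw:<16} {'X' if ok else 'not logging'}")
```

A gateway in TIME_WAIT or missing entirely is the one to nudge; run it against each log server, since a cluster member may legitimately be logging to the other one.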

Seems to me a $$$$$ gazillion dollar HA logging system should do HA. Probably fixed in R80.

Oh yeah, I’ve been using this in Cattools to nudge them:

cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"

cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"

Logging off

dreez


Comments

  • Yoni Leitersdorf  On October 1, 2014 at 1:27 am

    Nice one. It’s quite a hack and there are other ways to achieve this (excluding using indeni, of course). To know if firewalls are logging locally look at the fw.log and if it’s growing. No need for Excel magic.

    By the way, your post shows up as being made on Oct 1st, 2014. So actually, this is from the future 🙂

  • Ed Marciniak  On October 30, 2014 at 11:46 pm

    A while back, I helped out with an issue where a bunch of firewalls weren’t forwarding their logging. Perhaps it was a different problem, but running a logfetch from the mlm seemed to “tickle” the firewalls without having to mess with processes. I also scripted walking every customer on the CLM and fetching from each fw object.


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
