
RE: A Check Point NG Cluster Logging Time Off Question

Subject: RE: A Check Point NG Cluster Logging Time Off Question
Date: Mon, 19 Dec 2005 23:06:31 -0500
Doug,

There may be multiple issues going on here, so we'll need to address one at a time.
- System time. Verify that the underlying OS's system time/date is identical on all three devices - both cluster nodes and the Mgt Server (assuming of course they are all located in the same time zone, else calculate based on UTC). If you have not already configured it, NTP is highly recommended in a cluster and especially if you are using any of the VPN capabilities. The timestamp of a log entry is recorded by the firewall module during the inspection process. So, funky log record time equals funky system time on the firewall module.
- Local logging. Why do CP firewalls log locally? Unless you configure them as such, the main reason is that the SIC channel has been broken between the firewall module and its Mgt Server (SmartCenter Server). There are other weird anomalies that can cause this, but the main one is definitely the SIC channel. What does the path look like between your cluster nodes and the Mgt Server? Are they on the same subnet or is the connectivity fairly complex (such as a WAN link that frequently flaps)?


-Chris


From: "Doug Fox" <dfox168@hotmail.com>
To: <firewalls@securityfocus.com>
Subject: A Check Point NG Cluster Logging Time Off Question
Date: Wed, 14 Dec 2005 14:02:02 -0500

We have a cluster of two NG firewalls.  The logging on member-1 is off by a
couple of hours and the firewall logs locally.  The member-2 is working
beautifully.

When I perform a cprestart member-1, it would log to the SmartCenter
(management server) normally but then slowly the logs fall behind in time
until it is a couple of hours behind again.

I had checked the Check Point KnowledgeBase and had verified the daylight saving
time settings on the member firewalls and the SmartCenter.  I have also
checked the log servers used.

I'm seeking advice on where else I should look to troubleshoot this
incident.  Your assistance is much appreciated.

Doug

