[FW1] Solution: OPSEC LEA problems
Hello,
On Mar 24, I posted to this list the following message:
============ Begin ==========
Hello all,
We are evaluating Webtrends for Firewalls and VPNs as a log
reporting tool. This is configured to use Checkpoint's OPSEC LEA interface
in order to get the log records from our HP-UX 10.20 Firewall-1 SP8 box.
Every time we need to restart the LEA connection between NT (with Webtrends)
and Firewall-1 (due to an NT crash, for instance) we see the following
messages at the HP-UX console:
fwd: lea_get_filename: There is no logfile related to the fileid 6
fwd: lea_server_demultiplex_datagram: could not receive the requested
logfile
fwd: lea_get_filename: There is no logfile related to the fileid 8
fwd: lea_server_demultiplex_datagram: could not receive the requested
logfile
The "fileid number" changes sometimes and the only way to restart this log
import process is deleting all imported logs on the NT side. Although
Webtrends' support is really good, we are still having problems.
Actually, we are thinking that this is a Firewall-1 related problem, since
we realized that a Secureview copy, previously evaluated, generated the
same kind of error.
Does anyone have any hint about this issue?
Thanks in advance,
Leonardo Bentes
========== End ==========
Today, I finally fixed this problem and would like to share it.
I did some traffic analysis (tcpdump), read the LEA documentation from the OPSEC
SDK, and guessed what WebTrends could be doing (strings
WTLeaService.exe). Everything points to a problem on the FW-1 side, probably
with the file $FWDIR/log/fw.logtrack.
Since the Firewall-1 Architecture And Administration User Guide has no
reference to this file, I searched (again ;-)) the excellent Phoneboy's
FAQ and realized that it is possible to remove fw.logtrack without side effects.
So, I stopped the WebTrends LEA client, and executed the following commands
on the Firewall-1 box:
# fw kill fwd
# /bin/rm $FWDIR/log/fw.logtrack
# fwd
When I restarted the LEA client, everything worked fine.
Regards,
Leonardo Bentes