Check Point firewall logs delay
We are using RSA enVision 4.0. We found there is a log delay (approx. 4 hours) from the Check Point firewall to enVision. Please help us resolve this issue and get real-time logs.
We have integrated the Check Point firewall through the LEA client.
Please find below the configuration given under Device Services:
Normal delay: 600 seconds
Timeout delay: 3600 seconds
Max polling timeout: 120 seconds
Max polling count: 100000 events
Collector threads: 8 threads
Shutdown grace period: 10 seconds
When you say "delayed", what do you mean?
Is the LEA connection dead during those 4 hours and no events are received? Is the event data coming in steadily but the times are off?
If your issue is closer to the 1st scenario, we are having a related issue (currently under investigation with RSA support and dev teams). Here are a couple of things to check:
1. Are you seeing your LEA client connection stop the data pull completely?
2. Does the event pull resume on its own or does the LEA Client service require manual restart?
I recommend you run tcpdump -v on your LEA server and monitor the connection between it and the LC.
There are advanced settings under the LEA client config in the enVision GUI where you can force the LEA client to restart the service if no data is seen over 5 minutes (the minimum setting; others are available).
If you are getting data but the times are off, check whether you're using the enVision timestamp under Device Config or the actual event timestamp. Check your timezones, obviously, or normalize everything to UTC/GMT.
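The two scenarios in the reply above (LEA pull dead for hours, versus data flowing but timestamps off) leave different fingerprints once you line up each event's own timestamp against the time the collector stored it. The script below is an added example, not part of this thread and not RSA or Check Point tooling: it runs over constructed sample records (the field names `event` and `received`, the 4-hour offset and the 600-second stall threshold are all assumptions for the example) and reports whether the lag looks like a clock/timezone skew, a stalled pull that later caught up, or normal steady delivery.

```python
"""Classify collector lag: timezone skew vs. stalled/backlogged LEA pull.

Example code, not from the thread or any vendor. The records are constructed
for the example; field names 'event' (device timestamp) and 'received'
(collector write time) are assumptions.
"""
from datetime import datetime, timedelta, timezone
from statistics import median, pstdev

FMT = "%Y-%m-%dT%H:%M:%S"


def parse(ts: str) -> datetime:
    """Parse a timestamp string; all sample times are treated as UTC."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def lags_seconds(records):
    """(collector receive time - device event time) in seconds, per record."""
    return [(parse(r["received"]) - parse(r["event"])).total_seconds()
            for r in records]


def classify(records, hour_tolerance=120, stall_gap=600):
    """Return 'timezone_skew', 'stall' or 'steady'.

    timezone_skew: every event is late by almost exactly the same whole
        number of hours with little jitter -> clock/timezone problem, the
        data flow itself is fine (2nd scenario in the reply).
    stall: receive times show a gap of >= stall_gap seconds followed by a
        burst -> the pull stopped and caught up later (1st scenario).
    steady: small, roughly constant lag.
    """
    lags = lags_seconds(records)
    med = median(lags)
    spread = pstdev(lags)
    hours = round(med / 3600)
    if (hours != 0 and abs(med - hours * 3600) <= hour_tolerance
            and spread <= hour_tolerance):
        return "timezone_skew"
    received = sorted(parse(r["received"]) for r in records)
    gaps = [(b - a).total_seconds() for a, b in zip(received, received[1:])]
    if gaps and max(gaps) >= stall_gap:
        return "stall"
    return "steady"


def make_samples(kind, n=12):
    """Build constructed records, one event per minute, for three cases."""
    start = datetime(2011, 3, 1, 8, 0, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(n):
        ev = start + timedelta(minutes=i)
        if kind == "skew":
            # device clock/timezone off: everything is exactly ~4 h late
            rx = ev + timedelta(hours=4, seconds=i % 3)
        elif kind == "stall":
            # LEA pull dead for ~4 h, then the backlog arrives within seconds
            rx = (ev + timedelta(seconds=5) if i < 3
                  else start + timedelta(hours=4, seconds=i))
        else:
            rx = ev + timedelta(seconds=5 + i % 2)
        recs.append({"event": ev.strftime(FMT), "received": rx.strftime(FMT)})
    return recs


if __name__ == "__main__":
    for kind in ("skew", "stall", "steady"):
        print(f"{kind:7s} -> {classify(make_samples(kind))}")
```

Feed it real pairs exported from the collector (event timestamp vs. enVision receive timestamp) and the verdict tells you which of the two troubleshooting paths above to follow: a "timezone_skew" result points at the timestamp/timezone settings, a "stall" result at the LEA connection itself.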
This is for sure a license problem. You are over the license limit (actually over 70% of your max EPS). enVision always reserves 60% of available EPS for syslog. Therefore the maximum performance you can gain on LEA, Windows, File, ODBC is 70%, and when you reach it, enVision limits your data stream for LEA, and that is why there is such a "delay"!
Had the same problem... it was the license limit.
Try lsdata -ss to see if you have overruns or discarded messages.
While we're on the Check Point topic...
Does anyone else have HUGE LEA Client logs? We have bigger LEA client logs than IPDB compressed data for Check Point for the same time period.
These files are in the logs directory.