The logging filled the disk of the management node. This caused the firewall nodes to start logging locally. After deleting some old logs and restarting the management node, logging is still being done locally at the firewall nodes. I have already done a fw fetchlogs on all firewall nodes to get the local log entries.
How can I tell the firewall nodes that they should once again connect to the management node?
My syslog_servers show doesn't show any syslog servers. But the documentation mentions that this is for additional logging and not for logging between firewall nodes and the management node.
I am certain that the Check Point knowledgebase has this answer, although for the life of me I can't remember what to do. Two general things to try:
Push policy to the firewall
cpstop ; cpstart on the firewall
Reboot the firewall (Windows and Check Point FW-1, both love the reboots).
Plain R70? We had an issue where the Management station wasn't getting incoming logs after a reboot. Check Point support said it was a known issue with R70. (Sorry, I can't find an SK number for you). Updating to R70.30 on the management station fixed the problem.
You could give a try to
fw logswitch
on the firewall itself. If it does not help, then a reboot might be needed, as previously suggested.