Firewall 12.7.2 no logs visible in FSM
Hi,
T20 12.7.2
Had a fully managed T20 device running 12.7.2 today where it would not show any logging in FSM from any WSM management client, but everything else worked. Also live logs from the Cloud interfaces worked.
Rebooting the device did not help.
What helped was to change the webserver certificate to a custom one, save the config and now FSM shows logs. Changed it back to default settings and still working.
Don't know why the web certificate caused this issue.
/Robert
Comments
Hi,
I have a similar problem:
M500 12.7.2 - newly re-installed to factory defaults and then started to build new config including adding a third party certificate (wildcard).
Yesterday it worked fine for a while but now this morning no logs show.
Now I removed the third party cert for "Proxy" as I don't use it and use it for Webserver only. Let's see how it goes.
Now I removed (in setup/logging) "send log mess. to fb internal storage" (added it yesterday for test) and connected to fw from another mgmt station (FSM) and logs showed up!
And it seems to be working from my normal workstation as well, at least for now.. let's see how it goes.
https://watchguard.force.com/customers/wgknowledgebase?type=Known Issues&SFDCID=kA16S000000SNhXSAW&lang=en_US
Ah thanks! I will try that.
/Martin
@kimmo.pohjoisaho
Thank you
thank you
I am unable to find this certificate in my listings.
Did you select "Trusted CA for Proxy Certificates" and then click on the Status column heading to sort by status name?
You should see any Expired entries.
I saw & deleted the problem cert, along with all Expired ones.
I did mine in Firebox System Manager -> View -> Certificates
Same problem. Right after installing 12.7.2 and rebooting M270, I am seeing an empty log in FSM.
I deleted this cert:
c=ES, st=Barcelona, l=Barcelona (see current address at https://www.anf.es/address/), o=ANF Autoridad de Certificación, ou=ANF Clase 1 CA,cn=ANF Server CA.
It is still showing nothing. Am I supposed to delete all Expired (7 expired Trusted CA for Proxies) certs to see the logs?
(additional)
Never mind. I just noticed this at the bottom of the article:
After you delete the certificate, Traffic Monitor behavior does not return to normal immediately. Wait until the cache logs are purged or reboot the Firebox.
I don't understand why traffic log shows nothing if we don't delete expired cert. Does anyone know why?
When you open up Traffic Monitor, it pulls the existing log records from the firewall log cache area.
If the logs pulled include an Expired Cert log record for the problem cert, then Traffic Monitor screen will be blank because of the bug.
So, for this case, you need to wait for the firewall log cache area to no longer have one of these Expired Cert log records, and clear the Traffic Monitor log display or end & restart Traffic Monitor to start displaying log records again.
So it's a bug in version 12.7.2. There are 7 other expired certificates that I did not delete. Why do they not cause a blank traffic monitor? Why is that one particular expired cert causing it but not the rest of them?
As stated in the Known Issue, the problem cert contains a non-ASCII character in the subject name.
Got it. Thanks.