fw logswitch

Description

Switches the current active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. log file:

Closes the current active log file.
Renames the current active log file.
Creates a new active log file with the default name.

Notes:

By default, this command switches the active Security log file - $FWDIR/log/fw.log
You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Important You can run this command in the Expert mode or in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). (Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish on Scalable Platforms).

Syntax

fw [-d] logswitch

[-audit] [<Name of Switched Log>]

-h <Target> [[+ | -]<Name of Switched Log>]

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-audit

Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).

You can use this parameter only on a Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

-h <Target>

Specifies the remote server, on which to switch the log.

Notes:

The local and the remote servers must have established SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. trust.
The local server can be a Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., a Log Server Dedicated Check Point server that runs Check Point software to store and process logs..
The remote server can be a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., a Log Server, or a Security Management Server in High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA. deployment.
You can specify the remote managed server by its main IP address or Object Name as configured in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

<Name of Switched Log>

Specifies the name of the switched log file.

Notes:

If you do not specify this parameter, then a default name is:

<YYYY-MM-DD_HHMMSS>.log

<YYYY-MM-DD_HHMMSS>.adtlog

For example, 2018-03-26_174455.log
If you specify the name of the switched log file, then the name of the switch log file is:

<Specified_Log_Name>.log

<Specified_Log_Name>.adtlog
The log switch operation fails if the specified name for the switched log matches the name of an existing log file.
The maximum length of the specified name of the switched log file is 230 characters.

+

Specifies to copy the active log from the remote server to the local server.

Notes:

If you specify the name of the switched log file, you must write it immediately after this + (plus) parameter.
The command copies the active log from the remote server and saves it in the $FWDIR/log/ directory on the local server.
The default name of the saved log file is:

<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log

For example, MyGW__2018-03-26_174455.log
If you specify the name of the switched log file, then the name of the saved log file is:

<Gateway_Object_Name>__<Specified_Log_Name>.log
When this command copies the log file from the remote server, it compresses the file.

-

Specifies to transfer the active log from the remote server to the local server.

Notes:

The command saves the copied active log file in the $FWDIR/log/ directory on the local server and then deletes the switched log file on the remote server.
If you specify the name of the switched log file, you must write it immediately after this - (minus) parameter.
The default name of the saved log file is:

<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log

For example, MyGW__2018-03-26_174455.log
If you specify the name of the switched log file, then the name of the saved log file is:

<Gateway_Object_Name>__<Specified_Log_Name>.log
When this command transfers the log file from the remote server, it compresses the file.
As an alternative, you can use the fw fetchlogs command.

Compression

When this command transfers the log files from the remote server, it compresses the file with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of LZ77 method. The compression ratio varies with the content of the log file and is difficult to predict. Binary data are not compressed. Text data, such as user names and URLs, are compressed.