KB Article | Forcepoint Support

Problem Description

Environment

Security Management Center (SMC) 5.x
Next Generation Firewall (NGFW) 5.x

Problem

After you restore a Management Server or Log Server backup, engine monitoring no longer works in the Management Client. In the System Status view, the main engine element is Red; when you expand it, the node element is Gray (timeout state).

No logs from these engines are visible in the Management Client, although the engines are still processing traffic normally.

When you check the Log Server internal traces (the latest /tmp/LOGSRV_ text file), you see errors similar to the following:

E!com.stonesoft.certificates ERROR [2015-03-12 12:27:21,485] [HandshakeCompletedNotify-Thread] [] {}
M![[Invalid Certificate Serial Number]

[validType=true]
[validSerial=false]
[component type in the store:CN=StoneGate firewall node,O=Stonesoft Corporation]
[received component type :CN=StoneGate firewall node,O=Stonesoft Corporation]
[serial number in the store:4296]
[received serial number:4240]

Resolution

Cause

The connection between the engine and the Log Server has failed, which affects both engine monitoring and the logs that are sent over that connection.

The Log Server uses certificate serial numbers as a revocation mechanism: it stores the latest serial number it has seen for each component and expects that component to present the certificate with that serial number on later connections. When you restore an old backup after some components have been re-certified, the serial number the engine presents no longer matches the one in the Log Server's store, the Log Server rejects the handshake, and the connection between the engine and the Log Server fails.

In the Log Server internal traces, the two values differ:
 
[serial number in the store:4296]
[received serial number:4240]

Solution

IMPORTANT: If the internal traces do not contain the errors listed above, do not apply this solution. The Log Server issue has a different cause, and you should open a support case instead.

After you have confirmed in the internal traces that this issue applies, resolve it by deleting the Log Server certificate cache file <smc install dir>/data/datalogserver/certificateinfo.db.
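The check that gates the solution above, as an added example that is not part of this article or of SMC: a shell function that scans a Log Server internal trace for the "Invalid Certificate Serial Number" error and reports the stored and received serial numbers, so that the cache file is only deleted when the mismatch is actually present. The trace line formats are the ones quoted above; the sample traces are constructed, and the /tmp/LOGSRV_* file pattern used to pick the newest trace is an assumption.

```shell
# Added example (not Forcepoint's own tooling): confirm the serial-number
# mismatch in a Log Server internal trace before deleting certificateinfo.db.
# Trace line formats follow the article; the sample traces below are
# constructed, and the /tmp/LOGSRV_* glob is an assumed naming pattern.

# Print "store=<n> received=<n>" for each "Invalid Certificate Serial Number"
# block in the trace file $1 whose two serial numbers differ. Exit 0 if at
# least one mismatch was found (the article's fix applies), 1 otherwise.
find_serial_mismatch() {
    awk '
        /Invalid Certificate Serial Number/ { inerr = 1; store = "" }
        inerr && /serial number in the store:/ {
            s = $0; sub(/.*store:/, "", s); sub(/\].*/, "", s); store = s
        }
        inerr && /received serial number:/ {
            r = $0; sub(/.*number:/, "", r); sub(/\].*/, "", r)
            if (store != "" && store != r) {
                printf "store=%s received=%s\n", store, r
                found = 1
            }
            inerr = 0
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Newest trace file by modification time (assumed pattern /tmp/LOGSRV_*).
latest_trace() {
    ls -t /tmp/LOGSRV_* 2>/dev/null | head -n 1
}

# Constructed sample: one failed handshake, as quoted in the article.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
E!com.stonesoft.certificates ERROR [2015-03-12 12:27:21,485] [HandshakeCompletedNotify-Thread] [] {}
M![[Invalid Certificate Serial Number]
[validType=true]
[validSerial=false]
[component type in the store:CN=StoneGate firewall node,O=Stonesoft Corporation]
[received component type :CN=StoneGate firewall node,O=Stonesoft Corporation]
[serial number in the store:4296]
[received serial number:4240]
EOF

# Constructed sample: a trace without the error (some other root cause).
SAMPLE_OK=$(mktemp)
printf 'I!com.stonesoft.logserver INFO connection established\n' > "$SAMPLE_OK"

# Usage against the real trace on the Log Server host:
#   find_serial_mismatch "$(latest_trace)" && echo "mismatch confirmed: delete certificateinfo.db"
```

Only a non-empty "store=... received=..." line with differing values means the article's solution applies; if the function exits 1, the error is absent and the support-case route in the IMPORTANT note above is the right one.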
 
