topic Re: Packet leaves firewall, but doesnt reach peer device in Firewall and Security Management

Packet leaves firewall, but doesnt reach peer device

bsb — Sun, 17 Nov 2019 14:53:26 GMT

Hi,

Below is the scenario

Checkpoint ( 3 subnets) ------ > Symantec decrypter (2 subnets reaches, 3rd subnet doesnt reach).

Above devices are connected back to back, initially there are subnet with /27 routed between these two devices, post ip exhaust , one more /27 was added.

traffic reaches from checkpoint to symantec decrytor device, now second subnet is also exhausted.

now we are planning with 3 rd subnet in symantec side.

we could see packet leaving checkpoint exit interface through fwmonitor, but there is no received packets in packet capture of ssl decryptor.

Is there an alternate option to check packet leaving checkpoint other than fwmonitor or tcpdump.

thanks

BSB

Re: Packet leaves firewall, but doesnt reach peer device

Nick_Doropoulos — Sun, 17 Nov 2019 15:39:35 GMT

Hello,

One other tool for packet captures is CPPCAP as described in sk141412. In addition, you can correlate the captured output with that of the logs.

Can I confirm we are dealing with an IPSec site-to-site VPN here? If not, please elaborate on the topology in question.

Thanks.

Re: Packet leaves firewall, but doesnt reach peer device

Timothy_Hall — Sun, 17 Nov 2019 22:09:16 GMT

Seeing the packet hit capture point O in fw monitor just means it is leaving the Check Point code heading for the egress interface in Gaia. Use tcpdump with the -e option to see the destination MAC address of the problematic traffic and verify that the packet is actually leaving. If you don't see it leaving, run fw ctl zdebug drop to see why, my guess would be outbound antispoofing enforcement or you've got some kind of problem with inconsistently applied subnet masks for the new subnet.

If it is the same destination MAC as for subnet traffic that is working, it is not a firewall problem. If the destination MAC is wrong that would explain why it is not showing up at the next hop as the switch will not forward it to that port.

Re: Packet leaves firewall, but doesnt reach peer device

Maarten_Sjouw — Mon, 18 Nov 2019 08:44:00 GMT

When you try to ping an IP from the new range, as it now should be enabled on the Symantec, do you get a reply? If not do you see an arp for any of the IP's in that range, I presume you have a route for the new range pointing to the Symantec?