topic Re: CCP drop packets in R81 in Firewall and Security Management

CCP drop packets in R81

Ramasubramaniya — Wed, 20 Oct 2021 17:22:28 GMT

Hi Team,

We are in a progress of migrating the Checkpoint hardware from 4400 to 6600.

Old hardware is running on R77.30 and new hardware is already upgraded to R81.

Old hardware running with VRRP Cluster

New hardware running with ClusterXL

Both hardware are connecting on same switch

But the new Firewall cluster is experiencing the below error message.

@;162960;[vs_0];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162960;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162960;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162960;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;

Re: CCP drop packets in R81

the_rock — Wed, 20 Oct 2021 18:26:45 GMT

Is that implicit clean up rule number 781?

Re: CCP drop packets in R81

Ramasubramaniya — Thu, 21 Oct 2021 05:14:23 GMT

Yes it is a implicit deny rule

Re: CCP drop packets in R81

HristoGrigorov — Thu, 21 Oct 2021 05:40:23 GMT

@Ramasubramaniya You don't happen to have implied rules disabled ?

Re: CCP drop packets in R81

Ramasubramaniya — Thu, 21 Oct 2021 07:52:44 GMT

You mean to Disable the implied rule?

We kept it to log the traffic getting denied on the firewall, and it's really important for troubleshooting

Re: CCP drop packets in R81

HristoGrigorov — Thu, 21 Oct 2021 07:55:38 GMT

No, I was asking if Implied Rules are already disabled. If they are enabled leave them like that; problem is somewhere else.

Re: CCP drop packets in R81

the_rock — Thu, 21 Oct 2021 12:00:58 GMT

You may wish to engage TAC, because to me, if you think about it logically, since I am pretty sure your rule base had not changed, there is no reason why this would be happening. I get its clusterXL instead of VRRP, but still. So based on the drop, it shows its UDP protocol and port 8116, which is clustering, so one thing I would try to do it maybe quickly just run zdebug only for port 8116 and also fw monitor for that specific port and see what you get.

Andy

Re: CCP drop packets in R81

Ramasubramaniya — Thu, 21 Oct 2021 15:28:32 GMT

Anyone please help on this topic

Re: CCP drop packets in R81

the_rock — Thu, 21 Oct 2021 15:30:35 GMT

You may want to open support case, because this would need some more in depth troubleshooting, for sure.

Re: CCP drop packets in R81

KostasGR — Fri, 22 Oct 2021 13:43:55 GMT

Hello

I think you are matching sk132672

BR,
Kostas

Re: CCP drop packets in R81

the_rock — Fri, 22 Oct 2021 13:50:38 GMT

Very good point Kostas!

Re: CCP drop packets in R81

Yair_Shahar — Sun, 31 Oct 2021 09:46:30 GMT

Hi,

Did sk132672 help you to resolve this issue?

Yair

Re: CCP drop packets in R81

Ramasubramaniya — Mon, 01 Nov 2021 00:48:13 GMT

Hi Team,

Thanks a lot for the kind replies. I tried sk132672 but does not help in my case.

As i already said the switch is connected with Current R81 Cluster and the R77.30 VRRP Cluster.

I lately realized this packets are coming from VRRP cluster since the Cluster mode is Mutlicast in the R77.30 Cluster.

I confirmed this by capturing packet on the R77.30 cluster and found same 0.0.0.0:8116 -> 10.0.0.0:8116 packets are exchanging over there.

So it's good say it's our design issue. Once again thanks all for the recommendations, much appreciated.

Ram T S