topic Re: Drops between the Security Gateway and the Management Server in Firewall and Security Management

Drops between the Security Gateway and the Management Server

Hllrdm — Thu, 02 Dec 2021 13:55:05 GMT

We have a large number of drops between security cluster members (regardless of gateway activity) and the management server on various UDP ports.

The following services have been added to the allow rule: icmp-request, ssh,FIBMGR.
We observe drops on Clean up rules.

We tried entering the #fw ctl command set int fwha_forw_packet_to_not_active 1, but no result.

We observe that the Security Gateways access on different ports.
Is this expected Check Point behavior or not? Is there any information available on this problem?

Re: Drops between the Security Gateway and the Management Server

the_rock — Thu, 02 Dec 2021 14:06:49 GMT

If you have a rule to allow the traffic, no, its not normal There is good command you can run fw up_execute src=x.x.x.x dst=y.y.y.y ipp=0

This would show you whether traffic is indeed permitted. Is it new behavior or it happened before?

Re: Drops between the Security Gateway and the Management Server

Hllrdm — Thu, 02 Dec 2021 14:22:30 GMT

hello!

We have icmp-request, ssh,FIBMGR.

We have an allow rule for icmp-request, ssh,FIBMGR. That is, Check Point correctly handles drops because UDP ports are not allowed by a rule. It is not clear to us why the Security Gateways are sending udp packets to the management server.

The problem may have been there before, we just discovered it recently.

Re: Drops between the Security Gateway and the Management Server

Hllrdm — Thu, 02 Dec 2021 14:29:49 GMT

Regarding the command, we get the message that no command was found:
Unknown command "src=10.x.x.x."

Re: Drops between the Security Gateway and the Management Server

the_rock — Thu, 02 Dec 2021 14:37:16 GMT

So say you want to see that command between IPs 1.1.1.1 and 2.2.2.2, you do this:

fw up_execute src=1.1.1.1 dst=2.2.2.2 ipp=0

IPP is for IP protocol, that can be any

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-up_execute.htm

Is it possible that traffic is being sent to mgmt server due to implied rule? Can you see it in the logs?

Andy

Re: Drops between the Security Gateway and the Management Server

Hllrdm — Thu, 02 Dec 2021 14:38:09 GMT

Hello!

We have icmp-request, ssh,FIBMGR.

The problem may have been there before, we just discovered it recently.

Regarding the mistake in the team. The error repeats in expert mode.

Re: Drops between the Security Gateway and the Management Server

the_rock — Thu, 02 Dec 2021 14:45:08 GMT

Message me directly, lets do remote later in the afternoon if you are free? Im in EST, what time zone are you in?

Re: Drops between the Security Gateway and the Management Server

Hllrdm — Thu, 02 Dec 2021 14:46:45 GMT

GMT+3
Our company policy does not allow remote connection sessions, so we cannot show you the problem.

Re: Drops between the Security Gateway and the Management Server

the_rock — Thu, 02 Dec 2021 14:50:57 GMT

Ok, I totally understand. So here is where I would start myself. Look at the logs and see if there are any logs for implied rules regarding this. If not, and regular logs still show you the same, do tcpdump and/or fw monitor

tcpdump -nni any host x.x.x.x

fw monitor -e "accept host(x.x.x.x) and port(x);"

fw monitor -F 'x.x.x.x,0,y.y.y.y,0,0' -F 'y.y.y.y,0,x.x.x.x,0,0'

Captures will ALWAYS tell you where/why the problem happens, 100%.

Re: Drops between the Security Gateway and the Management Server

Hllrdm — Thu, 02 Dec 2021 14:53:41 GMT

We have already collected dumps, but unfortunately we have not found any useful information.

1. [expert@:0]# tcpdump -i any src 10.х.х.х. (fw) and dst 10.x.x.x (mgmt)
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

command output is empty

2. [expert@:0]# fw ctl zdebug + drop | grep 10.x.x.x. (fw)
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 10.x.x.x:18234 -> 10.x.x.x:21771 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 30;

Re: Drops between the Security Gateway and the Management Server

the_rock — Thu, 02 Dec 2021 14:57:37 GMT

Something makes no sense there. If you run tcpdump between fw and mgmt server, you have to see some traffic. Can you send exact command you ran?

Re: Drops between the Security Gateway and the Management Server

RS_Daniel — Thu, 02 Dec 2021 15:48:54 GMT

Hello @Hllrdm ,

Port 18234/UDP is used by vpn blade for tunnel_test protocol. It seems to me that someone is sending tunnel_test packets to your firewall and the reply packets are being dropped, it should not happen between gateway and management AFAIK, but i think maybe a NAT rule is changing dest ip address and we are not seeing entire picture. You can check tunnel test packets on your firewall to find who is generating this traffic and if there is some nat involved:

fw monitor -e "port(18234),accept;"

I would disable acceleration before doing the capture, this will give you more information to continue the tshoot. HTH.

Regards