topic Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway in Firewall and Security Management

Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

SurajGaikwad — Thu, 03 Nov 2022 07:07:02 GMT

Hi Team,

We are facing issue where reverse https traffic from destination to source is being dropped.

Below example FYI

*****Forward Traffic******

Source:10.10.10.10 (source is behind gateway 1)

Source port: Random (52437)

Destination: 20.20.20.20 (Destination is behind gateway 2)

Destination port: 443

Traffic is getting allowed on both Gateway

*****Reverse Traffic******

Source: 20.20.20.20 (Destination is behind gateway 2)

Source port: 443

Destination: 10.10.10.10 (source is behind gateway 1)

Destination port: Random (52437) --->Same Random Port which observed in forward traffic

Traffic is getting dropped on gateway 2

**********************

This is unexpected behavior in stateful firewall,

Any thoughts on why this is happening , and what could be solution?

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

_Val_ — Wed, 02 Nov 2022 15:15:16 GMT

What does the drop log say?

For TCP 443 you do not need two rules, one should be enough. Also, what about NAT?

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

SurajGaikwad — Thu, 03 Nov 2022 06:44:10 GMT

Hello _Val_

Thanks for reply.

Zdebug Drop logs says "dropped by fw_send_log_drop Reason: Rulebase drop". Same observed in smartconsole logs, traffic is getting dropped by default cleanup rule.

Nating is not enabled for both source and destination.

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

emmap — Thu, 03 Nov 2022 06:55:38 GMT

Do you see accept logs for forward traffic on both gateways, and which gateway is logging the drop?

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

SurajGaikwad — Thu, 03 Nov 2022 07:11:01 GMT

Hello emmap,

Yes can see accept logs for forward traffic on both gateways.

Drop log is observed on first gateway of return traffic (gateway 2 as explain in question)

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

_Val_ — Thu, 03 Nov 2022 07:19:01 GMT

This does not make much sense. Check for asymmetric routing.

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

PhoneBoy — Thu, 03 Nov 2022 13:32:29 GMT

Please provide screenshots of both the accept and drop logs (masking sensitive data).

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

SurajGaikwad — Fri, 04 Nov 2022 13:42:06 GMT

Hello PhoneBoy,

Attached accept and drop logs where forward traffic is accepted and reverse traffic is dropped

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

PhoneBoy — Fri, 04 Nov 2022 15:13:46 GMT

Please provide the full log card for each log entry.

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

SurajGaikwad — Tue, 08 Nov 2022 11:37:17 GMT

attached full log card.

Also let me know is return traffic visible in smartconsole logs.. if forward traffic is accepted.

Re: Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

PhoneBoy — Tue, 08 Nov 2022 13:31:19 GMT

I’m not seeing the “origin” field on these log entries (I.e. the gateway that is actually logging these packets).
Have you confirmed the same gateway that is allowing the traffic is actually blocking it?