https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169887#M30799 <P>So, some answers:<BR /><BR />1. UDP 8116 is CCP traffic. CCP is used to monitor cluster functionality. It is not okay that CCP from NW network is leaking to i1/2/3 network. Check your router does not forward broadcast between network. If it does, see how to remove that. The issue 1 is only cosmetic, not a matter of concern though.</P> <P>2. Not clear if this is indeed a multicast, and where it comes from. Not related to setup, I believe.&nbsp;</P> <P>3. Those are high ports, some reply to TCP traffic. Show more details, especially the source ports for each, to determine the application sending this traffic.</P> <P>&nbsp;</P> Wed, 01 Feb 2023 11:15:38 GMT _Val_ 2023-02-01T11:15:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169883#M30796 <P><SPAN>Dear Team,<BR /><BR />Hello,</SPAN></P><P><SPAN>We are implementing ClusterXL and Management High Availability.<BR />We have also activated Anti-Spoofing.<BR />A diagram of the network infrastructure is displayed below.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-02-01_19h21_20.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19378i3C4570F370C9BFB4/image-size/medium?v=v2&amp;px=400" role="button" title="2023-02-01_19h21_20.png" alt="2023-02-01_19h21_20.png" /></span></P><P>Under these conditions, the Security Gateway is dropping the following packets:</P><P>i1&amp;i2 -&gt; Management NW network address (4th octet 0), UDP/8116<BR />i1&amp;i2 -&gt; 239.255.255.250, UDP/1900<BR />m3&amp;m4 -&gt; m1&amp;m2, TCP/45112 TCP/53393</P><P>The cluster configuration appears to be functioning correctly, as indicated by SmartConsole or the output of the "show cluster state" command.<BR />It is effectively executing failover procedures even after simulating failures, such as shutting down the active SG.</P><P>(Question 1) Is there an issue with this current setup?<BR />(Question 2) If there is an issue, what steps should be taken to resolve it (e.g. implementing additional firewall policies)?</P> Wed, 01 Feb 2023 10:23:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169883#M30796 tepeeeeei 2023-02-01T10:23:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169885#M30797 <P>What do the drop log entries say?</P> Wed, 01 Feb 2023 10:52:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169885#M30797 _Val_ 2023-02-01T10:52:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169886#M30798 <P><SPAN>Thank you for reply, he said</SPAN></P><P><SPAN>- i1&amp;i2 -&gt; Management NW network address (4th octet 0), UDP/8116<BR />&nbsp; -&nbsp; by rule (All DENY)</SPAN></P><P><SPAN>- i1&amp;i2 -&gt; 239.255.255.250, UDP/1900<BR /></SPAN>&nbsp; -&nbsp;IP multicast routing failed (missing OS route)</P><P><SPAN>- m3&amp;m4 -&gt; m1&amp;m2, TCP/45112 TCP/53393<BR />&nbsp; -&nbsp;TCP packet out of state:&nbsp;TCP packet out of state<BR />&nbsp; -&nbsp;TCP Flags: PUSH-ACK<BR /></SPAN></P> Wed, 01 Feb 2023 11:00:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169886#M30798 tepeeeeei 2023-02-01T11:00:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169887#M30799 <P>So, some answers:<BR /><BR />1. UDP 8116 is CCP traffic. CCP is used to monitor cluster functionality. It is not okay that CCP from NW network is leaking to i1/2/3 network. Check your router does not forward broadcast between network. If it does, see how to remove that. The issue 1 is only cosmetic, not a matter of concern though.</P> <P>2. Not clear if this is indeed a multicast, and where it comes from. Not related to setup, I believe.&nbsp;</P> <P>3. Those are high ports, some reply to TCP traffic. Show more details, especially the source ports for each, to determine the application sending this traffic.</P> <P>&nbsp;</P> Wed, 01 Feb 2023 11:15:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169887#M30799 _Val_ 2023-02-01T11:15:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169895#M30803 <P>1. understood that it is a network problem, not Quantum.<BR />2. I don't particularly care about it.<BR />3．The source port was 257.<BR />&nbsp; It seems to be a return communication of log transmission.<BR />&nbsp; Since I am receiving logs correctly under normal circumstances, this did not seem to be a problem either.</P><P>Thank you very much for your answer!</P> Wed, 01 Feb 2023 11:51:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-dropped-some-packets/m-p/169895#M30803 tepeeeeei 2023-02-01T11:51:20Z