https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206955#M39280 <P>Sorry, I cant see the attachment...can you paste the diagram?</P> Fri, 23 Feb 2024 02:03:15 GMT the_rock 2024-02-23T02:03:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206944#M39277 <P>Hello Everyone!</P><P>Currently we are facing a rather confusing problem as follows:</P><P>1. We have 1 pair of Checkpoint devices and 2 pairs of other vendor's Fw devices connected as shown in the attached image.</P><P>2.&nbsp;We use a host with IP 10.0.33.100 located behind the Checkpoint device to access the service on Fw1, traffic goes through a Switch device in the middle. Then we are login to Fw1 device and check the logs on Fw1, we can see source IP 10.0.33.100 connected.</P><P>3.&nbsp;We use hosting with IP 10.0.33.100 located behind the Checkpoint device to access the service on Fw2, traffic goes through two Switch devices in the middle. Then we log in to the Fw2 device and check the log on Fw2, we can only see the source IP is Checkpoint's administrative IP, in addition we cannot find any other source IP.</P><P>Has anyone had any problems?</P> Fri, 23 Feb 2024 01:40:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206944#M39277 MarcuzShinz 2024-02-23T01:40:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206950#M39278 <P>If you have exact source and dst IP, have you tred running fw monitor to see what happens with the traffic?</P> <P>Best,</P> <P>Andy</P> <P>also, if say dst is 1.1.1.1 (just replace with right IP), run ip r g 1.1.1.1 from expert mode to see if its taking the correct route.</P> <P>Andy</P> Fri, 23 Feb 2024 01:48:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206950#M39278 the_rock 2024-02-23T01:48:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206953#M39279 <P>Traffic when passing through the checkpoint we checked to see that it was on the right route. On the checkpoint we can clearly see the source and dst.</P><P>However, as I mentioned, when traffic from a host located behind the checkpoint accesses a host located behind device fw1 through 1 Switch device as shown in the picture I attached, then when we log in to device fw1 and check, we can easily see source is the IP of the host behind the Checkpoint.</P><P>However, when traffic from a host located behind the checkpoint accesses a host located behind the fw2 device through 2 Switch device as shown in the picture I attached, then when we log in to the fw2 device and check, we Only seeing the source is the administrative IP of the checkpoint update.</P><P>&nbsp;</P> Fri, 23 Feb 2024 01:53:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206953#M39279 MarcuzShinz 2024-02-23T01:53:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206955#M39280 <P>Sorry, I cant see the attachment...can you paste the diagram?</P> Fri, 23 Feb 2024 02:03:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206955#M39280 the_rock 2024-02-23T02:03:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206959#M39281 <DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-02-23_082926.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24624i0FEA6050547CFF31/image-size/large?v=v2&amp;px=999" role="button" title="2024-02-23_082926.png" alt="2024-02-23_082926.png" /></span></P> Fri, 23 Feb 2024 02:08:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206959#M39281 MarcuzShinz 2024-02-23T02:08:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206960#M39282 <P>K, I see it now, ty. Just to make sure, these are 2 single firewalls managede by the same mgmt server?</P> <P>Best,</P> <P>Andy</P> Fri, 23 Feb 2024 02:27:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206960#M39282 the_rock 2024-02-23T02:27:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206964#M39283 <P>We only have 1 pair of checkpoints configured in Cluster with separate management components.</P><P>And fw1 and fw2 are two pairs of firewalls from another vendor.</P> Fri, 23 Feb 2024 02:39:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206964#M39283 MarcuzShinz 2024-02-23T02:39:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206965#M39284 <P>Currently, when logging into the fw2 device to check the logs, we cannot see the exact source IP of the host behind the Checkpoint device. When done, use that host to access the services behind fw2.</P><P>We can only see the VIP IP MGMT of the Checkpoint device.</P> Fri, 23 Feb 2024 02:42:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206965#M39284 MarcuzShinz 2024-02-23T02:42:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206966#M39285 <P>K, so its a cluster, got it. Does same issue happen regardless of which fw is the active one?</P> <P>Andy</P> Fri, 23 Feb 2024 02:51:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206966#M39285 the_rock 2024-02-23T02:51:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206968#M39286 <P>The Cluster Checkpoint device run on mode active/active</P> Fri, 23 Feb 2024 02:56:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206968#M39286 MarcuzShinz 2024-02-23T02:56:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206969#M39287 <P>Did you run zdebug to see if anything is dropped?</P> Fri, 23 Feb 2024 03:00:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/206969#M39287 the_rock 2024-02-23T03:00:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/207044#M39288 <P>From your description it sounds like when you access fw1 the checkpoint don't perform source nat, but when you go to fw2 checkpoint do source nat.</P> <P>Did you check the logs on checkpoint for traffic to fw2 and see if indeed you have xlate src and what nat rule does it match?</P> Fri, 23 Feb 2024 17:43:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Could-not-find-the-exact-source-IP-behind-of-the-Checkpoint/m-p/207044#M39288 AmirArama 2024-02-23T17:43:36Z