topic Re: Packet Analysing in Firewall and Security Management

Packet Analysing

gemechisd — Sat, 15 Jun 2024 05:40:36 GMT

Hello All,

We have faced an issue for one of our services we have from DMZ Zone to Internal. The issue is that from 100 requests sent to the internal server some requests getting a response within 2-4 minutes. But the fast ones will get with 2 seconds. And we have tried bypassing our checkpoint firewall and all 100 requests gets a response every 2 seconds. We have checked on our checkpoint rule but can't find thing. Below is a packet capture from different servers. If someone can help in finding the differences between the captures.

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 17:20:59 GMT

I will download and have a look. Can you please indicate src and dst IP?

Andy

Re: Packet Analysing

gemechisd — Fri, 14 Jun 2024 17:24:21 GMT

@the_rock

Thanks for the quick reply. All SRC & DST IP's are on the captured packets.

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 17:25:51 GMT

K, sounds good! Just finishing up an Azure lab, will check soon.

Andy

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 17:36:14 GMT

I checked few streams and to me, appears server is NOT sending syn-ack, which it should

Andy

Re: Packet Analysing

gemechisd — Fri, 14 Jun 2024 17:39:55 GMT

Okay. Thanks.

May be can you check the one named with Server2 and server 2 - retried

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 17:41:04 GMT

Of course I can. I got a call in 20 mins, but can also check it while on that call, but let me do it now.

Andy

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 17:47:40 GMT

Well, one seems worse, as it shows syn and syn-ack absent. The send one is the same.

Maybe do capture like this, dont output into a file and see what you get

Idea is (srcip,srcport,dstip,dstport, protocol),

So, in your case, lets say port is 443, lets pretend ip's are 1.1.1.1 and 2.2.2.2

fw monitor -F "1.1.1.1,0,2.2.2.2,443,0" -F "2.2.2.2,0,1.1.1.1,443,0"

Andy

You can also do zdebug as below, just replace with right IPs

fw ctl zdebug + drop | grep x.x.x.x | grep y.y.y.y

fw ctl debug 0 to turn off debugs

Re: Packet Analysing

gemechisd — Fri, 14 Jun 2024 18:00:56 GMT

so, which server is not sending proper ack/syn messages?

And what do you suggest

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 18:05:40 GMT

I cant recall now, can check again soon. Do you have working capture?

Re: Packet Analysing

gemechisd — Fri, 14 Jun 2024 18:07:23 GMT

right now not. but i can do early morning

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 19:10:55 GMT

Just finished my call, let me check again.

Andy

Re: Packet Analysing

the_rock — Fri, 14 Jun 2024 19:36:16 GMT

Every packet I check, you see this.

Andy

Re: Packet Analysing

gemechisd — Sat, 15 Jun 2024 11:38:54 GMT

@the_rock
I have executed fw ctl zdebug + drop | grep x.x.x.x | grep y.y.y.y during the capture by replacing the IP's, but there is no rule that can drop this connection.

Re: Packet Analysing

gemechisd — Sat, 15 Jun 2024 11:40:51 GMT

@the_rock

Is it possible to only allow the access on Network only. I mean with out Application and URL for this specific rule.

Re: Packet Analysing

the_rock — Sat, 15 Jun 2024 11:44:20 GMT

Yes, 100%. If you have say 2 ordered layers, just make sure its allowed on both, but 2nd layer can have any any allow at the bottom, but be configured for urlf+app blades.

Andy

Re: Packet Analysing

gemechisd — Sat, 15 Jun 2024 13:06:06 GMT

Ok. We have suspected that if there is any URL/Application control is blocking it. And If there is any filtering on it.

As I told you yesterday when we do the capture from campus network (Bypassing Checkpoint) all requests are getting the response with in seconds. Sample is 100 request

Re: Packet Analysing

the_rock — Sat, 15 Jun 2024 13:07:36 GMT

Here is good reference for the layered rules. I have real good document I made about it, but its on my work laptop, so can send tomorrow.

Andy

All you need to remember is this...IF there are multiple ordered layers, traffic has to be accepted on ALL of them.

https://community.checkpoint.com/t5/General-Topics/What-is-the-point-of-ordered-layers-for-Accept-rules/m-p/200008

Re: Packet Analysing

the_rock — Sat, 15 Jun 2024 13:13:46 GMT

If you send a screenshot oh how policy layers are configured, I can tell you if something is wrong. Just blur out any sensitive details.

Re: Packet Analysing

the_rock — Sat, 15 Jun 2024 17:24:50 GMT

Hey mate,

Since Im just watching some Euro cup football (or as our American friends call it soccer (well us Canadians too : - ), which I think is incorrect, as you play it with your feet lol), but anyway, cheering for Croatia, which is getting destroyed by Spain, as they are closest to where I grew up, Montenegro, and we did not even qualify, since we SUCK lol

Anywho, I attached a document with layred rules examples from my lab. If you need help or not clear, let me know, we can do remote session.

Best,

Andy