topic Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility? in Firewall and Security Management

What is the expected traffic in a packet capture for Checkpoint High Avalibility?

Jamesbondjr007x — Wed, 10 Jul 2019 20:38:26 GMT

While working on a issue I noticed this on a wireshark packet capture on my Nexus 9000 switch is connected to a 15400 XL running Gaia 80.33 (whatever the current version is). There are two 15400 XL in one DC1 and 2 in DC2. The 4 are all clustered together for the VSS. The 192.168.xxx.xx is checkpoint's "internal switch" address. My question is should I be seeing these messages sent to the switchport that is connected to the firewall? The port that is connected to the firewall from the Nexus is for multicast traffic. I did a packet capture in our QA environment which is a mirror of our production with the exception of there are only 2 15400 XL and I don't see these messages below. Is this a mis- configuration of the Firewall High Availability being sent to the Nexus connecting port?

2019-07-10 15:34:26.154998 0.0.0.0 -> 192.168.xxx.xx CPHA CPHAv3223: FWHA_MY_STATE
2019-07-10 15:34:26.155007 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155010 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155013 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

PhoneBoy — Mon, 15 Jul 2019 05:26:29 GMT

Check Point's sync traffic is multicast by default.
While the actual connection sync data goes over the sync network, probes do go out over each connected interface.
This is to verify cluster members can reach each other on every interface.
I haven't seen what this traffic looks like in R80.30 to verify what you're seeing is correct.

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

PhoneBoy — Tue, 16 Jul 2019 23:44:55 GMT

Just to correct myself, R80.20 and above, the default sync traffic is unicast, not multicast.
CCP packets should appear on all "clustered" interfaces.

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

Maarten_Sjouw — Wed, 17 Jul 2019 05:25:18 GMT

The default is indeed Unicast for this traffic, unless the gateways were upgraded, then the previous state is just copied and left alone.

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

Jamesbondjr007x — Wed, 17 Jul 2019 19:15:10 GMT

I want to thank you for the responses. My question was is not if its unicast or multicast. It was if what I pasted in the original posting is what should be occuring on connected interfaces to the firewall. As I stated I do not see that in our QA environment with the same code and chassis.

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

PhoneBoy — Thu, 18 Jul 2019 08:08:34 GMT

CCP packets should be appearing on all "Clustered" interfaces, as I said previously.
If you're not seeing them, it's because the configuration of the Cluster object is different with respect to the interfaces in your QA environment.