topic Re: Endpoint blocked by Firewall in Endpoint

Endpoint blocked by Firewall

Tony_Graham — Wed, 01 Feb 2023 17:45:34 GMT

Any ideas why CP Endpoint would be blocked by the CP Firewall from contacting the update server?

I have 1 system in my environment that is getting stuffed.

The service port is 443, the destination is 209.87.211.157.

Whois reports this is ZoneAlarm.

Sometimes it bangs on range 66.110.49.114-116 which is Kaspersky.

Other times I see 3.5.8.156 which is AWS (no telling which service).

There is no SSL inspection going on and 443 outbound is allowed for the user

so it's a definite oddity.

Re: Endpoint blocked by Firewall

PhoneBoy — Wed, 01 Feb 2023 18:11:55 GMT

Make sure you’re allowing connectivity per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590&partition=Basic&product=Harmony
The “Check Point Services” Updatable Object includes the stuff listed here.

Re: Endpoint blocked by Firewall

the_rock — Wed, 01 Feb 2023 18:18:04 GMT

Had to actually verify that sk once with customer what @PhoneBoy gave, so definitely good starting point.

Re: Endpoint blocked by Firewall

Tony_Graham — Wed, 01 Feb 2023 18:19:18 GMT

I will look into that but why would this affect only 1 user?

Re: Endpoint blocked by Firewall

the_rock — Wed, 01 Feb 2023 18:31:22 GMT

If its only one user, then does not really sound like its fw issue, but just my logical assumption. Do you have any relevant logs from the dashboard you can attach?

Andy

Re: Endpoint blocked by Firewall

Tony_Graham — Wed, 01 Feb 2023 18:37:55 GMT

I kind of digested all the relevant details in the first post. That's all that's available to me in dashboard.

Although it looks like it's a bunch of 'First packet isn't SYN'. Again it only occurs with this one user.

Re: Endpoint blocked by Firewall

the_rock — Wed, 01 Feb 2023 18:55:50 GMT

That message needs some captures, for sure. Do fw monitor and tcpdump to see path it takes.

Re: Endpoint blocked by Firewall

Tony_Graham — Thu, 02 Feb 2023 21:32:31 GMT

I am starting to suspect it has something to do with VMware and its NAT connection.

I am going to switch that machine over to Bridged tonight and monitor it some more.

**UPDATE** The problem was with VMware. I deleted the virtual adapter and re-added it, switched to Bridged mode and the problem has gone away. As a note VMware Workstation virtual network adapters do not always upgrade correctly when there is a version change or if you ported it around. You can often find 'cruft' in the vmx files from past versions. My process is to remove the current adapter in VMware. Shut down Workstation, find the .vmx file of the VM you have issues with. Make a copy of it, then I go into the original and search on 'eth', and blast all the entries that match on 'eth' except the one related to the PCI slot number and the MAC address. Save the file, relaunch VMware Workstation, add in a new adapter for the VM and then boot it. You have to take care of any IP things inside of the VM but it will sort out any crazy Ethernet weirdness.