topic Re: No access to Internet in General Topics

No access to Internet

buridango — Sun, 30 Aug 2020 12:53:54 GMT

Hello, Everyone!

I have an issue with Check Point Security Gateway R80.10. Clients cannot access Internet resources (for example http/https web-pages), though they can ping External IPs and DNS (8.8.8.8 and google.com). I have default access policy as accept all, threat prevention policy is disabled, Automatic NAT. Looking for help to resolve this issue. For http/https traffic log shows accept, check screenshots below, thanks in advance.

Re: No access to Internet

Timothy_Hall — Mon, 31 Aug 2020 00:43:12 GMT

If ping works but nothing else, it usually means other traffic is being denied by your APCL/URLF layer. Ping is not an application (and need only match a rule in the Network/Firewall policy layer) but practically everything else including DNS is. Click the Matched Rules tab on your log card.

Beyond that run fw ctl zdebug drop and try to pass some traffic. If you don't see a drop in that output it is a routing (or possibly NAT) issue of some kind.

Re: No access to Internet

Maarten_Sjouw — Sun, 30 Aug 2020 17:26:05 GMT

Or a little bit more important they cannot do DNS... try to ping www.google.com and see if it resolves.

Re: No access to Internet

buridango — Sun, 30 Aug 2020 18:58:03 GMT

Thanks for Reply, Timothy

I issued command fw ctl zdebug drop and there drops fom one address subnet I don't have:

;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10400 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10401 -> 108.177.14.101:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10399 -> 162.159.129.233:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10400 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10402 -> 35.186.224.47:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10396 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
Defaulting all kernel debugging options

Here tab matched rules

Re: No access to Internet

buridango — Sun, 30 Aug 2020 18:58:48 GMT

Thanks for Reply.

As I mentioned earlier, icmp available by IP and DNS, so this is not a problem.

Re: No access to Internet

buridango — Sun, 30 Aug 2020 19:04:41 GMT

Okay, I found solution. I have PPPoE and Checkpoint has something called SecureXL wich is in conflict, I disabled and everything is working now.

Re: No access to Internet

PhoneBoy — Sun, 30 Aug 2020 21:31:12 GMT

In R80.20+, disabling SecureXL isn’t required.
More specifically, SecureXL will automatically not accelerate PPPoE interfaces without requiring you to disable SecureXL entirely.

Re: No access to Internet

_Val_ — Mon, 31 Aug 2020 06:37:08 GMT

In fact, you cannot completely disable SXL in R80.20+ anymore