topic Re: Some traffic is being prevented but it looks like it's getting through on logs in General Topics

Some traffic is being prevented but it looks like it's getting through on logs

rmothers — Wed, 16 Dec 2020 08:50:00 GMT

I have a deployment of 2 x 5400 Checkpoint Appliances in HA pair running R80.40 and no separate management server (yet). I have just deployed these firewalls to replace a pair of 4400 appliances which are end of life and would not upgrade.

I'm seeing some rather strange behaviour with certain traffic across these firewalls. I have attached an overview of the network topology. Each LAN (1-7) is connected to a VLAN interface which is set as a cluster, the topology is set as 'This Network (Internal) with specific subnets that reside within and beyond the individual LANs (LAN 1 for example has itself and a second class C network) identified as a network group; the security zone is set to 'user defined' and anti spoofing is set Prevent and Log. The CONFIG LAN interface is a cluster, its topology is external and set to lead to Internet (although it doesn't go to the internet itself it routes through to Corporate via another set of firewalls), the security zone is user defined and topology is set to detect and log.

In the LAN identified as CONFIG LAN I have an Active Directory (AD) with 2 way trusts down to each AD in the individual LANs. When I route the traffic between the CONFIG LAN and any of the other individual LANs through these Checkpoints the trusts can no longer validate and DNS cannot resolve a ping to any of the individual LANs. The logs do show the DNS request passing across the Checkpoints. However, this trust was established and working on the recently decommissioned firewalls. An IP to IP ping works without issue as does tracert. I have one or two other applications which exhibit the same behaviour (LAN 5 to LAN 7 on TCP port 8100 - can see it in the logs but the devices at each end aren't able to communicate).

As part of the swap out I implemented some temporary firewalls to route the Information LAN traffic away from the Checkpoints so there was no interruption to that particular traffic flow. I am able to route the AD Trust traffic across the temporary firewall setup with no issue. However, there is no redundancy or resiliency within that temporary setup and the devices have very poor logging facility.

I replicated the set up on the 4400s to the 5400s with a bit of rule tidying (obsolete rules removed and objects grouped appropriately) see screen capture attached - I'm just looking for places to start to investigate really so any suggestions will be welcome. Waiting for support provider to get back to me as well.

I have tried opening the rules wide open to allow the CONFIG LAN domain controllers and the LAN domain controllers to use any service and application but to no effect.

Thanks in advance

Bob

Re: Some traffic is being prevented but it looks like it's getting through on logs

_Val_ — Wed, 16 Dec 2020 09:05:07 GMT

Any drop logs/debugs for this traffic?

Re: Some traffic is being prevented but it looks like it's getting through on logs

rmothers — Wed, 16 Dec 2020 09:07:38 GMT

Hi Val

That's one of the issues there is no dropped traffic showing - I'll post some logs up in a bit - I'll have to reroute some traffic to accommodate

Bob

Re: Some traffic is being prevented but it looks like it's getting through on logs

rmothers — Wed, 16 Dec 2020 10:16:09 GMT

Updated topology attached (forgot connections to LANs 5 & 6)

Re: Some traffic is being prevented but it looks like it's getting through on logs

rmothers — Wed, 16 Dec 2020 10:25:26 GMT

Some further screenshots and log output

Re: Some traffic is being prevented but it looks like it's getting through on logs

_Val_ — Wed, 16 Dec 2020 10:44:33 GMT

I think you are missing the point. Did you run any trace and debugs on your security gateways to see what's going on? There are two possibilities:

1. Either packets are getting lost somewhere outside of your GW, or

2. They are being silently dropped by GW.

Traces with "fw monitor" and "fw ctl debug" with "drop" option should give you a direction where to looks

Re: Some traffic is being prevented but it looks like it's getting through on logs

rmothers — Wed, 16 Dec 2020 16:27:15 GMT

Issue is now resolved as support provider got in touch and immediately suggested applying Jumbo Hotfix (Take 89) as they were still on base build. I hadn't realised the build I'd used did not have the relevant hotfix bundled with it. Took a while to get them there but now the traffic is flowing as expected. If you made it this far thanks for reading.