topic Re: Excessive traffic between digicert IP's and checkpoint gateway in General Topics

Excessive traffic between digicert IP's and checkpoint gateway

Nandhu — Thu, 08 Oct 2020 21:07:56 GMT

We are working on an issue with one of our remote office. The site has two 5600 appliances in a cluster, the issue occurring is in regards to a sudden spike of traffic from the checkpoint gateway's external interface talking out to digicert over port 80. The return traffic tends to be excessive enough to cause the cisco edge switch to start dropping packets. This causes the sslvpn to go down causing disconnections for the remote workforce out there.

Not really sure why the gateway would be receiving so much traffic from digicert. Anyone seen this behavior before?

Re: Excessive traffic between digicert IP's and checkpoint gateway

PhoneBoy — Thu, 08 Oct 2020 22:58:03 GMT

If you have HTTPS Inspection enabled and/or the gateway is R80.40, I suspect it’s because we are validating certificates in flight.
That is done out-of-band.

Re: Excessive traffic between digicert IP's and checkpoint gateway

Nandhu — Thu, 08 Oct 2020 23:01:09 GMT

Hello Dameon,

No https inspection and running 80.10. It looks like the IP resolves to ocsp.digicert.com

So i am guessing this is something going wrong with ocsp every few hours. The issue lasts for about 5 to 10 minutes before going away. It seems to happen approximately every 4 hours but sometimes misses the 4 hour mark.

Regards,

Nandhu

Re: Excessive traffic between digicert IP's and checkpoint gateway

PhoneBoy — Fri, 09 Oct 2020 02:35:34 GMT

That’s definitely CRL validation.
I recommend a TAC case to assist in investigation.

Re: Excessive traffic between digicert IP's and checkpoint gateway

Wolfgang — Fri, 09 Oct 2020 11:12:36 GMT

Are you sure traffic source is your gateway, not something behind from the internal network which will be NATed?

Maybee some suspicious clients they do excessive CRL validations.

Wolfgang

Re: Excessive traffic between digicert IP's and checkpoint gateway

Nandhu — Fri, 09 Oct 2020 11:23:24 GMT

Hello Dameon and Wolfgang,

We are looking at some of the automation scripts that the QA teams use. But the timing of their requests and traffic on the firewall does not match up.

We do have a TAC case open and I am in the process of collecting debugs.

Nandhu

Re: Excessive traffic between digicert IP's and checkpoint gateway

krit — Tue, 05 Jan 2021 13:18:35 GMT

Dear Nandhu,

How did it go with this case? We face something similar here, yet it seems that the connection is initiated by the firewall itself and not something internal and NATted to it, because of the curl_cli that is related.

[Expert@fw1:0]# lsof -n -i :80

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

curl_cli 2343 admin 10u IPv4 33694501 TCP <fwIP>:47426->93.184.220.29:http (ESTABLISHED) ( ---> ocsp.digicert.com )

Any updates regarding this?

Thank you.

Best Regards,

Re: Excessive traffic between digicert IP's and checkpoint gateway

Nandhu — Tue, 05 Jan 2021 13:48:36 GMT

Good Morning,

We pulled digicert certs from the firewall, followed by a jumbo and reboot. Seems to have cleared out the issue on our end. We added back the cert for one of our sslvpn firewalls and are not seeing the behavior anymore.

The problem now is that we do not know which of the 3 things we did solved the issue. I wish I could have been more helpful.

Regards,

Nandhu