topic Re: HI All,Any one can guide ? in General Topics

HI All,Any one can guide ?

Shivajith_S — Fri, 27 Jul 2018 15:01:49 GMT

[Expert@CTSG3Firewall]# tcpdump -nni any host 172.20.106.234
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
19:17:40.710318 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:17:43.716807 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:17:49.722827 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:18:00.721660 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags [S], seq 2812651852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:18:03.731702 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags [S], seq 2812651852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:18:09.737746 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags

Not receiving return traffic ,while bypass firewall able connect VPN client ,through firewall can not see return traffic ..

using firewall model Checkpoint 750 small Business.

Any one can guide on further troubleshooting ideas....

Re: HI All,Any one can guide ?

Vladimir — Fri, 27 Jul 2018 15:17:17 GMT

Please be more specific:

What kind of VPN? IPSec or SSL?

VPN from where to where?

When you are bypassing firewall, are you unloading the policy or are physically bypassing it?

If second, what IP is assigned to the client and by which device?

Describe the topology of your setup.

Re: HI All,Any one can guide ?

Kim_Moberg — Fri, 27 Jul 2018 16:27:36 GMT

Does this rely to r80.10? Might be a bug

https://community.checkpoint.com/thread/7267-tcpdump-r8010

Thanks

Kim

Re: HI All,Any one can guide ?

Vladimir — Fri, 27 Jul 2018 17:40:06 GMT

I do not think 750 appliance are capable of running R80.10.

My money is on simple configuration error.

Re: HI All,Any one can guide ?

Shivajith_S — Sat, 28 Jul 2018 05:05:29 GMT

HI Vladimir ,

please find the topology..

The Arrows segregating both network (2 different networks) .There is no internet connection,2 separate lease lines With Different brand FW VPN client able to connect , same implementation done with Checkpoint firewall instead of WAN int in fig 1 ,using LAN 5 as show in fig 5.

All required rules allowed(selected strict option) ,able to ping until ISP interfaces ,icmp not allowed dst ip ,while try to establish VPN connection can see out going traffic for ex: PC A to dst ip 172.20.106.234 as per logs which in shared to before .

same issue for both networks

Not able to find where the incoming traffic dropping ...SSL VPN client not connecting its showing not responded .

Firewall is Checkpoint 750 small business firewall ,R77.20.

kindly share if got any idea ....

Re: HI All,Any one can guide ?

Vladimir — Sat, 28 Jul 2018 13:04:40 GMT

"Strict" policy explicitly prohibits all internal networks from talking to each other, so we'll have to dig a bit to figure out what is going on.

the IP you are showing is the RFC1918 address, so you are not going over connections to ISPs, but private lines that should be connected to other internal interfaces.

To verify, please include screenshots of:

Your routing settings:

Your configuration for ISP redundancy and NAT for the gateway, i.e.:

SSL Inspection Policy and Inspections:

And Firewall NAT policy settings (same screenshot as depicted here) and NAT Rules (3):

If the settings in the above section (2) are set to "On", turn it off, apply settings and try again.

Change Access Control Policy from "Strict" to "Standard" and attempt to establish SSL VPN.

For troubleshooting, use "fw monitor" command (please lookup sk describing its usage). The iIoO depicting traversal of the firewall's interfaces.

[Expert@drawbridge]# fw monitor -e "src=172.20.106.234 or dst=72.30.35.10 ,accept;"
fw: getting filter (from command line)
fw: compiling
monitorfilter:
Compiled OK.
fw: loading
fw: monitoring (control-C to stop)
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=12540 seq=3195
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=12540 seq=3196
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=12540 seq=3197
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=12540 seq=3198

If changing the policy from "Strict" to "Standard" worked, look closer at the rules you've created while using "Strict" policy.

Re: HI All,Any one can guide ?

Shivajith_S — Sat, 28 Jul 2018 15:04:21 GMT

In this scenario there is no ISP redundancy , here PC A,PC B should communicate respective dst as show in figure with arrows. ( as mention 1 and 2 in fig),here 1 and 2 are separated network .
that's why implemented with LAN 5 ( separated from LAN Switch ),DMZ instead using WAN int ( for example 1 as shown fig ) .
also tried with standard policy and with INT WAN (instead of LAN 5 ) for Network 1 able to ping to ISP 1 interface directly connected INTERFACE.Can not initiate VPN .
Until Firewall interface only under my control from LAN PC's .
Routing are directly connected ,
NAT is turned off as you mentioned .
The option which you mentioned SSL VPN inspection need to check with HTTPS categorization mode on my side weather how its working
With same setup will check with Standard Policy .

Thanks for your valuable replies ..

Re: HI All,Any one can guide ?

Normen_Sam-Sin3 — Sat, 28 Jul 2018 19:23:43 GMT

Nah, those 700 SMB GW’a are running on Gaia embedded R77.20.x and not (yet) on R80.

Re: HI All,Any one can guide ?

Kim_Moberg — Sun, 29 Jul 2018 06:38:08 GMT

I just saw you were using tcpdump with parametre -Penni and it also generated an error. This Tim Hall found as a bug. I dont know if this could be the issue.

I would have removed the parametre to first see if traffic flows as expected.

I think Vladimir Yakovlev got a point about a misconfiguration.

Thanks

Kim

Re: HI All,Any one can guide ?

Shivajith_S — Mon, 30 Jul 2018 16:23:40 GMT

Hi All , Thanks for giving valuable info ,Special thanks to Vladimir ..

The issue got resolved its because of anti spoofing dropping.And modified routing and policy configuration .Now it working with Strict mode.In Cli globally disable the anti spoofing.