topic Re: can't ping gateway firewall even i install policy any to any in Off Topic

can't ping gateway firewall even i install policy any to any

ilirz — Wed, 05 Apr 2023 05:46:46 GMT

I lost communication with a gateway checkpoint open server R 77.30 after installed a simple policy where i allowed a service.

I can not ping even from the Lan network the to Lan interfaces.

Has anyone faced this problem ?

After that i did fw unloadlocal command to the gateway ,at this moment I ping from the Lan of the branch the gateway of checkpoint at branch but not pass traffic to the center.

the route and all thing are ok. just gateway firewall not let traffic to pass from the LAN.

license of this gateway firewall has more than 10 years but is never expire does it have to do with the license?

Re: can't ping gateway firewall even i install policy any to any

Chris_Atkinson — Wed, 05 Apr 2023 07:15:49 GMT

Are you attempting to ping from a directly connected subnet or elsewhere, was the gateway rebooted?

The "fw unloadlocal" command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the Security Gateway (Cluster Member).

Note: R77.30 is no longer supported please refer:

https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support

Re: can't ping gateway firewall even i install policy any to any

ilirz — Wed, 05 Apr 2023 07:16:17 GMT

Thanks Chris, i ping frpm the lan network directly connected with checkpoint gateway.

I rebooted also but the same problem.

I have facing the same problem with 3 other gateway open server R 77.30 .

After policy install they not let traffic to pass and no logs for traffic.

Re: can't ping gateway firewall even i install policy any to any

Timothy_Hall — Wed, 05 Apr 2023 15:56:17 GMT

You have an antispoofing problem, correct your interface and topology settings on your gateway object(s), run fw unloadlocal on the gateways then reinstall policy to them.

Re: can't ping gateway firewall even i install policy any to any

ilirz — Thu, 06 Apr 2023 11:42:48 GMT

Hi Timothy

I have faced the same problem with 3 checkpoint gateway open server R77.30.

At the moment that i installed new policy the communication with gateway lost and even from local lan direct connected can not ping local checkpoint gateway.

Does it have to do with the license or the version r 77.30 because those security gateway have been licensed since 2012 and license say never.

I can not find the reason why it happen in a short time with three gateway after policy install both of them are R 77.30 and licensed since 2012 only FW, VPN, IA?

Re: can't ping gateway firewall even i install policy any to any

Timothy_Hall — Thu, 06 Apr 2023 11:53:26 GMT

It is not your license, it is your topology definitions. After installing policy to your gateway and things aren't working, run these commands:

fw ctl set int fw_antispoofing_enabled 0

sim feature anti_spoofing off; fwaccel off; fwaccel on

Do things work now? It is your topology definitions that have a problem, your issue has nothing to do with your license.

Re: can't ping gateway firewall even i install policy any to any

the_rock — Thu, 06 Apr 2023 11:58:38 GMT

Just do basic zdebug command on the fw when you have this issue...yea, R77.30 is not supported since few years back, but this has zero to do with the version : - ). Anyway, say if you are coming from 10.50.10.50 pinging the fw, when it fails, just ssh to the box and run below from expert mode:

fw ctl zdebug + drop | grep 10.50.10.50

the observe the drops, it would show you the behavior

You can also do following -> fw monitor -e "accept host(10.50.10.50) and icmp;"

Hope those help.

Andy

Re: can't ping gateway firewall even i install policy any to any

Chris_Atkinson — Thu, 06 Apr 2023 12:10:40 GMT

Whilst I agree with @Timothy_Hall

Can you also confirm the JHF/Jumbo used with these gateways and do they use proxy-arp?