https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99529#M4272 <P>My guess is it’s a bug of some sort.<BR />What does fw ctl zdebug drop say?</P> Tue, 20 Oct 2020 02:45:38 GMT PhoneBoy 2020-10-20T02:45:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99483#M4267 <P><SPAN class="test-id__field-value slds-form-element__static slds-grow is-read-only" data-aura-rendered-by="40:34920;a"><SPAN class="uiOutputTextArea" data-aura-rendered-by="30:34920;a" data-aura-class="uiOutputTextArea">Customer has a 1530 SMB appliance in Strict policy mode. He uses a manual rule to enable ping to the GW from internal nets. In firmware R80.20.05 (992001134) this works as expected, but in R80.20.10 (992001491) (and maybe since R80.20.05 (992001208)), ping is dropped by the cleanup rule. <BR /></SPAN></SPAN></P> <P><SPAN class="test-id__field-value slds-form-element__static slds-grow is-read-only" data-aura-rendered-by="40:34920;a"><SPAN class="uiOutputTextArea" data-aura-rendered-by="30:34920;a" data-aura-class="uiOutputTextArea">Question now is with R&amp;D : Is this a Bug or just a new Design ?</SPAN></SPAN></P> Mon, 19 Oct 2020 10:40:05 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99483#M4267 G_W_Albrecht 2020-10-19T10:40:05Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99529#M4272 <P>My guess is it’s a bug of some sort.<BR />What does fw ctl zdebug drop say?</P> Tue, 20 Oct 2020 02:45:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99529#M4272 PhoneBoy 2020-10-20T02:45:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99548#M4273 <P>We did not need to ask fw ctl zdebug drop - according to the logs, ping is dropped by the cleanup rule. The rule not working is:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ping.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8499i2B0C58439CC71948/image-size/large?v=v2&amp;px=999" role="button" title="ping.png" alt="ping.png" /></span></P> <P>If you substitute the GW object by the GW IP it will match...</P> Tue, 20 Oct 2020 07:47:22 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99548#M4273 G_W_Albrecht 2020-10-20T07:47:22Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99932#M4292 <P><FONT face="times new roman,times" size="4">No bug - R&amp;D answered:</FONT></P> <P><STRONG><FONT face="times new roman,times" size="4"><BR />Well, for now this is new design. Please use IP based rules for such scenarios.</FONT></STRONG></P> Fri, 23 Oct 2020 08:41:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-to-1530-GW-from-internal-net-dropped/m-p/99932#M4292 G_W_Albrecht 2020-10-23T08:41:51Z