Tony_Graham
Advisor

Endpoint blocked by Firewall

Any ideas why CP Endpoint would be blocked by the CP Firewall from contacting the update server?

I have 1 system in my environment that is getting stuffed.

The service port is 443, the destination is 209.87.211.157.

Whois reports this is ZoneAlarm.

Sometimes it bangs on range 66.110.49.114-116 which is Kaspersky.

Other times I see 3.5.8.156 which is AWS (no telling which service).

There is no SSL inspection going on and 443 outbound is allowed for the user, so it's a definite oddity.

0 Kudos
7 Replies
PhoneBoy
Admin

Make sure you’re allowing connectivity per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
The “Check Point Services” Updatable Object includes the stuff listed here.

Tony_Graham
Advisor

I will look into that but why would this affect only 1 user?

0 Kudos
the_rock
Legend

If it's only one user, then it does not really sound like it's a fw issue, but that's just my logical assumption. Do you have any relevant logs from the dashboard you can attach?

Andy

0 Kudos
the_rock
Legend

Had to actually verify that sk once with customer what @PhoneBoy gave, so definitely good starting point.

0 Kudos
Tony_Graham
Advisor

I kind of digested all the relevant details in the first post. That's all that's available to me in dashboard.

Although it looks like it's a bunch of 'First packet isn't SYN'. Again it only occurs with this one user.

0 Kudos
the_rock
Legend

That message needs some captures, for sure. Do fw monitor and tcpdump to see the path it takes.

0 Kudos
Tony_Graham
Advisor

I am starting to suspect it has something to do with VMware and its NAT connection.

I am going to switch that machine over to Bridged tonight and monitor it some more.

**UPDATE** The problem was with VMware. I deleted the virtual adapter and re-added it, switched to Bridged mode and the problem has gone away.

As a note, VMware Workstation virtual network adapters do not always upgrade correctly when there is a version change or if you ported it around. You can often find 'cruft' in the vmx files from past versions.

My process is to remove the current adapter in VMware. Shut down Workstation, find the .vmx file of the VM you have issues with. Make a copy of it, then I go into the original and search on 'eth', and blast all the entries that match on 'eth' except the one related to the PCI slot number and the MAC address. Save the file, relaunch VMware Workstation, add in a new adapter for the VM and then boot it. You have to take care of any IP things inside of the VM but it will sort out any crazy Ethernet weirdness.

0 Kudos
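The .vmx cleanup described in the update above, as an added Python example (not the poster's own script). It assumes adapter settings are stored as `ethernetN.key = "value"` lines and that the MAC address sits under `address` or `generatedAddress`; it matches only those `ethernetN.` keys rather than every line containing 'eth', and the sample file content is constructed.

```python
import re
import shutil

# Assumption: adapter settings are 'ethernetN.<key> = "value"' lines in the .vmx.
ETH_LINE = re.compile(r"^\s*ethernet\d+\.([A-Za-z0-9_.]+)\s*=", re.IGNORECASE)
# Kept per the post: PCI slot number and MAC address (assumed key names).
KEEP_KEYS = {"pcislotnumber", "address", "generatedaddress"}

# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "constructed-sample-vm"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.vnet = "VMnet8"
ethernet0.virtualDev = "e1000"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:aa:bb:cc"
ethernet0.generatedAddressOffset = "0"
ethernet0.pciSlotNumber = "33"
ethernet1.present = "FALSE"
'''


def clean_vmx(text):
    """Return (cleaned_text, removed_lines); line endings are preserved."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        m = ETH_LINE.match(line)
        if m and m.group(1).lower() not in KEEP_KEYS:
            removed.append(line.rstrip("\r\n"))  # stale adapter setting
        else:
            kept.append(line)  # non-adapter line, PCI slot or MAC
    return "".join(kept), removed


def clean_vmx_file(path):
    """Copy path to path + '.bak', then rewrite path without stale adapter keys."""
    backup = path + ".bak"
    shutil.copy2(path, backup)  # the "make a copy of it" step
    opts = dict(encoding="utf-8", errors="surrogateescape", newline="")
    with open(path, **opts) as fh:
        cleaned, removed = clean_vmx(fh.read())
    with open(path, "w", **opts) as fh:
        fh.write(cleaned)
    return backup, removed


if __name__ == "__main__":
    print("\n".join(clean_vmx(SAMPLE_VMX)[1]))  # lines that would be dropped
```

Run it only with Workstation shut down and the old adapter already removed, then add the new adapter as the post describes.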
