This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ramasubramaniya
Participant
‎2021-10-20 10:22 AM

CCP drop packets in R81

Hi Team,

We are in a progress of migrating the Checkpoint hardware from 4400 to 6600.

Old hardware is running on R77.30 and new hardware is already upgraded to R81.

Old hardware running with VRRP Cluster

New hardware running with ClusterXL

Both hardware are connecting on same switch

But the new Firewall cluster is experiencing the below error message.

@;162960;[vs_0];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162960;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162960;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162960;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;
@;162961;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> 10.0.0.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 781;

0 Kudos
12 Replies
the_rock
MVP Diamond
MVP Diamond
‎2021-10-20 11:26 AM

Is that implicit clean up rule number 781?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ramasubramaniya
Participant
‎2021-10-20 10:14 PM
In response to the_rock

Yes it is a implicit deny rule 

the_rock
MVP Diamond
MVP Diamond
‎2021-10-21 05:00 AM
In response to Ramasubramaniya

You may wish to engage TAC, because to me, if you think about it logically, since I am pretty sure your rule base had not changed, there is no reason why this would be happening. I get its clusterXL instead of VRRP, but still. So based on the drop, it shows its UDP protocol and port 8116, which is clustering, so one thing I would try to do it maybe quickly just run zdebug only for port 8116 and also fw monitor for that specific port and see what you get.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2021-10-20 10:40 PM

@Ramasubramaniya You don't happen to have implied rules disabled ?

Ramasubramaniya
Participant
‎2021-10-21 12:52 AM
In response to HristoGrigorov

You mean to Disable the implied rule?

We kept it to log the traffic getting denied on the firewall, and it's really important for troubleshooting

HristoGrigorov
MVP Gold
MVP Gold
‎2021-10-21 12:55 AM
In response to Ramasubramaniya

No, I was asking if Implied Rules are already disabled. If they are enabled leave them like that; problem is somewhere else.

Ramasubramaniya
Participant
‎2021-10-21 08:28 AM
In response to HristoGrigorov

Anyone please help on this topic

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-10-21 08:30 AM
In response to Ramasubramaniya

You may want to open support case, because this would need some more in depth troubleshooting, for sure.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Yair_Shahar
Employee
Employee
‎2021-10-31 02:46 AM
In response to Ramasubramaniya

Hi,

 

Did sk132672 help you to resolve this issue?

 

Yair

KostasGR
Advisor
‎2021-10-22 06:43 AM

Hello 

I think you are matching sk132672

BR,
Kostas

the_rock
MVP Diamond
MVP Diamond
‎2021-10-22 06:50 AM
In response to KostasGR

Very good point Kostas!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ramasubramaniya
Participant
‎2021-10-31 05:48 PM
In response to the_rock

Hi Team,

 

Thanks a lot for the kind replies. I tried sk132672 but does not help in my case.

As i already said the switch is connected with Current R81 Cluster and the R77.30 VRRP Cluster.

I lately realized this packets are coming from VRRP cluster since the Cluster mode is Mutlicast in the R77.30 Cluster.

I confirmed this by capturing packet on the R77.30 cluster and found same 0.0.0.0:8116 -> 10.0.0.0:8116 packets are exchanging over there.

So it's good say it's our design issue. Once again thanks all for the recommendations, much appreciated.

 

Ram T S

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events