- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
I have a strange issue where the firewall does not match traffic to spefic rule and ultimately drops the traffic on the cleanup rule.
firewall cluster in HA using VRRP
The rule i expect it to match on is rule 67 whereas cleanup is rule 112 in this policy
The rule looks similar to;
Object_group_src -> Object_group_Dst on TCP/3389 permit and place into vpn community
within the object_group_src there are approx 14 different subnets. all subnets within this group have no issues except for the subnet 10.10.25.0/24, which for some reason bypasses the rule and goes straight to cleanup.
I have checked and quadruple checked the src, dst and service and all should match the rule as intended but the logs still show dropped against the cleanup rule.
I have done a packet capture and confirmed the traffic matches the rule, i have installed policy and database.
I have attempted to create a specific rule to match the traffic to no avail it still goes straight to cleanup.
now i am at a loss
The only things i can see that i can try now is failover the cluster to see if this is just a problem isolated to the single member and or disable secureXL to see if this is misbehaving with the traffic in someway.
any advice would be appreciated.
Using R80.10 if that matters.
It almost seems like your peer does not include the 192.168.34.0/24 in its encryption domain.
That is exactly it Vladimir. Putting the VPN community in the VPN column will not force traffic into the tunnel as interesting, only the VPN domains can do that. @Northy please provide the VPN domain configuration for your firewall and the object representing your VPN peer. If these are not correct it doesn't matter what your rulebase says which is why the rule is being skipped.
There any NATing going on for this tunnel?
I bet that this is a VPN issue.
Both Source (10.10.25.0/24) and Destination are in correct VPN encryption domains? Does VPN in the rule match correct VPN community ?
It almost seems like your peer does not include the 192.168.34.0/24 in its encryption domain.
That is exactly it Vladimir. Putting the VPN community in the VPN column will not force traffic into the tunnel as interesting, only the VPN domains can do that. @Northy please provide the VPN domain configuration for your firewall and the object representing your VPN peer. If these are not correct it doesn't matter what your rulebase says which is why the rule is being skipped.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 70 | |
| 23 | |
| 7 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Tue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY