This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
A_KOUADIO
Contributor
‎2023-01-27 03:35 AM

The packets from a source to a destination in one path and takes a different path when it returns

When i initiate a trafic is drop or match another rule, so i need to create another rule for the return trafic.

explain.png

 See the screenshot

Labels
0 Kudos
17 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-01-27 08:31 PM

Have you confirmed the routing is correct end-to-end and that anti-spoofing is set correctly?

Is there any NAT involved and could you please share a better/clearer screenshot?

CCSM R77/R80/ELITE
0 Kudos
A_KOUADIO
Contributor
‎2023-01-28 03:32 PM
In response to Chris_Atkinson

Routing is correct.

antispoofing is set correctly.

I will check the NAT.

Do you think that it is normal (correct) to have return trafic as new entry in log without nat the trafic ?

Preview file
59 KB
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-01-28 04:10 PM
In response to A_KOUADIO

This screenshot appears different to the original, can you provide the more detailed log cards for both flows?

There is some suggestion here that's proxy is involved, are only some ports/redirected to the proxy and others NAT different?

CCSM R77/R80/ELITE
0 Kudos
A_KOUADIO
Contributor
‎2023-01-30 04:29 AM
In response to Chris_Atkinson

I didn't understand your message but the client has a proxy in his intranet.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-01-28 09:10 AM

I would agree totally with what Chris said. 99% of the time, its either NAT, routing or anti-spoofing (or combination of all of them).

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
A_KOUADIO
Contributor
‎2023-01-29 12:51 AM
In response to the_rock

Ok I will check the cpinfo file today to verify?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-29 02:18 AM
In response to A_KOUADIO

What will you check how in cpinfo ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
A_KOUADIO
Contributor
‎2023-01-30 12:41 AM
In response to G_W_Albrecht

As i said, I am currently looking for the cause of the asymmetric routing

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-30 01:01 AM
In response to A_KOUADIO

But how to accomplish this in cpinfo ? Never heard of routing issues resolved by cpinfo analysis...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
A_KOUADIO
Contributor
‎2023-01-30 01:11 AM
In response to G_W_Albrecht

I don't have access to the appliance, so i will analyze on my side the cpinfo file and after that i will contact the customer to have clear understanding of the issues.

0 Kudos
_Val_
Admin
Admin
‎2023-01-30 01:30 AM
In response to A_KOUADIO

I do not think you will find all answers in the CPInfo. In most cases, asymmetric routing is caused by external factors. 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-30 03:53 AM
In response to A_KOUADIO

Great - which tool are you using ? Or do you search in the cpinfo text ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
A_KOUADIO
Contributor
‎2023-01-30 04:21 AM
In response to G_W_Albrecht

CheckPoint Diagnostics View

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-01-30 05:18 AM
In response to A_KOUADIO

Hey @A_KOUADIO ,

I think what @_Val_ and @G_W_Albrecht are saying is that its very unlikely you would find an answer as to why assymetric routing happens from cpinfo file review, as thats simply the config file from the firewall. Here is what I would run and examine carefully the output. So, just as an example, say the source is 10.10.10.10 and dst is 20.20.20.20, try commands like below:

fw monitor -e "accept host(10.10.10.10) and dst(20.20.20.20);"

fw monitor -e "accept host(20.20.20.20) and dst(10.10.10.10);"

fw minitor -e "accept host(10.10.10.10) or dst(20.20.20.20);"

Alternatively, you can also use below command. Idea is to filter for src IP, src port, dst IP, dst IP, protocol

fw monitor -F "10.10.10.10,0,20.20.20.20,0,0" -F "20.20.20.20,0,10.10.10.10,0,0"

I can also suggest a website my colleague made ages ago to help people with captures on different platforms (its very useful)

https://tcpdump101.com/#

Hope all this helps you.

Cheers,

Andy

Best,
Andy
"Have a great day and if its not, change it"
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-29 12:04 AM

Dropped by Access Rule Number 1225 ???

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
A_KOUADIO
Contributor
‎2023-01-29 12:49 AM
In response to G_W_Albrecht

Because the source port match another rule.

As I said previously, the return traffic is dissociated from the going trafic so it match another rule or drop by the cleanup rule.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-29 02:17 AM
In response to A_KOUADIO

I would not use 1225 rules - but that should not cause asymmetrical routing afaik...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events