This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bob_Zimmerman
Authority
Authority
Thursday

Deleting an Interface Alias

I hit a "fun" issue today. Already reported it to the TAC, but thought I'd share. I added an alias to an interface to help capture some traffic. When I tried to delete the alias, it instead deleted the main IP from the interface. I saw it on R81.20 jumbo 41 in production and reproduced it here on an R81.10 jumbo 150 lab firewall:

[Expert@TestFW]# ip addr show | grep eth2
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000

[Expert@TestFW]# clish

TestFW> set interface eth2 ipv4-address 10.20.30.40 mask-length 24

TestFW> add interface eth2 alias 172.16.32.64/32

TestFW> save config

TestFW> exit

[Expert@TestFW]# clish -c "show configuration" | grep eth2
set interface eth2 state on 
set interface eth2 auto-negotiation on 
set interface eth2 ipv4-address 10.20.30.40 mask-length 24 
add interface eth2 alias 172.16.32.64/32 

[Expert@TestFW]# ip addr show | grep eth2
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth2
    inet 172.16.32.64/32 brd 172.16.32.64 scope global eth2:1

[Expert@TestFW]# clish

TestFW> delete interface eth2 alias 172.16.32.64/32

TestFW> save config

TestFW> exit

[Expert@TestFW]# ip addr show | grep eth2
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    inet 172.16.32.64/32 brd 172.16.32.64 scope global eth2:1

[Expert@TestFW]# clish -c "show configuration" | grep eth2
set interface eth2 state on
set interface eth2 auto-negotiation on
add interface eth2 alias 172.16.32.64/32

I've tried it with numbers which don't correspond to an address on any interface, and letters which don't correspond to an interface name. Always the same result. It looks like "delete interface <name> alias <almost anything>" just gets translated to "delete interface <name> ipv4-address". This makes dealing with aliases wildly dangerous.

0 Kudos
13 Replies
PhoneBoy
Admin
Admin
Friday

That definitely sounds like a bug.

Curious why you used an interface alias here to “help capture some traffic.”
Maybe a manual proxy arp would have had worked instead?

0 Kudos
Bob_Zimmerman
Authority
Authority
Friday
In response to PhoneBoy

Somebody reported a problem connecting to some website. In packet captures, no public address associated with this site was ever tried, but a connection was attempted to an internal address which doesn't exist in the environment. Nobody on the application team knew what that was, so I had to find a way to get the request the client was trying to make of the non-existent thing.

Enter an alias IP and netcat. That allows the firewall to respond with the SYN-ACK to get the client's actual request (HTTP GET, TLS Client Hello with SNI, etc.), to point more concretely to what could be causing the connection.

0 Kudos
the_rock
Legend
Legend
Friday

I just tested it in the lab, R81.10. R81.20, R82, different interfaces, worked just fine, I could delete it from web UI, clish, no problems at all.

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
Friday
In response to the_rock

You can delete the alias when you specify eth2:1 or whatever, but if you specify any other value at all, it deletes the primary IP instead.

0 Kudos
the_rock
Legend
Legend
Friday
In response to Bob_Zimmerman

Im not following, sorry...can you clarify please?

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
Friday
In response to the_rock

  1. Bring up an interface. Give it an IPv4 address. It doesn't need to actually be connected to anything.
  2. Add an alias to the interface.
  3. Save config, exit clish, check the interface IPs via ifconfig or 'ip addr show'.
  4. Go back into clish and run 'delete interface <name> alias thisAliasDoesNotExist'.
  5. Exit clish and check the interface IPs again.
0 Kudos
the_rock
Legend
Legend
Friday
In response to Bob_Zimmerman

will test it soon.

0 Kudos
the_rock
Legend
Legend
Friday
In response to Bob_Zimmerman

Since I cant add one more nic to vm now, can i test with new vlan?

0 Kudos
Bob_Zimmerman
Authority
Authority
Friday
In response to the_rock

Just tried it and yes, an alias on a subinterface shows the same behavior.

TestFW> add interface eth2 vlan 50
TestFW> set interface eth2.50 ipv4-address 10.20.30.40 mask-length 24
TestFW> add interface eth2.50 alias 192.168.144.120/32
TestFW> save config
TestFW> exit

[Expert@TestFW]# ip addr show | grep eth2.50
13: eth2.50@eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth2.50
    inet 192.168.144.120/32 brd 192.168.144.120 scope global eth2.50:1

[Expert@TestFW]# clish
TestFW> delete interface eth2.50 alias thisAliasDoesNotExist
TestFW> exit

[Expert@TestFW]# ip addr show | grep eth2.50
13: eth2.50@eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
    inet 192.168.144.120/32 brd 192.168.144.120 scope global eth2.50:1

 

0 Kudos
the_rock
Legend
Legend
Friday
In response to Bob_Zimmerman

Seems okay to me?

Andy

 

Using username "admin".
admin@172.16.10.249's password:
Send automatic password
Access denied
admin@172.16.10.249's password:
Last login: Thu Aug 15 14:21:03 2024
[Expert@CP-GW:0]#
[Expert@CP-GW:0]# clish
CP-GW> show interface

eth0 eth1 eth2 lo
CP-GW> sh interface eth2
CLINFR0329 Invalid command:'sh interface eth2'.
CP-GW> sh interface eth2
CLINFR0329 Invalid command:'sh interface eth2 '.
CP-GW> show interface eth2
state on
mac-addr 50:01:00:07:00:02
type ethernet
link-state link up
mtu 1500
auto-negotiation off
speed 1000M
ipv6-autoconfig Not configured
monitor-mode off
duplex full
link-speed 1000M/full
comments
ipv4-address 192.168.10.249/24
ipv6-address Not Configured
ipv6-local-link-address Not Configured

Statistics:
TX bytes:0 packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:38955375371 packets:93456625 errors:0 dropped:0 overruns:0 frame:0

SD-WAN: Not Configured
CP-GW>
CP-GW> add interface eth2 vlan 77
CP-GW> set interface eth2.77 ipv4-a
CP-GW> set interface eth2.77 ipv4-address 11.12.13.14 mask-le
CP-GW> set interface eth2.77 ipv4-address 11.12.13.14 mask-length 24
CP-GW> add interface eth2.77 alias
CP-GW> add interface eth2.77 alias 44.45.46.47/32
CP-GW> save config
CP-GW> exit
[Expert@CP-GW:0]# ip addr show | grep eth2.77
7: eth2.77@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 11.12.13.14/24 brd 11.12.13.255 scope global eth2.77
inet 44.45.46.47/32 brd 44.45.46.47 scope global eth2.77:1
[Expert@CP-GW:0]#
[Expert@CP-GW:0]# clish
CP-GW> delete interface

eth0 eth1 eth2
eth2.77 lo
CP-GW> delete interface eth2.77
6in4 - Delete 6in4
alias - interface Interface
ipv4-address - Interface IP address
ipv6-address - Interface IPv6 address
loopback - delete loopback interface
sdwan - Deletes the SD-WAN configuration of the interface
vlan - Delete VLAN
CP-GW> delete interface eth2.77 alias
CP-GW> delete interface eth2.77 alias eth2.77:1
CP-GW> delete interface eth2.77 alias eth2.77:1
CP-GW> save config
CP-GW> exit [Expert@CP-GW:0]# ip addr show | grep eth2.77
7: eth2.77@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 11.12.13.14/24 brd 11.12.13.255 scope global eth2.77
[Expert@CP-GW:0]#

0 Kudos
Bob_Zimmerman
Authority
Authority
Friday
In response to the_rock

If you enter the correct value (in your case, eth2.77:1), sure, the alias gets deleted.

If you enter no value, it gives you an error.

If you enter any of the infinite number of incorrect values (say you make a typo and you tell it to 'delete interface eth2.77 alias eth2.77.1' instead of eth2.77:1), it deletes the main IP instead of complaining that it couldn't find the alias.

0 Kudos
the_rock
Legend
Legend
Friday
In response to Bob_Zimmerman

Ah yes, I see what you mean, correct. That definitely could be a bug.

Andy

0 Kudos
the_rock
Legend
Legend
Friday
In response to Bob_Zimmerman

Dang, thats crazy, I totally see your point now. I just did below and it did the same thinng.

Andy

 

CP-GW> delete interface eth2.77 alias testalias
CP-GW> save config
CP-GW> exit
[Expert@CP-GW:0]# clish
CP-GW> sh interf
CLINFR0329 Invalid command:'sh'.
CP-GW> show interf
interface - Show a specific interf ace's configurations
interfaces - Lists all interfaces
CP-GW> show interface
interface - Show a specific interf ace's configurations
interfaces - Lists all interfaces
CP-GW> show interface

eth0 eth1 eth2
eth2.77 lo
CP-GW> show interface eth2.
CP-GW> show interface eth2.77
state on
mac-addr 50:01:00:07:00:02
type vlan
link-state not available
mtu 1500
auto-negotiation off (eth2)
speed 1000M (eth2)
ipv6-autoconfig Not configured
monitor-mode Not configured
duplex full (eth2)
link-speed 1000M/full (eth2)
comments
ipv4-address Not Configured
ipv6-address Not Configured
ipv6-local-link-address Not Configu red

Statistics:
TX bytes:0 packets:0 errors:0 dropp ed:0 overruns:0 carrier:0
RX bytes:0 packets:0 errors:0 dropp ed:0 overruns:0 frame:0

SD-WAN: Not Configured
CP-GW>

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events