We are working on an issue with one of our remote offices. The site has two 5600 appliances in a cluster; the issue occurring is in regards to a sudden spike of traffic from the Check Point gateway's external interface talking out to DigiCert over port 80. The return traffic tends to be excessive enough to cause the Cisco edge switch to start dropping packets. This causes the SSL VPN to go down, causing disconnections for the remote workforce out there.
Not really sure why the gateway would be receiving so much traffic from digicert. Anyone seen this behavior before?
If you have HTTPS Inspection enabled and/or the gateway is R80.40, I suspect it’s because we are validating certificates in flight.
That is done out-of-band.
Hello Dameon,
No https inspection and running 80.10. It looks like the IP resolves to ocsp.digicert.com
So I am guessing this is something going wrong with OCSP every few hours. The issue lasts for about 5 to 10 minutes before going away. It seems to happen approximately every 4 hours but sometimes misses the 4 hour mark.
Regards,
Nandhu
That’s definitely CRL validation.
I recommend a TAC case to assist in investigation.
Are you sure traffic source is your gateway, not something behind from the internal network which will be NATed?
Maybe some suspicious clients are doing excessive CRL validations.
Wolfgang
Hello Dameon and Wolfgang,
We are looking at some of the automation scripts that the QA teams use. But the timing of their requests and traffic on the firewall does not match up.
We do have a TAC case open and I am in the process of collecting debugs.
Nandhu
Dear Nandhu,
How did it go with this case? We face something similar here, yet it seems that the connection is initiated by the firewall itself and not something internal and NATted to it, because of the curl_cli that is related.
[Expert@fw1:0]# lsof -n -i :80
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
curl_cli 2343 admin 10u IPv4 33694501 TCP <fwIP>:47426->93.184.220.29:http (ESTABLISHED) ( ---> ocsp.digicert.com )
Any updates regarding this?
Thank you.
Best Regards,
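The `lsof` line above is what settles the question Wolfgang raised: `lsof` only lists sockets owned by processes on the gateway itself, so a `curl_cli` entry talking to port 80 is gateway-initiated, not NATed traffic from an internal host. As an added example (not from the thread or from Check Point), here is a small parser that takes `lsof -n -i :80` output and counts outbound connections per local process and remote host, so a burst of OCSP/CRL fetches from one process stands out. The sample output is constructed; the IP-to-hostname mapping is an assumption taken from the poster's note that 93.184.220.29 resolved to ocsp.digicert.com at the time.

```python
"""Attribute outbound port-80 connections to local processes from lsof output.

Added example, not code from the forum thread or from Check Point. The sample
lsof output below is constructed; the responder mapping is an assumption based
on the thread's remark that 93.184.220.29 resolved to ocsp.digicert.com.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample of `lsof -n -i :80` (not captured from a real gateway).
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE   DEVICE SIZE NODE NAME
curl_cli  2343 admin  10u  IPv4 33694501      TCP 10.0.0.1:47426->93.184.220.29:http (ESTABLISHED)
curl_cli  2351 admin  10u  IPv4 33694520      TCP 10.0.0.1:47430->93.184.220.29:http (ESTABLISHED)
curl_cli  2360 admin  10u  IPv4 33694533      TCP 10.0.0.1:47431->93.184.220.29:http (SYN_SENT)
httpd     1200 admin   4u  IPv4 12345         TCP *:http (LISTEN)
wget      4100 admin   3u  IPv4 33694600      TCP 10.0.0.1:50010->198.51.100.7:http (ESTABLISHED)
"""

# Assumed mapping of responder IP to hostname (reverse lookups change over time).
KNOWN_RESPONDERS: Dict[str, str] = {"93.184.220.29": "ocsp.digicert.com"}


class Connection(NamedTuple):
    command: str
    pid: int
    user: str
    local: str
    remote_ip: str
    remote_port: str
    state: str


def parse_lsof(text: str) -> List[Connection]:
    """Return one Connection per lsof row that has a remote peer (NAME contains '->').

    Listening sockets ('*:http (LISTEN)') have no peer and are skipped. The
    columns are whitespace-separated; the trailing '(STATE)' token is optional.
    """
    conns: List[Connection] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        command, pid, user = parts[0], int(parts[1]), parts[2]
        if parts[-1].startswith("("):
            state, name = parts[-1].strip("()"), parts[-2]
        else:
            state, name = "", parts[-1]
        if "->" not in name:
            continue  # no remote peer: listener or unbound socket
        local, remote = name.split("->", 1)
        # rsplit keeps bracketed IPv6 literals like [2001:db8::1]:http intact
        remote_ip, remote_port = remote.rsplit(":", 1)
        conns.append(Connection(command, pid, user, local, remote_ip, remote_port, state))
    return conns


def summarize(conns: List[Connection],
              responders: Dict[str, str] = KNOWN_RESPONDERS) -> Counter:
    """Count connections per (local command, remote host).

    Every row here is by definition initiated by a local process, which is the
    distinction between gateway-originated traffic and NATed client traffic.
    """
    counts: Counter = Counter()
    for c in conns:
        host = responders.get(c.remote_ip, c.remote_ip)
        counts[(c.command, host)] += 1
    return counts


if __name__ == "__main__":
    # In practice feed this with: lsof -n -i :80 | python3 this_script.py
    for (command, host), n in summarize(parse_lsof(SAMPLE_LSOF)).most_common():
        print(f"{n:4d}  {command:<10} -> {host}")
```

Running the summary a few times during one of the spikes (and once outside it) shows whether the connection count from `curl_cli` to the responder climbs during the event, which is the data worth attaching to a TAC case alongside the debugs.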
Good Morning,
We pulled digicert certs from the firewall, followed by a jumbo and reboot. Seems to have cleared out the issue on our end. We added back the cert for one of our sslvpn firewalls and are not seeing the behavior anymore.
The problem now is that we do not know which of the 3 things we did solved the issue. I wish I could have been more helpful.
Regards,
Nandhu