Hi All,
We are facing a weird issue with a particular IP accessing an IP in another subnet.
Example:
Host1 - 10.10.10.10 - Behind interface eth1.10
Host2 - 20.20.20.20 - Behind interface eth1.20
When we ping from 10.10.10.10 to 20.20.20.20, the access is not working.
When I run tcpdump on eth1.10 I can see the traffic hitting the interface, but I am not seeing it when I run tcpdump on eth1.20.
When I run fw monitor I am not seeing any traffic at all, even after running it with SecureXL disabled.
I ran fw ctl zdebug drop | grep 10.10.10.10 and I am not seeing any drops either. So I am not sure what is happening to the traffic. Any suggestions, please?
If you do not see any traffic on the FW even when acceleration is disabled, it is most probably an external networking issue. Please check the routing, and also check that ARP of eth1.1 appears on the adjacent networking devices.
Hi Val,
Thank you for the input. I can see both hosts' ARP entries on the firewall on the respective interfaces. I can see traffic on the source interface; for example, the echo request packet can be seen on eth1.10, but I am not seeing the same packet on eth1.20. So traffic is seen on the source interface but not after that. Not even zdebug is helping me to find the packet. 😞
What does fw monitor show you?
Hi Val,
Fw monitor shows nothing.
Looks like an ARP issue to me. Check @Timothy_Hall's recommendation below.
When I run tcpdump on eth1.10 I can see the traffic hitting the interface, but I am not seeing it when I run tcpdump on eth1.20.
Use the -e flag with your tcpdump on eth1.10. Does the destination MAC address correspond to the firewall's interface? If not, the frame is showing up in your tcpdump because the interface is placed in promiscuous mode while tcpdump is running, but because the destination MAC does not match the firewall's interface, the frame is not being picked up off the wire for handling on the firewall.
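The destination-MAC check suggested in the reply above, as an added example that is not part of the original thread: it reads `tcpdump -e -n` text output and labels each frame by whether its destination MAC is the firewall interface. The function names, the sample capture lines and all MAC addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify frames in `tcpdump -e -n` text output by destination MAC.

# Constructed sample capture (MAC addresses are made up for illustration).
sample_capture() {
cat <<'EOF'
12:00:01.000001 00:50:56:aa:bb:01 > 00:1c:7f:11:22:33, ethertype IPv4 (0x0800), length 98: 10.10.10.10 > 20.20.20.20: ICMP echo request, id 7, seq 1, length 64
12:00:02.000001 00:50:56:aa:bb:01 > 00:1c:7f:99:88:77, ethertype IPv4 (0x0800), length 98: 10.10.10.10 > 20.20.20.20: ICMP echo request, id 7, seq 2, length 64
12:00:03.000001 00:50:56:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.10.1 tell 10.10.10.10, length 46
EOF
}

# classify_frames FW_MAC: reads tcpdump -e -n lines on stdin, prints one verdict per frame.
#   to-firewall             destination MAC is the firewall interface, frame is handled
#   broadcast-or-multicast  group bit set in the first octet (e.g. ARP requests)
#   foreign-mac             unicast to another MAC; visible only because tcpdump
#                           put the interface in promiscuous mode
classify_frames() {
  awk -v fw="$1" '
    BEGIN { fw = tolower(fw) }
    $3 == ">" {
      dst = tolower($4)
      sub(/,$/, "", dst)               # strip the comma tcpdump prints after the MAC
      if (dst == fw) {
        verdict = "to-firewall"
      } else if (substr(dst, 2, 1) ~ /[13579bdf]/) {
        verdict = "broadcast-or-multicast"
      } else {
        verdict = "foreign-mac"
      }
      printf "%s src=%s dst=%s\n", verdict, tolower($2), dst
    }'
}

# Live use (assumed invocation):
#   tcpdump -l -e -n -i eth1.10 icmp | classify_frames <MAC of eth1.10>
sample_capture | classify_frames "00:1C:7F:11:22:33"
```

Any `foreign-mac` line for the ping traffic means the sending host or its upstream device resolved the gateway to a MAC that is not the firewall's, which matches a packet seen by tcpdump but absent from fw monitor.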
Hi Timothy,
Thank you for your suggestion. We actually found the issue, and it is yet to be fixed. I will update on this once resolved.