This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
buridango
Explorer
‎2020-08-30 05:53 AM
Jump to solution

No access to Internet

Hello, Everyone!

 

I have an issue with Check Point Security Gateway R80.10. Clients cannot access Internet resources (for example http/https web-pages), though they can ping External IPs and DNS (8.8.8.8 and google.com). I have default access policy as accept all, threat prevention policy is disabled, Automatic NAT. Looking for help to resolve this issue. For http/https traffic log shows accept, check screenshots below, thanks in advance.

 

1.JPG2.JPG3.JPG4.JPG

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2020-08-30 08:37 AM
Jump to solution

If ping works but nothing else, it usually means other traffic is being denied by your APCL/URLF layer.  Ping is not an application (and need only match a rule in the Network/Firewall policy layer) but practically everything else including DNS is.  Click the Matched Rules tab on your log card.

Beyond that run fw ctl zdebug drop and try to pass some traffic.  If you don't see a drop in that output it is a routing (or possibly NAT) issue of some kind.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

0 Kudos
7 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-08-30 08:37 AM
Jump to solution

If ping works but nothing else, it usually means other traffic is being denied by your APCL/URLF layer.  Ping is not an application (and need only match a rule in the Network/Firewall policy layer) but practically everything else including DNS is.  Click the Matched Rules tab on your log card.

Beyond that run fw ctl zdebug drop and try to pass some traffic.  If you don't see a drop in that output it is a routing (or possibly NAT) issue of some kind.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-08-30 10:26 AM
In response to Timothy_Hall
Jump to solution

Or a little bit more important they cannot do DNS... try to ping www.google.com and see if it resolves.

Regards, Maarten
0 Kudos
buridango
Explorer
‎2020-08-30 11:58 AM
In response to Maarten_Sjouw
Jump to solution

Thanks for Reply.

 

As I mentioned earlier, icmp available by IP and DNS, so this is not a problem.

0 Kudos
buridango
Explorer
‎2020-08-30 11:58 AM
In response to Timothy_Hall
Jump to solution

Thanks for Reply, Timothy

I issued command fw ctl zdebug drop and there drops fom one address subnet I don't have:


;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10400 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10401 -> 108.177.14.101:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10399 -> 162.159.129.233:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10400 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10402 -> 35.186.224.47:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10396 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
Defaulting all kernel debugging options

 

Here tab matched rules

5.JPG

0 Kudos
buridango
Explorer
‎2020-08-30 12:04 PM
In response to buridango
Jump to solution

Okay, I found solution. I have PPPoE and Checkpoint has something called SecureXL wich is in conflict, I disabled and everything is working now.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-30 02:31 PM
In response to buridango
Jump to solution

In R80.20+, disabling SecureXL isn’t required.
More specifically, SecureXL will automatically not accelerate PPPoE interfaces without requiring you to disable SecureXL entirely.

0 Kudos
_Val_
Admin
Admin
‎2020-08-30 11:37 PM
In response to PhoneBoy
Jump to solution

In fact, you cannot completely disable SXL in R80.20+ anymore

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events