Matlu
Advisor

No traffic to FW CP.

Hello, world.

I have an environment similar to this:

LAN -> SWCORE -> Firewall CP -> INTERNET

We currently have an IPsec VPN set up against a FG.
For the moment everything is working "fine" (except for the observation that the blessed FG's VPN stops going down every so often, but on the CP side everything is fine).

When the VPN is up and running, we have the problem that the IP of the SRV on our side, which is going to pass through the VPN, generates traffic to the destination behind the FG, but the CP "does not see anything coming".
I have run commands like "tcpdump", "fw monitor" and "fw ctl zdebug drop", and the CP does not see "anything" of the traffic generated by the SRV (at least it should see that it reaches the Firewall, but we do not see anything).

This could be a routing problem????

It is worth mentioning that from the same GW (Check Point), I do a simple PING test to the SRV on our side, and it does work.
Well, I am already confused: "why" does the connection to the SRV work from my side, but why don't I "see" traffic coming to my GW when the test is launched from the same server? 😞

The IP of my SRV is 10.7.12.64

[Attached image: SRV.png]

I would appreciate it if you could support me with any opinion that can clarify my doubt.

The IP of the SRV is inside the VPN DOMAIN on my side, and the security rule is well constructed.

Cheers. 🙂

3 Replies
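As an added worked example (not code from this thread, and not Check Point's own tooling), here is a small Python script that reads the text output of `tcpdump -nni any host 10.7.12.64` taken on the CP gateway and answers the one question the thread hinges on: does the server's own traffic ever arrive at the gateway, or are the only packets involving 10.7.12.64 the answers to the gateway's own pings? The capture lines are constructed for the example, 192.0.2.10 stands in for a host behind the FG, and the classification rules (an ICMP echo reply from the server counts as return-path traffic, anything else sourced from it counts as server-initiated) are my assumptions.

```python
"""Classify a tcpdump text capture from the gateway by whether the server's
own traffic ever arrives. Example code written for this thread, not taken
from the thread or from Check Point."""
import re
import sys
from collections import Counter

SRV_IP = "10.7.12.64"   # the server from the thread

# One line of `tcpdump -nni any` text output. tcpdump 4.99+ prints the
# interface and direction ("eth1  In ") when capturing on "any"; older
# releases omit both, so that group is optional. IPv6 lines are ignored.
LINE_RE = re.compile(
    r"^\S+\s+"                                          # timestamp
    r"(?:(?P<iface>\S+)\s+(?P<dir>In|Out|P|B)\s+)?"     # optional iface + direction
    r"IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?"       # source IP, optional port
    r"\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"    # destination IP, optional port
    r"\s*(?P<info>.*)$"                                 # protocol details
)

# Constructed capture: the gateway (10.7.12.1) pings the SRV and gets answers,
# another LAN host (10.7.12.33) reaches the gateway on its way to the remote
# subnet, but the SRV itself never appears as the originator of anything.
SAMPLE_CAPTURE = """\
12:00:01.000001 eth1  Out IP 10.7.12.1 > 10.7.12.64: ICMP echo request, id 7, seq 1, length 64
12:00:01.000400 eth1  In  IP 10.7.12.64 > 10.7.12.1: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000001 eth1  Out IP 10.7.12.1 > 10.7.12.64: ICMP echo request, id 7, seq 2, length 64
12:00:02.000400 eth1  In  IP 10.7.12.64 > 10.7.12.1: ICMP echo reply, id 7, seq 2, length 64
12:00:05.000000 eth1  In  IP 10.7.12.33.44512 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
""".splitlines()

# Constructed line that would appear once the SRV's traffic really reaches the gateway.
REACHING_LINE = ("12:00:06.000000 eth1  In  IP 10.7.12.64.51000 > 192.0.2.10.443: "
                 "Flags [S], seq 1, win 64240, length 0")

NEXT_STEP = {
    "REACHES_GW": "Packets from the server arrive: fw monitor / fw ctl zdebug drop "
                  "can now show what the policy does with them.",
    "RETURN_PATH_ONLY": "Only answers to the gateway's own probes arrive. The server "
                        "reaches the gateway when replying, but its own traffic to the "
                        "remote subnet is routed elsewhere: check 'ip route get <remote>' "
                        "on the server and the core switch's route for that subnet.",
    "NOTHING_SEEN": "No packet mentions the server at all: check the capture filter and "
                    "interface, then the server's default route and the core switch.",
}

def parse_line(line):
    """Return the fields of one tcpdump line, or None if it is not an IPv4 line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["iface"] = fields["iface"] or "?"    # old tcpdump: interface unknown
    return fields

def summarize(lines, srv_ip):
    """Count packets involving srv_ip per interface.
    'initiated' = packets the server originated (anything from srv_ip that is
    not an ICMP echo reply); 'replies' = echo replies from srv_ip, i.e. only
    answers to probes the gateway sent; 'to_srv' = packets addressed to it."""
    initiated, replies, to_srv = Counter(), Counter(), Counter()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] == srv_ip:
            if "ICMP echo reply" in p["info"]:
                replies[p["iface"]] += 1
            else:
                initiated[p["iface"]] += 1
        elif p["dst"] == srv_ip:
            to_srv[p["iface"]] += 1
    return {"initiated": dict(initiated), "replies": dict(replies), "to_srv": dict(to_srv)}

def diagnose(summary):
    """Collapse the summary into one of the three situations in NEXT_STEP."""
    if summary["initiated"]:
        return "REACHES_GW"
    if summary["replies"] or summary["to_srv"]:
        return "RETURN_PATH_ONLY"
    return "NOTHING_SEEN"

if __name__ == "__main__":
    # Pipe real output in ("tcpdump -nni any host 10.7.12.64 | python3 this.py")
    # or run without input to see the constructed sample.
    lines = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    result = summarize(lines, SRV_IP)
    verdict = diagnose(result)
    print(result)
    print(verdict, "-", NEXT_STEP[verdict])
```

On the constructed sample the verdict is RETURN_PATH_ONLY, which is the situation described in the post: the gateway's ping to the SRV is answered, so the SRV-to-GW path exists for that flow, yet nothing the server initiates towards the remote subnet arrives; that separates the gateway's policy from the route the server and the core switch use for that destination, which is where the two teams need to look together. Only a REACHES_GW verdict makes the fw monitor and fw ctl zdebug drop results meaningful.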
the_rock
Legend

Hey bro,

Ok, here is the simple question...do you even see any of that traffic reaching the firewall? Because if not, nothing can be dropped to begin with.

Andy

Matlu
Advisor

Buddy, how are you?

I don't "see anything", but the Networking "team" "dies in their law" and claims that it is not a "routing problem".

I have come to believe that it has to do with Routing, because if I don't see traffic coming to the CP Firewall, how the hell is the Firewall going to know what to do, hahaha.

But it becomes a "fight" between security and networking teams. hehehe.

The only observation I have is that if I filter the SMC logs for the last 7 days, I do find certain records of the SRV IP, which is 10.7.12.64 (a few days ago we tested the VPN connection), but now when we try to test, simply, there are no logs and no traffic arrives at the CP.

I don't know how "relevant" it is, but for this IP 10.7.12.64 the previous administrator, I don't know why, left "several objects" created with this same IP, and I had the impression that this could be causing a "conflict".
I decided to delete all the objects that seemed useless to me, and only the one object that really has several references for other types of connections has kept working.

Even so, when testing, you simply do not see anything in the Check Point.

Cheers 🙂

the_rock
Legend

Maybe a simple network diagram would help, with the traffic flow in question. But again, if that traffic does not hit the firewall, how can the firewall do anything with it? Not to sound ironic now, but it would be the same if I asked you to rev up your car to 100 km/h, but I take the gas pedal out : - )
