Packet dropped (by forwarded between external interfaces)

Hi, fellow checkmates,

Some customers complained about the connectivity with a server, and running "fw ctl zdebug drop" I caught the traffic being dropped as follows: "[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.63.4:52527 -> 10.0.202.102:5060 dropped by fw_outbound_licensing_checks Reason: forwarded between external interfaces, limited license;"

On the Internet, I came across a piece of information that says the firewall cannot route traffic between two external interfaces if it doesn't have a license for it. By the way, I read that on a very old post.

Anyway, I'm clueless. Can anyone help me here?

Accepted Solutions
Re: Packet dropped (by forwarded between external interfaces)

Check out sk65043; I think it applies to your situation.

Re: Packet dropped (by forwarded between external interfaces)

I get it, but the thing about this sk is the solution, in particular the clarification part, and the support that I got from Check Point. The clarification part says I can fix the issue with a license like "CPSG-C-8-U". I'm sure the number 8 is about the core, and the U is unlimited. But "what is unlimited?", I asked CP support. They said it's about the remote access quantity. However, now I'm pretty sure it's about the number of hosts that will be protected by the Security Gateway. In my case, it's 50 hosts, since my license is "CPSG-C-1-50", right?
Re: Packet dropped (by forwarded between external interfaces)

You can look by yourself into any cp.macro file on any of your firewalls: 

Security Gateway Container for Security Gateways with 8 cores and Unlimited users

Re: Packet dropped (by forwarded between external interfaces)

Yes, that license allows you to have up to 50 hosts behind your gateway.
An additional limitation we place on host-limited licenses is we do not allow traffic to be routed between interfaces that are marked as External.
This is where the error message comes from.
To resolve this issue, you either need to change your configuration so you're not routing traffic between External interfaces or get a different license.

Note that we have not sold host-limited licenses like this for a decade.
All current Open Server licenses support unlimited hosts.

One other limitation with your existing license is only a single processor core is supported.
Modern versions will definitely benefit from use of additional processor cores that modern Open Server appliances have.
You can receive trade-in credit for your existing license and get one that supports the appropriate number of cores for your hardware.
Re: Packet dropped (by forwarded between external interfaces)

Thanks, everyone! By the way, I fixed the issue by changing one of the external interfaces to internal, and we will try to upgrade the license ASAP using trade-in credit.
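
To triage "fw ctl zdebug drop" output like the line quoted in the first post, the following added example (not part of the original thread and not Check Point code) parses drop lines and counts the flows rejected by fw_outbound_licensing_checks, separating them from other drops. The regex is inferred from that single quoted line; the extra sample lines and the name hypothetical_other_check are constructed for illustration.

```python
import re
from collections import Counter

# Pattern inferred from the one drop line quoted in the thread (an assumption,
# not a documented format).
DROP_RE = re.compile(
    r"Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+);"
)
LICENSE_FUNC = "fw_outbound_licensing_checks"  # function name from the thread


def parse_drop(line):
    """Return the fields of one drop line as a dict, or None if it does not match."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["reason"] = rec["reason"].strip()
    return rec


def licensing_drops(lines):
    """Count (src, dst, dport) flows dropped by the licensing check."""
    flows = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec and rec["func"] == LICENSE_FUNC:
            flows[(rec["src"], rec["dst"], rec["dport"])] += 1
    return flows


SAMPLE = [
    # Line quoted in the thread.
    "[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.63.4:52527 -> 10.0.202.102:5060 dropped by fw_outbound_licensing_checks Reason: forwarded between external interfaces, limited license;",
    # Constructed: same flow retried from a new source port.
    "[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.63.4:52530 -> 10.0.202.102:5060 dropped by fw_outbound_licensing_checks Reason: forwarded between external interfaces, limited license;",
    # Constructed: a drop from a different (hypothetical) check, ignored by the count.
    "[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 10.0.63.9:40000 -> 10.0.202.7:53 dropped by hypothetical_other_check Reason: constructed non-licensing reason;",
    "unrelated line",  # constructed: noise that must not match
]

if __name__ == "__main__":
    for (src, dst, dport), n in licensing_drops(SAMPLE).most_common():
        print(f"{src} -> {dst}:{dport}  licensing drops: {n}")
```

Each flow it reports is a source/destination pair whose path crosses two interfaces marked External, which is the topology to review when deciding between the interface change and the license change described in the replies.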