Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Iron

Packet dropped (by forwarded between external interfaces)

Jump to solution

Hi, fellow checkmates,

 

Some customers complained about the connectivity with a server, and running "fw ctl zdebug drop" I caught the traffic being dropped as follow: "[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.63.4:52527 -> 10.0.202.102:5060 dropped by fw_outbound_licensing_checks Reason: forwarded between external interfaces, limited license;"

 

On the Internet, I came across a piece of information that says the firewall cannot routing traffic between two external interfaces if it doesn't have a license for it. By the way, I read that on a very old post.    

 

Anyway, I'm clueless. Can anyone help me here?

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
Highlighted
check out sk65043, I think it applies to your situation

View solution in original post

5 Replies
Highlighted
check out sk65043, I think it applies to your situation

View solution in original post

Highlighted
Iron
I get it, but the thing about this sk is the solution, in particular the clarification part, and the support that I got from Check Point. The clarification part says I can fix the issue with a license like "CPSG-C-8-U". I'm sure the number 8 is about the core, and the U is unlimited. But "what is unlimited?", I asked CP support. They said it's about the remote access quantity. However, now I'm pretty sure it's about the number of hosts that will be protected by the Security Gateway. In my case, it's 50 hosts, since my license is "CPSG-C-1-50", right?
0 Kudos
Highlighted
Admin
Admin

You can look by yourself into any cp.macro file on any of your firewalls: 

Security Gateway Container for Security Gateways with 8 cores and Unlimited users

Highlighted
Admin
Admin
Yes, that license allows you to have up to 50 hosts behind your gateway.
An additional limitation we place on host- limited licenses is we do not allow traffic to be routed between interfaces that are marked as External.
This is where the error message comes from.
To resolve this issue, you either need to change your configuration so you're not routing traffic between External interfaces or get a different license.

Note that we have not sold host-limited licenses like this for a decade.
All current Open Server licenses support unlimited hosts.

One other limitation with your existing license is only a single processor core is supported.
Modern versions will definitely benefit from use of additional processor cores that modern Open Server appliances have.
You can receive trade-in credit for your existing license and get one that supports the appropriate number of cores for your hardware.
Highlighted
Iron
Thanks, everyone! By the way, I fixed the issue changing one of the external interfaces to internal, and we will try to upgrade the license ASAP using trade-in credit.
0 Kudos