This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jacneto
Participant
‎2020-03-05 07:03 AM

Packet dropped (by forwarded between external interfaces)

Jump to solution

Hi, fellow checkmates,

 

Some customers complained about the connectivity with a server, and running "fw ctl zdebug drop" I caught the traffic being dropped as follow: "[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.63.4:52527 -> 10.0.202.102:5060 dropped by fw_outbound_licensing_checks Reason: forwarded between external interfaces, limited license;"

 

On the Internet, I came across a piece of information that says the firewall cannot routing traffic between two external interfaces if it doesn't have a license for it. By the way, I read that on a very old post.    

 

Anyway, I'm clueless. Can anyone help me here?

0 Kudos
1 Solution

Accepted Solutions
Benedikt_Weissl
Advisor
‎2020-03-05 07:34 AM

Jump to solution
check out sk65043, I think it applies to your situation

View solution in original post

5 Replies
Benedikt_Weissl
Advisor
‎2020-03-05 07:34 AM

Jump to solution
check out sk65043, I think it applies to your situation
jacneto
Participant
‎2020-03-05 08:14 AM
In response to Benedikt_Weissl

Jump to solution
I get it, but the thing about this sk is the solution, in particular the clarification part, and the support that I got from Check Point. The clarification part says I can fix the issue with a license like "CPSG-C-8-U". I'm sure the number 8 is about the core, and the U is unlimited. But "what is unlimited?", I asked CP support. They said it's about the remote access quantity. However, now I'm pretty sure it's about the number of hosts that will be protected by the Security Gateway. In my case, it's 50 hosts, since my license is "CPSG-C-1-50", right?
0 Kudos
_Val_
Admin
Admin
‎2020-03-05 08:26 AM
In response to jacneto

Jump to solution

You can look by yourself into any cp.macro file on any of your firewalls: 

Security Gateway Container for Security Gateways with 8 cores and Unlimited users

PhoneBoy
Admin
Admin
‎2020-03-05 06:10 PM
In response to jacneto

Jump to solution
Yes, that license allows you to have up to 50 hosts behind your gateway.
An additional limitation we place on host- limited licenses is we do not allow traffic to be routed between interfaces that are marked as External.
This is where the error message comes from.
To resolve this issue, you either need to change your configuration so you're not routing traffic between External interfaces or get a different license.

Note that we have not sold host-limited licenses like this for a decade.
All current Open Server licenses support unlimited hosts.

One other limitation with your existing license is only a single processor core is supported.
Modern versions will definitely benefit from use of additional processor cores that modern Open Server appliances have.
You can receive trade-in credit for your existing license and get one that supports the appropriate number of cores for your hardware.
jacneto
Participant
‎2020-03-09 07:54 AM
In response to PhoneBoy

Jump to solution
Thanks, everyone! By the way, I fixed the issue changing one of the external interfaces to internal, and we will try to upgrade the license ASAP using trade-in credit.
0 Kudos
Labels