This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jacneto
Participant
‎2020-03-05 07:03 AM
Jump to solution

Packet dropped (by forwarded between external interfaces)

Hi, fellow checkmates,

 

Some customers complained about the connectivity with a server, and running "fw ctl zdebug drop" I caught the traffic being dropped as follow: "[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.63.4:52527 -> 10.0.202.102:5060 dropped by fw_outbound_licensing_checks Reason: forwarded between external interfaces, limited license;"

 

On the Internet, I came across a piece of information that says the firewall cannot routing traffic between two external interfaces if it doesn't have a license for it. By the way, I read that on a very old post.    

 

Anyway, I'm clueless. Can anyone help me here?

0 Kudos
1 Solution

Accepted Solutions
Benedikt_Weissl
Advisor
‎2020-03-05 07:34 AM
Jump to solution

check out sk65043, I think it applies to your situation

View solution in original post

5 Replies
Benedikt_Weissl
Advisor
‎2020-03-05 07:34 AM
Jump to solution

check out sk65043, I think it applies to your situation
jacneto
Participant
‎2020-03-05 08:14 AM
In response to Benedikt_Weissl
Jump to solution

I get it, but the thing about this sk is the solution, in particular the clarification part, and the support that I got from Check Point. The clarification part says I can fix the issue with a license like "CPSG-C-8-U". I'm sure the number 8 is about the core, and the U is unlimited. But "what is unlimited?", I asked CP support. They said it's about the remote access quantity. However, now I'm pretty sure it's about the number of hosts that will be protected by the Security Gateway. In my case, it's 50 hosts, since my license is "CPSG-C-1-50", right?
0 Kudos
_Val_
Admin
Admin
‎2020-03-05 08:26 AM
In response to jacneto
Jump to solution

You can look by yourself into any cp.macro file on any of your firewalls: 

Security Gateway Container for Security Gateways with 8 cores and Unlimited users

PhoneBoy
Admin
Admin
‎2020-03-05 06:10 PM
In response to jacneto
Jump to solution

Yes, that license allows you to have up to 50 hosts behind your gateway.
An additional limitation we place on host- limited licenses is we do not allow traffic to be routed between interfaces that are marked as External.
This is where the error message comes from.
To resolve this issue, you either need to change your configuration so you're not routing traffic between External interfaces or get a different license.

Note that we have not sold host-limited licenses like this for a decade.
All current Open Server licenses support unlimited hosts.

One other limitation with your existing license is only a single processor core is supported.
Modern versions will definitely benefit from use of additional processor cores that modern Open Server appliances have.
You can receive trade-in credit for your existing license and get one that supports the appropriate number of cores for your hardware.
jacneto
Participant
‎2020-03-09 07:54 AM
In response to PhoneBoy
Jump to solution

Thanks, everyone! By the way, I fixed the issue changing one of the external interfaces to internal, and we will try to upgrade the license ASAP using trade-in credit.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events