This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Noah_T
Participant
‎2021-05-20 04:16 PM

Same traffic being accepted and dropped

I'm experiencing an issue where same traffic(same source, source port, destination and destination port) is being accepted by a rule and also being dropped by cleanup rule.

 

Accept traffic settings:

Accepted by rule 121 with TCP Service Object - "MS-SQL-Server" (Protocol set to None and Match by Port 1433, Override global domain settings is chosen in 'Advanced' Tab). We have NAT happening on this traffic

Source:10.208.34.143 Destination:10.247.158.45 Service: MS-SQL-Server . This is being NAtted to SNAT:160.xx.xx.xx DNAT: 10.154.204.xx

We have static route on the firewall for both original destination and Natted destination as below

10.247.158.0/24 to x.x.x.x

10.154.204.0/24 also to x.x.x.x

 

The traffic is being accepted and natted ( we see this on CLM logs) but right below that we also see traffic being dropped. The only difference is accept traffic is on 'Mgmt' interface and dropped traffic is on another interface 'eth3'. 

The gateways are on R80.20

Any thoughts on why this is happening ? 

 

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-05-21 08:09 AM

Please provide the redacted log cards for both an accepted connection and one that is denied by the cleanup rule, ideally for the same connection if possible (indicated by an identical source port outbound and identical destination port inbound). 

If the connection being denied on the cleanup rule is some kind of "pinholed" connection with a dynamically allocated port (such as FTP data connections), that would generally indicate the firewall is not aware of or is missing the dynamic port allocation and therefore denying it as a "new" connection on the cleanup rule.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Noah_T
Participant
‎2021-05-21 09:49 AM
In response to Timothy_Hall

Hi Timothy, 

Thank you for the reply.

Surprisingly the issue is resolved without anyone doing any correction. 

Unfortunately I cannot share the log cards due to DLP issues. I believe Firewall was treating the same packet in two ways 

1) It was allowed by a rule then nat being performed on it and routed to external interface(eth3)

2)the same packet was routed to external interface(eth3) and this packet was coming back on eth3 interface(as per the routing on the next hop router) and being dropped by the firewall hitting the cleanup rule.

 

 

 

0 Kudos
Noah_T
Participant
‎2021-05-21 10:04 AM
In response to Timothy_Hall

Uploaded the log records. Thanks ! 

 

Currently the issue is resolved, not sure how !!

Preview file
74 KB
Preview file
56 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events