This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Heine_Vargas
Participant
‎2019-07-01 07:14 PM

Security Gateway internal traffic // dropped by stealth rule

Hello all:

I'm relatively new at Check Point things and I have almost one year as a security administrator and currently pursuing the CCSA R80 🙂

 

About two months ago, my SOC colleagues have noticed that it was a dropped traffic alert. When investigating a little further, I noticed that there was dropped traffic from one Security Gatewat to itself (Stealth rule matched), from and to the same source / destination ports, like the example below:

 

(src_IP;src_port, dst_IP:dst_port)

Security_GW_IP:56651 Security_GW_IP:56651
Security_GW_IP:38264 Security_GW_IP:38264
Security_GW_IP:44991 Security_GW_IP:44991
Security_GW_IP:53525 Security_GW_IP:53525
Security_GW_IP:38650 Security_GW_IP:38650
Security_GW_IP:65155 Security_GW_IP:65155
Security_GW_IP:40397 Security_GW_IP:40397
Security_GW_IP:58272 Security_GW_IP:58272
Security_GW_IP:57116 Security_GW_IP:57116
Security_GW_IP:37972 Security_GW_IP:37972
Security_GW_IP:48424 Security_GW_IP:48424
Security_GW_IP:37001 Security_GW_IP:37001
Security_GW_IP:46269 Security_GW_IP:46269
Security_GW_IP:47290 Security_GW_IP:47290
Security_GW_IP:40848 Security_GW_IP:40848
Security_GW_IP:62771 Security_GW_IP:62771
Security_GW_IP:40749 Security_GW_IP:40749
Security_GW_IP:35696 Security_GW_IP:35696
Security_GW_IP:64525 Security_GW_IP:64525
Security_GW_IP:47796 Security_GW_IP:47796

 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

More info:

In the rulebase regarding the implied Security GW, there is first one rule that allows traffic from the security GW to any destination, and then there is the stealth rule.

 

--

At the moment, I have no found anything that can become clearer the reason of that type of traffic. Do you know if there is any kind of service to which we can attribute this behavior. BTW, I have also noticed that it occurs just to Standby security GWs, within a Active / Standby operation mode.

 

Rather than solve a job requirement, I want to learn 🙂

 

Heine_Vargas

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-08-06 04:30 PM

The gateway does loopback traffic to itself, but not to/from the same port.
Did you get this information from SmartLog/SmartView or from your SIEM?
0 Kudos
Heine_Vargas
Participant
‎2019-08-06 04:35 PM
In response to PhoneBoy

Hello Phoneboy, nice to read you:

I got the logs from the SmartConsole Logs tab.

Greetings

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-08-06 05:20 PM
In response to Heine_Vargas

There are several processes the gateway has that "talk to itself"--it would be difficult to isolate exactly what it causing it.
That said, it shouldn't show in the logs.
Might be worth logging a TAC case to investigate.
0 Kudos
Heine_Vargas
Participant
‎2019-08-06 05:39 PM
In response to PhoneBoy

I'm gonna take your advice in account and suggest to my customer to opening a TAC case to investigate.

As an additional info -And the most weird, IMHO- , I have tried to track the Smarconsole traffic mentioned above by issuing fw monitor and tcpdump, and I have no found that traffic within the .pcap file (through wireshark).

I tell you how the case is going ASAP.

Thank you!

Heine

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events