rmothers
Explorer

Some traffic is being prevented but it looks like it's getting through on logs

I have a deployment of 2 x 5400 Checkpoint Appliances in HA pair running R80.40 and no separate management server (yet).  I have just deployed these firewalls to replace a pair of 4400 appliances which are end of life and would not upgrade.

I'm seeing some rather strange behaviour with certain traffic across these firewalls. I have attached an overview of the network topology. Each LAN (1-7) is connected to a VLAN interface which is set as a cluster; the topology is set as 'This Network (Internal)' with specific subnets that reside within and beyond the individual LANs (LAN 1, for example, has itself and a second class C network) identified as a network group; the security zone is set to 'user defined' and anti-spoofing is set to Prevent and Log. The CONFIG LAN interface is a cluster, its topology is external and set to lead to Internet (although it doesn't go to the internet itself; it routes through to Corporate via another set of firewalls), the security zone is user defined and topology is set to detect and log.

In the LAN identified as CONFIG LAN I have an Active Directory (AD) with 2-way trusts down to each AD in the individual LANs. When I route the traffic between the CONFIG LAN and any of the other individual LANs through these Checkpoints the trusts can no longer validate and DNS cannot resolve a ping to any of the individual LANs. The logs do show the DNS request passing across the Checkpoints. However, this trust was established and working on the recently decommissioned firewalls. An IP-to-IP ping works without issue, as does tracert. I have one or two other applications which exhibit the same behaviour (LAN 5 to LAN 7 on TCP port 8100: I can see it in the logs but the devices at each end aren't able to communicate).

As part of the swap out I implemented some temporary firewalls to route the Information LAN traffic away from the Checkpoints so there was no interruption to that particular traffic flow.  I am able to route the AD Trust traffic across the temporary firewall setup with no issue.  However, there is no redundancy or resiliency within that temporary setup and the devices have very poor logging facility.

I replicated the set-up on the 4400s to the 5400s with a bit of rule tidying (obsolete rules removed and objects grouped appropriately); see screen capture attached. I'm just looking for places to start investigating really, so any suggestions will be welcome. Waiting for support provider to get back to me as well.

I have tried opening the rules wide open to allow the CONFIG LAN domain controllers and the LAN domain controllers to use any service and application but to no effect.

Thanks in advance

Bob

6 Replies
_Val_
Admin

Any drop logs/debugs for this traffic?

rmothers
Explorer

Hi Val

That's one of the issues: there is no dropped traffic showing. I'll post some logs up in a bit; I'll have to reroute some traffic to accommodate.

Bob

rmothers
Explorer

Updated topology attached (forgot connections to LANs 5 & 6)

rmothers
Explorer

Some further screenshots and log output

_Val_
Admin

I think you are missing the point. Did you run any trace and debugs on your security gateways to see what's going on? There are two possibilities:

1. Either packets are getting lost somewhere outside of your GW, or

2. They are being silently dropped by GW.

Traces with "fw monitor" and "fw ctl debug" with the "drop" option should give you a direction where to look.

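As an added example that is not part of the thread (my own code, not Check Point's), here is a small shell helper that turns the two possibilities Val lists into a verdict for one source/destination pair. It assumes you have already captured "fw monitor" output and "fw ctl zdebug + drop" output into text files on the gateway; the capture lines, hosts and ports below are constructed samples, and the exact field layout of real output varies by version, so adjust the matching if your capture looks different.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a triage helper for the two cases Val
# describes (packet lost outside the gateway vs. silently dropped by it).
# Assumed prior steps, run in expert mode on the gateway (standard commands,
# not executed by this script):
#   fw monitor -e "accept src=10.5.0.20 or dst=10.5.0.20;" > /tmp/monitor.txt
#   fw ctl zdebug + drop > /tmp/drops.txt
# Then: classify_flow "$(cat /tmp/monitor.txt)" "$(cat /tmp/drops.txt)" SRC DST
# Everything below is constructed for illustration only.

# Constructed fw monitor output: a TCP SYN from a LAN 5 host to a LAN 7 host on
# port 8100 is seen at the inbound positions (i, I) but never at o or O.
SAMPLE_MONITOR='[vs_0][fw_0] eth1.5:i[60]: 10.5.0.20 -> 10.7.0.30 (TCP) len=60 id=4711
TCP: 51234 -> 8100 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth1.5:I[60]: 10.5.0.20 -> 10.7.0.30 (TCP) len=60 id=4711
TCP: 51234 -> 8100 .S.... seq=1a2b3c4d ack=00000000'

# Constructed kernel drop-debug record for the same packet (shaped like an
# fw_log_drop_ex line; the reason text is a placeholder, not a real reason).
SAMPLE_DROPS=';[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.5.0.20:51234 -> 10.7.0.30:8100 dropped by fw_handle_first_packet Reason: <constructed placeholder reason>;'

# seen_at MONITOR_TEXT SRC DST POS
# Counts packets SRC->DST captured at chain position POS
# (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound).
seen_at() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v pos="$4" '
        index($0, ":" pos "[") && index($0, " " src " -> " dst " ") { n++ }
        END { print n + 0 }'
}

# dropped_by_gw DROP_TEXT SRC DST
# Counts kernel drop records for packets SRC->DST.
dropped_by_gw() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        /fw_log_drop/ && index($0, " " src ":") && index($0, "-> " dst ":") { n++ }
        END { print n + 0 }'
}

# classify_flow MONITOR_TEXT DROP_TEXT SRC DST
# Prints one verdict that says where to look next.
classify_flow() {
    seen_in=$(seen_at "$1" "$3" "$4" i)
    seen_out=$(seen_at "$1" "$3" "$4" o)
    drops=$(dropped_by_gw "$2" "$3" "$4")
    if [ "$seen_in" -eq 0 ]; then
        echo "never_reached_gateway"    # lost before the gateway: routing, switching, host
    elif [ "$seen_out" -gt 0 ]; then
        echo "forwarded_by_gateway"     # left via the outbound chain: look downstream
    elif [ "$drops" -gt 0 ]; then
        echo "dropped_by_gateway"       # kernel logged a drop: read its Reason field
    else
        echo "vanished_inside_gateway"  # seen inbound, no drop record, never outbound
    fi
}

# Demonstration on the constructed samples; prints dropped_by_gateway.
classify_flow "$SAMPLE_MONITOR" "$SAMPLE_DROPS" 10.5.0.20 10.7.0.30
```

The verdict only narrows the search: "dropped_by_gateway" points you at the Reason field of the drop record, "never_reached_gateway" points you outside the gateway, and "vanished_inside_gateway" means the capture itself deserves a second look (for instance, whether the packet path was covered by the capture at all) before concluding anything about the gateway.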
rmothers
Explorer

Issue is now resolved, as the support provider got in touch and immediately suggested applying Jumbo Hotfix (Take 89), as they were still on the base build. I hadn't realised the build I'd used did not have the relevant hotfix bundled with it. Took a while to get them there, but now the traffic is flowing as expected. If you made it this far, thanks for reading.
