I have a deployment of 2 x 5400 Checkpoint Appliances in an HA pair running R80.40 and no separate management server (yet). I have just deployed these firewalls to replace a pair of 4400 appliances which are end of life and would not upgrade.
I'm seeing some rather strange behaviour with certain traffic across these firewalls. I have attached an overview of the network topology. Each LAN (1-7) is connected to a VLAN interface which is set as a cluster; the topology is set as 'This Network (Internal)' with specific subnets that reside within and beyond the individual LANs (LAN 1 for example has itself and a second class C network) identified as a network group; the security zone is set to 'user defined' and anti-spoofing is set to Prevent and Log. The CONFIG LAN interface is a cluster, its topology is external and set to lead to Internet (although it doesn't go to the internet itself, it routes through to Corporate via another set of firewalls), the security zone is user defined and topology is set to detect and log.
In the LAN identified as CONFIG LAN I have an Active Directory (AD) with 2-way trusts down to each AD in the individual LANs. When I route the traffic between the CONFIG LAN and any of the other individual LANs through these Checkpoints, the trusts can no longer validate and DNS cannot resolve a ping to any of the individual LANs. The logs do show the DNS request passing across the Checkpoints. However, this trust was established and working on the recently decommissioned firewalls. An IP to IP ping works without issue, as does tracert. I have one or two other applications which exhibit the same behaviour (LAN 5 to LAN 7 on TCP port 8100 - I can see it in the logs but the devices at each end aren't able to communicate).
As part of the swap out I implemented some temporary firewalls to route the Information LAN traffic away from the Checkpoints so there was no interruption to that particular traffic flow. I am able to route the AD Trust traffic across the temporary firewall setup with no issue. However, there is no redundancy or resiliency within that temporary setup and the devices have very poor logging facility.
I replicated the setup on the 4400s to the 5400s with a bit of rule tidying (obsolete rules removed and objects grouped appropriately); see screen capture attached. I'm just looking for places to start to investigate really, so any suggestions will be welcome. Waiting for support provider to get back to me as well.
I have tried opening the rules wide open to allow the CONFIG LAN domain controllers and the LAN domain controllers to use any service and application but to no effect.
Thanks in advance
Bob
Any drop logs/debugs for this traffic?
Hi Val
That's one of the issues: there is no dropped traffic showing. I'll post some logs up in a bit; I'll have to reroute some traffic to accommodate.
Bob
I think you are missing the point. Did you run any trace and debugs on your security gateways to see what's going on? There are two possibilities:
1. Either packets are getting lost somewhere outside of your GW, or
2. They are being silently dropped by GW.
Traces with "fw monitor" and "fw ctl debug" with the "drop" option should give you a direction where to look.
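One way to turn a kernel drop trace into something you can read per flow, as an added example that is not part of the thread and not a Check Point tool. It assumes you have already captured the output of the gateway's drop debug to a file; the sample lines below are constructed and only approximate the "fw ctl zdebug drop" line format, so adjust DROP_RE if your gateway prints something different.

```python
import re
from collections import Counter

# Constructed sample lines (assumption: the real format on your gateway may differ).
SAMPLE_DEBUG = """\
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 10.10.1.5:52311 -> 10.20.1.5:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 9;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.1.5:49822 -> 10.20.1.5:445 dropped by fw_antispoof_handler Reason: Address spoofing;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.10.1.5:0 -> 10.20.1.5:0 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 9;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.1.5:49823 -> 10.20.1.5:389 dropped by fw_antispoof_handler Reason: Address spoofing;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.5.20:40001 -> 10.10.7.20:8100 dropped by fw_antispoof_handler Reason: Address spoofing;
"""

# proto, src:port -> dst:port, dropping function, free-text reason (up to the closing ';').
DROP_RE = re.compile(
    r"Packet proto=(\d+) (\S+):(\d+) -> (\S+):(\d+) dropped by (\S+) Reason: ([^;]+)"
)

# Ports an AD trust / DNS resolution depends on: DNS, Kerberos, RPC mapper, LDAP, SMB,
# kpasswd, LDAPS and global catalog.
AD_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}


def parse_drops(text):
    """Return one dict per recognised drop line; unrecognised lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        proto, src, sport, dst, dport, func, reason = m.groups()
        drops.append({"proto": int(proto), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "func": func,
                      "reason": reason.strip()})
    return drops


def drop_reasons(text, ports=AD_PORTS):
    """Count drop reasons, restricted to destination ports in `ports` (None = all)."""
    return Counter(d["reason"] for d in parse_drops(text)
                   if ports is None or d["dport"] in ports)


def drops_between(text, src, dst):
    """Sorted (dport, reason) pairs for drops from host `src` to host `dst`."""
    return sorted({(d["dport"], d["reason"]) for d in parse_drops(text)
                   if d["src"] == src and d["dst"] == dst})


if __name__ == "__main__":
    print(drop_reasons(SAMPLE_DEBUG))
    print(drops_between(SAMPLE_DEBUG, "10.10.1.5", "10.20.1.5"))
```

A drop attributed to anti-spoofing on a port the trust needs points back at the interface topology, whereas a rulebase drop points at the policy; either way it is something the access log would not have shown.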
Issue is now resolved as support provider got in touch and immediately suggested applying Jumbo Hotfix (Take 89), as they were still on base build. I hadn't realised the build I'd used did not have the relevant hotfix bundled with it. Took a while to get them there, but now the traffic is flowing as expected. If you made it this far, thanks for reading.