There is no ping to the DMZ

Hello Check Mates.

There are 2 local networks. For example, first local with PCs and the second one is

There are a lot of rules on the Check Point Security Gateway, but all of them are changed to Accept.

In the global properties Accept ICMP is disabled. Although I changed it to First, then to Before Last, neither of them helped.

Also there are NO LOGS about ICMP except nbmudp (Idk how to write it correctly) to that host, which is allowed. In the Track field, logging was enabled on all rules in the policy.

I have only one explanation of that: this is a lag of SmartConsole or Gateway.

Is that possible? Have you ever faced that problem? Is lagging of Check Point able to do this?

2 Replies

The best way to troubleshoot this is what I like to call "follow the bouncing packet."

Pick a host in one subnet and ping one in the target one.

Use tcpdump or fw monitor to see if the ICMP Echo Request packet from the source arrives on the appropriate interface.

I can provide more guidance if you answer the following questions:

  1. Does the ICMP Echo Request from the host arrive at the gateway on the expected interface? (If not, it's probably a routing issue elsewhere unrelated to the firewall)
  2. Does the ICMP Echo Request from the host leave the gateway towards the destination host on the expected interface? (If not, that will require some troubleshooting)
  3. If the ICMP Echo Request is sent towards the host, does an ICMP Echo Reply arrive from the destination host on the same interface? (If not, it's probably a routing/ARP issue)
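As an added example (not code from the reply above or from Check Point), here is a small Python script that applies those three questions to a capture taken on the gateway. It assumes the line format that tcpdump 4.99+ prints for `tcpdump -i any -nn icmp` (interface and In/Out columns); the interface names, addresses and capture lines are constructed, and fw monitor output would need a different parser.

```python
import re

# Constructed sample capture (not from the thread), in the format printed by
# `tcpdump -i any -nn icmp` on tcpdump 4.99+ (interface and In/Out columns assumed).
# eth1 = inside LAN interface, eth2 = DMZ interface; both names are assumptions.
SAMPLE_CAPTURE = """\
10:00:01.000001 eth1  In  IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 7, seq 1, length 64
10:00:01.000050 eth2  Out IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 7, seq 1, length 64
10:00:02.000001 eth1  In  IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 7, seq 2, length 64
10:00:02.000050 eth2  Out IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 7, seq 2, length 64
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return one dict per ICMP echo line; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def follow_the_bouncing_packet(packets, src, dst, inside_if, dmz_if):
    """Answer the three questions from the reply above for one src/dst pair.

    Verdicts:
      'no-request-in'  step 1 failed: routing problem before the gateway
      'no-request-out' step 2 failed: the gateway dropped or misrouted the request
      'no-reply'       step 3 failed: routing/ARP problem on the destination side
      'ok'             the reply came back through the gateway
    """
    def seen(kind, direction, iface, s, d):
        return any(p["kind"] == kind and p["dir"] == direction and p["iface"] == iface
                   and p["src"] == s and p["dst"] == d for p in packets)

    if not seen("request", "In", inside_if, src, dst):
        return "no-request-in"
    if not seen("request", "Out", dmz_if, src, dst):
        return "no-request-out"
    if not seen("reply", "In", dmz_if, dst, src):
        return "no-reply"
    return "ok"


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    # The sample shows requests entering and leaving but no reply: the same
    # symptom as in this thread, pointing at the DMZ host rather than the policy.
    print(follow_the_bouncing_packet(pkts, "192.168.1.10", "10.0.0.5", "eth1", "eth2"))
```

Run it on the gateway against a saved capture (`tcpdump -i any -nn icmp -w` then `-r`) or paste the text output in; a verdict other than 'no-request-out' means the firewall policy is not the place to keep looking.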

Thank you, Dameon! It's certainly useful information for my future issues.

The problem was solved. You're right, it may be related to the routing through appropriate interfaces. So the client changed an interface on the DMZ server and the ping appeared.
