Hello everyone,
I would appreciate it if anyone could suggest some solutions.
I have configured the firewall in bridge mode. It is in a distributed system running R80.10 on both management and firewall.
I have this issue of not being able to browse, but I can ping the internet and the logs show the traffic as accepted.
When I bypass the firewall it works fine.
All hotfixes and licenses are aligned and there is no issue with it.
Below is the troubleshooting summary:
-- Checked for drops on the firewall but not getting any logs for the test machine.
-- The firewall is accepting the traffic and it is reaching the ISP router as well, but the communication is not happening.
-- Ping is happening properly but unable to access the same in browsers.
-- Disabled threat prevention blades, application and URL filtering blade, but the same issue.
-- Then enabled blades again, still the same issue.
-- You have checked with the ISP router by directly connecting the desktop, then you are not facing any kind of issues while accessing.
-- Created one more profile, installed the policy but no luck.
If you are not seeing drops, are you seeing allows? If so, please post the log for the egress traffic here for both ICMP and HTTP/HTTPS.
Please check in global properties as well as the properties of the network object from which you are trying to browse the settings for NAT. Check the NAT rules as well.
As the firewall is in bridge mode, NAT should not be configured.
Also, check for dropped packets due to anti-spoofing:
I think you need to add an ACCEPT rule for DNS.
Maybe it can be: Any Any DNS ACCEPT.
Sure, will do it once and I shall update you.
Some questions for additional context:
Where are you performing the 'ping' test from and what is the destination?
How have you defined the gateway topology and are you using the "Internet" object anywhere in your policy?
Finally solved the issue with the below steps.
icmp redirect packets by running 'fw ctl set int fw_icmp_redirects 1' on the fly (does not survive after the reboot).
-- Issue got resolved, after setting this parameter, and changed the maximum percentage of state table capacity allowed for non-TCP connections to 70% in the Inspection settings.
Hi Kul,
Have you encountered this issue after making the changes?