Kul
Contributor

can ping internet but unable to browse

Hello everyone,

I would appreciate it if anyone could suggest some solutions.

 

I have configured the firewall in bridge mode. It is in a distributed system running R80.10 on both management and firewall.

I have this issue of not being able to browse, but I can ping the internet and the logs show the traffic as accepted.

When I bypass the firewall it works fine.

All hotfixes and licenses are aligned and there is no issue with them.

Below is the troubleshooting summary:

-- Checked for the drops on firewall but not getting any logs for the test machine.

-- Firewall is accepting the traffic and it is reaching the ISP router as well, but the communication is not happening.

-- Ping is happening properly but unable to access the same in browsers.

-- Disabled threat prevention blades, application and URL filtering blade but the same issue.

-- Then enabled blades again, still the same issue.

-- You have checked with the ISP router by directly connecting the desktop, and then you are not facing any kind of issues while accessing.

-- Created one more profile, installed the policy but no luck.

0 Kudos
9 Replies
Vladimir
Champion

If you are not seeing drops, are you seeing allows? If so, please post the log for the egress traffic here for both, ICMP and HTTP/HTTPS.

Please check in global properties as well as the properties of the network object from which you are trying to browse the settings for NAT. Check the NAT rules as well.

As the firewall is in bridge mode, NAT should not be configured.

Also, check for dropped packets due to anti-spoofing:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

0 Kudos
Nick_Doropoulos
Advisor

Hi Kul,

If you can ping the Internet but can't browse then you probably don't have DNS as an allowed service on the relevant policy.

Can you check if that is the case?
0 Kudos
Baasanjargal_Ts
Advisor

I think you need to add an ACCEPT rule for DNS.

Maybe it can be: Any Any DNS ACCEPT.

0 Kudos
Kul
Contributor

Sure, will do it once and I shall update you.

Chris_Atkinson
Employee

Some questions for additional context:

Where are you performing the 'ping' test from and what is the destination?

How have you defined the gateway topology and are you using the "Internet" object anywhere in your policy?

CCSM R77/R80/ELITE
0 Kudos
Kul
Contributor

Yes, I have defined the gateway topology.
I have tried using any to internet and also any to any.
Still no luck.
0 Kudos
Kul
Contributor

I did the ping test from users. I can ping but can't browse.
0 Kudos
Kul
Contributor

Finally solved the issue with the steps below.

ICMP redirect packets by running 'fw ctl set int fw_icmp_redirects 1' on the fly (does not survive after the reboot).

-- Issue got resolved after setting this parameter and changing the maximum percentage of state table capacity allowed for non-TCP connections to 70% in the Inspection settings.

Christopher_To
Collaborator

Hi Kul,

 

Have you encountered this issue after making the changes?

0 Kudos
