This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KM1895
Collaborator
Collaborator
‎2021-07-07 11:59 PM

ssh access issues

 

hi,

 

I have a strange challenge on a cluster. SSH access from a specific jump host is not working.

tcpdump shows that the fw receives the syn packet, but doesnt send any replies back. Smartconsole logs also show that the request is accepted, and there are no antispoofing issues.

i can access the fw on ssh from another location, which kinda adds to the whole mystery.

there is nothing logged when running zdebug drop, so for all intent and purposes, the packet is received, then "vanishes" after that.

Anyone seen anything similar before?

0 Kudos
4 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-07-08 04:56 AM

Sounds like the Gaia OS is "eating" the packet, if you run fw monitor do you see the packet at capture points iI then nothing else?

In the Gaia web interface check the Allowed Hosts screen under System Management...Host Access, you probably have some Gaia-based SSH/HTTPS restrictions defined there.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
Bob_Zimmerman
Authority
Authority
‎2021-07-08 12:06 PM
In response to Timothy_Hall

Would also be worth confirming routing back to the jump host in question. It's possible the firewall is sending the SYN-ACK, just out a different interface than expected. The simplest way to confirm routing is with 'ip route get', like so:

[Expert@LabSC]# ip route get 1.1.1.1
1.1.1.1 via 10.0.1.1 dev eth1 src 10.0.1.253 
    cache

That output says I will use eth1 to get to that destination, and I will use the gateway address 10.0.1.1. My source for transmitted traffic will be 10.0.1.253.

0 Kudos
the_rock
Legend
Legend
‎2021-07-08 07:28 AM

Timothy actually brought up a good point...maybe do fw monitor to see what happens. Allowed Hosts in web GUI could also cause an issue if configured for specific hosts.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-07-08 07:58 AM
In response to the_rock

Yes and because the SSH traffic is to the gateway itself, that traffic will always go F2F so no need to disable SecureXL for the traffic to be visible with fw monitor -e.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top