katarina_
Participant

Dynamic objects from ACI not working

Hello Community,

We have an issue with dynamic objects imported from ACI and used in Access Control policy.

When we use static network objects, the traffic works fine. But when we replace it with dyn obj (imported from ACI) for the same subnet, the traffic does not match the rule and gets dropped by cleanup.

Environment:

  • Check Point is synced with Identity Awareness on the gateway
  • Check Point does not show any error in logs regarding the dynamic object
  • In SmartConsole, the dynamic object shows the correct hosts inside
  • With fw ctl zdebug + drop, we see traffic dropped by cleanup rule when the dynamic object is used as destination.

Tech Specs:

  • Hyperscale Maestro Solution 9700 running VS
  • Product version Check Point Gaia R81.20
  • HOTFIX_R81_20_JUMBO_HF_MAIN Take: 113

Is this a known limitation or bug when using ACI dyn objects?

Are there any recommendations for debugging this further, or a known fix/workaround other than replacing with a static subnet?

Thanks in advance!

K.

0 Kudos
1 Reply
Chris_Atkinson
Employee

Are the drops seen in debugs definitely for active machines?

Anything of interest in: cloud_proxy.elg?

What do you see with "pep show user query cid a.b.c.d"?

CCSM R77/R80/ELITE
0 Kudos