CP R80.10 All latest updates. Routing anomaly
I have a user that is trying to access a specific website. If I run an nslookup on the website I get the IP for that host. If I try to run a traceroute to that host it goes nowhere, and I mean nowhere. Even better, the CP logs do not log the event. If I try it from our backup link with a non-CP device, it routes to the host without issue. What can I do to determine why this specific site is being blocked? I have tried adding specific exemptions and rules to allow the traffic but to no avail.
Labels: Policy Installation, SmartConsole
Tags: no route to host
Hi Tony,
The first step is to understand the path the packets take.
- Why does the traceroute to the destination website not show anything at all?
- What is the default gateway of the user's machine? The Check Point firewall?
- Does fw ctl zdebug drop show any drops?
- Which blades do you have enabled in this environment?
- How do you switch the user's traffic to the alternative, non-Check Point link?
Alisson Lima
The site we are dealing with is lotustalk.com. Traceroute to, say, google.com on the same workstation works fine. The default gateway is a Check Point 3200. To switch to the alternative link for tests I simply change the default gateway of the workstation to point at the non-Check Point device. Each link does have a different ISP. I have IPS/Anti-Bot/Antivirus and I use GeoPolicy. There have been no recent changes to the firewall. Access to lotustalk.com began failing February 5.
traceroute to lotustalk.com (35.241.38.148), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
etc...
Do you actually permit ICMP and log it?
Please check Global Properties first; if ICMP and Implied Rules logging are not enabled there, create an explicit rule in your policy for this purpose.
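The checklist in Alisson's reply and the all-stars traceroute Tony posted come down to two questions: did any hop (in particular hop 1, the Check Point gateway) ever answer, and does the gateway's drop debug show the packet being dropped on its way to 35.241.38.148? The helper below is an added example written for this thread, not code from CheckMates or Check Point. The traceroute text and the drop lines are constructed samples; the drop lines imitate the style of `fw ctl zdebug + drop` output, whose exact wording varies between releases, so the regex is kept loose and would need checking against your own gateway's output.

```python
import re
from typing import Optional

# Constructed traceroute output reproducing the symptom in the thread: no hop replies at all.
TRACEROUTE_ALL_STARS = """\
traceroute to lotustalk.com (35.241.38.148), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
"""

# Constructed comparison output where the first hop (the default gateway) does reply.
TRACEROUTE_GATEWAY_REPLIES = """\
traceroute to example.invalid (192.0.2.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.398 ms  0.390 ms
 2  * * *
 3  192.0.2.10 (192.0.2.10)  9.100 ms  9.050 ms  8.990 ms
"""

# Constructed lines in the style of `fw ctl zdebug + drop` on the gateway. The exact
# wording differs between releases; this is an approximation, not a captured log.
ZDEBUG_DROP_SAMPLE = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.50:0 -> 35.241.38.148:0 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.1.50:51234 -> 35.241.38.148:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_2];[fw4_0];fw_log_drop_ex: Packet proto=17 192.168.1.7:53812 -> 192.0.2.53:53 dropped by fw_send_log_drop Reason: Address spoofing;
"""

# One traceroute hop line: TTL number followed by either addresses/timings or "* * *".
HOP_RE = re.compile(r"^\s*(\d+)\s+(.+)$")


def classify_traceroute(output: str) -> dict:
    """Parse traceroute output and report which hop answered first.

    If even hop 1 is '* * *', the default gateway never returned ICMP time-exceeded,
    so the place to look is the gateway itself (ICMP permit/log, drop debug), not the
    path beyond it.
    """
    first_reply: Optional[int] = None
    hop_count = 0
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or trailing text such as "etc..."
        hop_count += 1
        ttl, body = int(m.group(1)), m.group(2)
        answered = any(token != "*" for token in body.split())
        if answered and first_reply is None:
            first_reply = ttl
    if hop_count == 0:
        verdict = "no hops parsed"
    elif first_reply is None:
        verdict = "no hop replied: check the default gateway (ICMP permit/log, drop debug)"
    elif first_reply == 1:
        verdict = "gateway replied: the gateway answers ICMP, look at the path beyond it"
    else:
        verdict = f"gateway silent but hop {first_reply} replied: gateway forwards but does not answer ICMP"
    return {"hops": hop_count, "first_reply_hop": first_reply, "verdict": verdict}


# Loose pattern for the packet tuple and reason in a drop-debug line.
DROP_RE = re.compile(
    r"proto=(\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+dropped by\s+(\S+)\s+Reason:\s*(.*?);?\s*$"
)


def drops_for_destination(debug_output: str, dst_ip: str) -> list:
    """Return the drop-debug entries whose destination address equals dst_ip."""
    hits = []
    for line in debug_output.splitlines():
        m = DROP_RE.search(line)
        if not m or m.group(4) != dst_ip:
            continue
        proto, src, sport, dst, dport, func, reason = m.groups()
        hits.append({
            "proto": int(proto), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "dropped_by": func, "reason": reason,
        })
    return hits


if __name__ == "__main__":
    print(classify_traceroute(TRACEROUTE_ALL_STARS)["verdict"])
    print(classify_traceroute(TRACEROUTE_GATEWAY_REPLIES)["verdict"])
    for hit in drops_for_destination(ZDEBUG_DROP_SAMPLE, "35.241.38.148"):
        print(f"proto {hit['proto']} {hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']}: {hit['reason']}")
```

In practice you would paste the workstation's traceroute into `classify_traceroute` and, on the gateway, capture `fw ctl zdebug + drop` for a few seconds while the user retries, then feed that capture to `drops_for_destination` with the resolved address. An empty result from the second step while the traceroute still shows only stars points away from an explicit drop and toward the gateway simply not answering (or not logging) ICMP, which is what the last reply asks about.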
