This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Sam_Ponder
Participant
‎2021-10-08 05:37 AM

Management server behind a gateway managed by a different management server

Hi All - 

What is the best way of setting up the firewall rules/controls for a management server(6000) to manage external gateways, that is sitting behind a gateway managed by a different management server(410)?

I have tried to allow any service to/from the 6000 to/from the remote gateway and the 410 is showing allows to the traffic in the logs. However, in the logs in the 6000, I'm seeing drops due to "First packet isn't SYN".

 

Any suggestions? I have not opened a ticket yet but thought I would go this route first, in case I was missing something little.

Attached a simple diagram to incase I didn't describe it properly.

Thanks in advance.

Sam

cp-fw.jpg

 

 

0 Kudos
6 Replies
the_rock
Champion
Champion
‎2021-10-08 06:09 AM

Just to make sure I understand this right, based on your diagram, you want smart-1 6100 to be able to manage fw labeled "remote fw", right? But, the 6100 mgmt server sits behind the fw cluster thats managed by 410 server, correct?

If what I said is right, can you do capture on fw cluster and see whats happening with the traffic? First packet isnt SYN can mean asymetric routing, that it might not be part of an existing connection...maybe try turn off securexl on the fw just to be sure thats not causing the problem. I would definitely run fw monitor on the fw side to confirm why this is happening.

Andy

0 Kudos
Sam_Ponder
Participant
‎2021-10-08 06:27 AM
In response to the_rock

Yes.. you understood me correctly Andy. 

Thanks for the suggestions. I will let you know. 

G_W_Albrecht
Legend
Legend
‎2021-10-08 06:25 AM

In which logs of the 6000 SMS are you seeing drops due to "First packet isn't SYN".? It shows up in GW logs, so much i know.

CCSE CCTE SMB Specialist
0 Kudos
Sam_Ponder
Participant
‎2021-10-08 09:15 AM
In response to G_W_Albrecht

the drops show in both the logs and the zdebug command.

0 Kudos
Sam_Ponder
Participant
‎2021-10-08 09:38 AM

When I did a fw monitor on the gateway, it seems to be trying to communicate with the internal IP of the mgmt appliance instead of the public/nat'd IP. 

I remember working a ticket once where we manually edited a conf file on the gateway to point it at a different IP. Does anyone know which file that is?

When I first joined this gateway to the mgmt appliance it was on the internal network of the management appliance. The gateway seems to only know this internal IP and not the external. SIC communicates just fine and have also re-established it. I have event removed the gateway from the 6000 and readded it back. The Gateway is still using the internal IP address to try to get policy from.

Suggestions?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-10 04:13 PM
In response to Sam_Ponder

$FWDIR/conf/masters.
But see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos