This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SantiagoPlatero
Collaborator
‎2019-03-19 05:21 AM

Static NAT behind transparent firewall problem

Hi community, looking good the new UI. 

First to clear the field, a quick and dirty network diagram:

 

Internet ---- < FortiGate F50 WAN interface >

                                             | |

                        < FortiGate F50 LAN interface > ---- < L2 switch > ---- < R80.20 open server external interface >

                                                                                                                \---- < other routers and devices >

 

The F50 is in transparent mode, is only logging traffic flows and it has only two rules accepting all kinds of traffic:

- src: any, dst: any, service: any incoming from the LAN to the WAN
- src: any, dst: any, service: any incoming from the WAN to the LAN

On the DMZ zone of my R80.20 I have a webserver with a static NAT configured. The issue, in this scenario, I don't have access to this webserver from outside. I see logs of the incoming traffic on the R80.20, but no traffic is seen on the webserver (I checked out with a tcpdump). If I remove the FortiGate, the problem is gone and everything works fine.

Other services connected to the L2 switch works just fine, including a S2S IPSec VPN using a Cisco ASA. The only issue is with the R80.20 when I put the F50 in the middle of it.

Maybe an ARP issue? I don't know where to start to look.

 

Thanks all

0 Kudos
4 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-03-19 06:40 AM

When the F50 is inline and you are running your tcpdump, include the -e option and check the destination MAC address on the incoming frames.  My guess is that it does not match the firewall's MAC address so while the traffic is being shown by the tcpdump in promiscuous mode, the frame is not actually being sent up to the INSPECT driver for handling because the firewall's Ethernet driver does not believe that packet is actually destined for the firewall.  You can confirm this with fw monitor, which in this case would not show the inbound packet hitting the i inspection point at all. 

If the packet is showing up in fw monitor, next step will be to run fw ctl zdebug drop to determine why the INSPECT driver is dropping it.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
SantiagoPlatero
Collaborator
‎2019-03-19 08:00 AM
In response to Timothy_Hall

Well, I ran the fw monitor on the gateway and tcpdump on the webserver but when I was going to try accessing the server from outside... It worked!

I'm like this 0.o
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-03-19 08:08 AM
In response to SantiagoPlatero

Does it only work when the tcpdump is running and stops working when the tcpdump is no longer running?

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
SantiagoPlatero
Collaborator
‎2019-03-19 08:11 AM
In response to Timothy_Hall

Oh no, no, is working and I didn't change a thing. To summarize:

- Yesterday: put the F50 in between, the webserver stops working. So I remove the F50 as that webserver is business critical.
- Today: put the F50 in between again to do the tcpdump and fw monitor, the webserver keeps working ok.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events