Re: Testing for Outbound connection

cm_d1 · ‎2019-11-14

I was given task to set a rule for an SFTP connection for a client,

Note: They are only meant to connect to us

I have action the request.

I have ran the tcpdump -n -i (interface) (ip address) and the client said they can only see one way traffic.

what command can i run to test for the ACK packet, if what they seeing its only the SYN packet

Hope i have explained well

PhoneBoy · ‎2019-11-14

If there was an ACK packet, you would also see it with the same command.
What if you check the expected egress interface?
Do you see the SYN packet there as well?

This may be a routing issue elsewhere in the environment…or something else.

cm_d1 · ‎2019-11-14

Thanks for your response.

I agree that I should see the ACK with the same but its only showing the S

What if you check the expected egress interface?....How do i check this

If its a routing issues, what steps would i take to identify and rectify the issue.

And will it affect other rules?

PhoneBoy · ‎2019-11-15

Can you initiate an SFTP connection to the relevant server from the gateway itself?
What interface does that traffic go out? Check the routing table of the gateway.

Routing generally has nothing to do with the security policy rules you've defined.
If there's an issue, it has to be figured out hop-by-hop as a misconfiguration at any point will cause failures.

cm_d1 · ‎2019-11-15

Played around with the IPv4 Static routes

Ran the below check

Expert@Checkpoint-XZC:0]# tcpdump -i eth3 | grep XX8.XX5.XX8.2XX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
18:13:51.047231 IP 2XX.2XX.75.1XX.ssh > XX8.XX5.XX8.2XX.57432: S 1678793454:16787
93454(0) ack 1363649234 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 2194787
27 825053811>
18:13:57.063198 IP XX2.1X8.XX2.X9.ssh > XX8.XX5.XX8.2XX.57432: S 1678793454:16787
93454(0) ack 1363649234 win 65535 <mss 1460,sackOK,timestamp 219479328 825053811
>
18:15:51.333489 IP 2XX.2XX.75.1XX.ssh > XX8.XX5.XX8.2XX.40193: R 3044535315:30445
35315(0) win 0
18:15:52.098913 IP XX8.XX5.XX8.2XX.36169 > 2XX.2XX.75.1XX.ssh: S 877541626:877541
626(0) win 29200 <mss 1460,sackOK,timestamp 825084874 0,nop,wscale 1>
18:15:52.099886 IP 2XX.2XX.75.1XX.ssh > XX8.XX5.XX8.2XX.36169: S 2223948158:22239
48158(0) ack 877541627 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 21949083
1 825084874>
18:15:55.098997 IP 2XX.2XX.75.1XX.ssh > XX8.XX5.XX8.2XX.36169: S 2223948158:22239
48158(0) ack 877541627 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 21949113
1 825084874>
18:16:01.099267 IP XX2.1X8.XX2.X9.ssh > XX8.XX5.XX8.2XX.36169: S 2223948158:22239
48158(0) ack 877541627 win 65535 <mss 1460,sackOK,timestamp 219491731 825084874>

2XX is the source IP

1XX is the Natted IP

X9 is the Gateway

is there an ACK connection?

Nick_Doropoulos · ‎2019-11-15

Hello,

Could you please use the commands mentioned and advise results again?

Also, if you use the fw monitor command and then configure Wireshark to display fw monitor's output as per instructions you should see the way that the traffic is going through all inspection points (oOiI).

PhoneBoy · ‎2019-11-15

The output doesn't make any sense because you've not consistently obscured the different IPs.
But what I see are SYN ACK (which I assume are coming from the server) followed by a RST 15 seconds later.

Also if you want to see packet captures to/from specific hosts, it's best to actually make this part of your query rather than using grep.
Recommend checking out https://tcpdump101.com/ to learn the correct syntax.

mdjmcnally · ‎2019-11-14

What Interface and What IP looking for

If two companies then silly question but where BOTH locations firewalls updated?

cm_d1 · ‎2019-11-14

Thanks for your response

Its between two companies and the firewalls have been updated to allow the change.

There is a contact flow of traffic from the other company and i can see them on the smart logs.

but there has not been any ACK if i check for outbound traffic

Nick_Doropoulos · ‎2019-11-15

Hello,

The way I would start with this would be to check the firewall's version with the following command:

1) fw ver

If it's R80.10 and below, proceed to step 2. If it's R80.20 and above, proceed to step 4.

2) fwaccel stat
3 )fwaccel off (if it's on)

4) You can run either one of the following commands to capture ack traffic:

tcpdump -i any 'tcp[tcpflags] == tcp-ack' and host <interesting IP address> -w /var/tmp/ack_traffic.pcap

or

fw monitor -e "host(interesting IP address), ip_p = 6, ack, accept;" -o /var/tmp/fwmon_traffic.pcap

5) Replicate the issue

6) fwaccel on - To re-enable SecureXL
7) fwaccel stat - To verify SecureXL has been re-enabled.

😎 Analyse the collected packet capture on Wireshark. If you used the fw monitor tool, you can follow sk39510 in order to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet.

I hope this helps.

Nick_Doropoulos · ‎2019-11-15

P.S. I don't know why but Step 8 is converted into a cool smiley with sunglasses on. Tried to edit the post and it's still there.

Strange...

PhoneBoy · ‎2019-11-15

Auto-emoji, which I thought I turned off... 🙄

Are you a member of CheckMates?

Testing for Outbound connection