This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christopher_Kon
Participant
‎2019-03-04 12:02 PM

Traffic matching an accept rule is dropped, log shows it hitting implied rule 0

Some of our previously accepted web traffic outbound is dropped on an accept rule, according to 

fw ctl zdebug drop | grep 207.54.179.36. This is a Hyland Systems Training website. in SmartConsole, the logs show an accept over implied rule 0, but the site never loads, and the origin/source is the NAT IP of our firewall, and not the User with the correct source IP. This seems to only occur over port 443, as port 80 is still rejected, but shows the correct source and user. We have updated IPS twice, and upgraded from take 154 to take 169 and then to take 189 (latest) on the firewalls as well as the management server. 

Our security layer (the one with the accept) is now showing a drop on rule 6 in the debug log via the CLI on the gateway. Most websites seem to be fine, we noted most of the sites affected were hosted on AWS, and from what i've seen on forums, everything from IPS, Inspection Settings, GZIP exceptions have all been the cause for some people. I found this https://community.checkpoint.com/thread/8977-drops-on-accept-rule  forum entry which seems to align with our current problem. We have a case open with TAC but they so far appear to be baffled.

Any thoughts would be appreciated. We are in a clustered environment where we have tried failovers, cpstart/stop and a rule clone to change the UUID and "refresh" the hits, all to no avail. Currently running R80.10 Take 189

0 Kudos
4 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-03-05 06:59 AM

The reason for the drop stated by fw ctl zdebug drop is just the rule number?  Anything else?

Please provide output of the enabled_blades command.  The IP of the firewall showing up in the source may imply some kind of proxying being done by the firewall, possibly in the context of HTTPS Inspection or some other blade.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Christopher_Kon
Participant
‎2019-03-05 07:15 AM

Timothy Hall

Thanks for the reply. My apologies. The full output of the syntax of the debug log is: [cpu_22];[fw4_34];fw_log_drop_ex: Packet proto=6 xxx.xx.xx.xx:57695 -> 18.234.32.151:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Perimeter-Policy Security" rule 6;
;[cpu_38];[fw4_2];fw_log_drop_ex: Packet proto=6 xxx.xx.xx.xx:57696 -> 18.234.32.151:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Perimeter-Policy Security" rule 6;

Security policy rule 6 is our accept rule for Outbound Web Access. The site I used that is also (ironically) having the issue is status.checkpoint.com

Enabled_Blades output fw vpn cvpn urlf av appi ips identityServer SSL_INSPECT anti_bot vpn

thanks again. We do have HTTPS inspection rolled out and inspecting, and we found last night that adding sites to an HTTPS bypass rule "fixes" this issue. But why would HTTPS inspection suddenly and randomly break a site that was working without any HTTPS/SSL validation/trust issues? 

**edit, the X's show the internal/LAN IP of the firewall as the source, and the log in SmartConsole shows the NAT/External IP of the active firewall.

Timothy_Hall
Legend Legend
Legend
‎2019-03-05 07:02 PM
In response to Christopher_Kon

Unfortunately lots of things can cause issues with sites having their HTTPS traffic inspected; the site may have changed something like required cipher suites that the firewall cannot support.  Keeping up with Jumbo HFAs is very important if using HTTPS Inspection for this reason, but it sounds like you have already taken care of that.

I'm assuming the problematic site does not come up at all, if so the initial HTTPS/TLS negotiations between the firewall and the site are probably failing.  This negotiation takes place in process space via wstlsd, would be worth a shot to take a look in $FWDIR/log/wstlsd.elg to see if any error messages are getting written in there when you try to access the site without a bypass.  Next step will be enabling a debug on wstlsd so you can see what specific problem it is having with that site, see:

sk105559: How to debug the WSTLSD daemon

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Christopher_Kon
Participant
‎2019-03-14 05:14 AM
In response to Timothy_Hall

Timothy,

 

 

Thanks for all your help on this. after debugging this and grinding this one out, it was discovered as a bug in take 189. one of the kernel.conf files has a value that has something about probe bypass and this is usually set to "fail-open" but the JHF changed it to "fail-close". Here are the commands:

 

fw ctl set int bypass_on_enhanced_ssl_inspection 1      and to permanently enable this feature through a reboot:

 

In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

 

after a reboot of the associated gateways, things are now working as intended in our Disaster Recovery cluster. we plan to move these changes to Prod next week, barring any issues over the weekend.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events