I lost communication with a Check Point open server gateway running R77.30 after installing a simple policy where I allowed a service.
I cannot ping the LAN interfaces, even from the LAN network.
Has anyone faced this problem?
After that I ran the fw unloadlocal command on the gateway. At this moment I can ping the branch Check Point gateway from the branch LAN, but traffic does not pass to the center.
The routes and everything else are OK; the gateway firewall just does not let traffic pass from the LAN.
The license of this gateway firewall is more than 10 years old but never expires. Does it have to do with the license?
Are you attempting to ping from a directly connected subnet or elsewhere? Was the gateway rebooted?
The "fw unloadlocal" command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the Security Gateway (Cluster Member).
Note: R77.30 is no longer supported; please refer to:
https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support
Thanks Chris, I ping from the LAN network directly connected to the Check Point gateway.
I also rebooted, but the problem is the same.
I am facing the same problem with 3 other open server gateways running R77.30.
After policy install they do not let traffic pass, and there are no logs for the traffic.
You have an antispoofing problem. Correct your interface and topology settings on your gateway object(s), run fw unloadlocal on the gateways, then reinstall policy to them.
Hi Timothy
I have faced the same problem with 3 Check Point open server gateways running R77.30.
At the moment I installed the new policy, communication with the gateway was lost, and even from the directly connected local LAN I cannot ping the local Check Point gateway.
Does it have to do with the license or the version R77.30? Those security gateways have been licensed since 2012 and the license says never.
I cannot find the reason why it happened within a short time with three gateways after policy install. All of them are R77.30 and licensed since 2012, only FW, VPN, IA.
It is not your license, it is your topology definitions. After installing policy to your gateway and things aren't working, run these commands:
Just do a basic zdebug command on the fw when you have this issue... yeah, R77.30 has not been supported for a few years, but this has zero to do with the version :-). Anyway, say you are coming from 10.50.10.50 pinging the fw: when it fails, just ssh to the box and run the below from expert mode:
fw ctl zdebug + drop | grep 10.50.10.50
Then observe the drops; it would show you the behavior.
You can also do the following:
fw monitor -e "accept host(10.50.10.50) and icmp;"
Hope those help.
Andy
Whilst I agree with @Timothy_Hall, can you also confirm the JHF/Jumbo used with these gateways and do they use proxy-arp?