ilirz
Participant

Can't ping gateway firewall even though I installed an any-to-any policy

I lost communication with a Check Point open server gateway R77.30 after installing a simple policy where I allowed a service.

I cannot ping even from the LAN network to the LAN interfaces.

Has anyone faced this problem?

After that I ran the fw unloadlocal command on the gateway; at this moment I can ping the Check Point gateway at the branch from the branch LAN, but it does not pass traffic to the center.

The routes and everything else are OK; the gateway firewall just does not let traffic pass from the LAN.

The license of this gateway firewall is more than 10 years old but never expires. Does it have to do with the license?

 

0 Kudos
7 Replies
Chris_Atkinson
Employee

Are you attempting to ping from a directly connected subnet or elsewhere? Was the gateway rebooted?

The "fw unloadlocal" command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the Security Gateway (Cluster Member).

Note: R77.30 is no longer supported; please refer to:

https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support 

CCSM R77/R80/ELITE
0 Kudos
(1)
ilirz
Participant

Thanks Chris, I ping from the LAN network directly connected to the Check Point gateway.

I rebooted also, but the same problem.

I am facing the same problem with 3 other open server gateways on R77.30.

After policy install they do not let traffic pass, and there are no logs for the traffic.

0 Kudos
Timothy_Hall
Legend

You have an anti-spoofing problem. Correct your interface and topology settings on your gateway object(s), run fw unloadlocal on the gateways, then reinstall policy to them.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
ilirz
Participant

Hi Timothy,

I have faced the same problem with 3 Check Point open server gateways on R77.30.

At the moment I installed the new policy, communication with the gateway was lost, and even from the directly connected local LAN I cannot ping the local Check Point gateway.

Does it have to do with the license or the version R77.30? Those security gateways have been licensed since 2012 and the license says "never".

I cannot find the reason why it happened in a short time with three gateways after policy install; all of them are R77.30 and licensed since 2012 with only FW, VPN, IA?

0 Kudos
Timothy_Hall
Legend

It is not your license, it is your topology definitions. After installing policy to your gateway, when things aren't working, run these commands:

fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off; fwaccel off; fwaccel on

Do things work now? It is your topology definitions that have a problem; your issue has nothing to do with your license.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
the_rock
Legend

Just run a basic zdebug command on the fw when you have this issue... yeah, R77.30 has not been supported for a few years now, but this has zero to do with the version :-). Anyway, say you are coming from 10.50.10.50 pinging the fw; when it fails, just ssh to the box and run the below from expert mode:

fw ctl zdebug + drop | grep 10.50.10.50

Then observe the drops; it would show you the behavior.

You can also do the following -> fw monitor -e "accept host(10.50.10.50) and icmp;"

Hope those help.

Andy

0 Kudos
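To make the "observe the drops" step above less manual, here is an added example (not code from the poster or from Check Point) that parses captured `fw ctl zdebug + drop` output and reports which drops are anti-spoofing drops, the symptom Timothy_Hall describes. The sample lines are constructed and their format is assumed from typical fw_log_drop_ex messages; adapt the regex if your gateway prints them differently.

```python
import re
from collections import Counter

# Constructed sample of "fw ctl zdebug + drop" output. The line format is
# assumed from typical fw_log_drop_ex messages, not captured from the
# poster's gateway; the addresses are made up.
SAMPLE_ZDEBUG = """\
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 10.50.10.50:8 -> 10.50.10.1:0 dropped by fw_antispoof_log Reason: Address spoofing;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 10.50.10.50:51234 -> 192.168.1.10:443 dropped by fw_antispoof_log Reason: Address spoofing;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 10.50.10.77:5353 -> 224.0.0.251:5353 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 5;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=1 172.16.5.5:8 -> 10.50.10.1:0 dropped by fw_antispoof_log Reason: Address spoofing;
"""

DROP_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+dropped by (?P<func>\S+)"
    r"\s+Reason:\s*(?P<reason>[^;]+)"
)

def parse_drops(text):
    """Extract one dict per drop line; lines that do not match are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["reason"] = d["reason"].strip()
            drops.append(d)
    return drops

def summarize(text, src_filter=None):
    """Count drops by reason; src_filter mimics the '| grep 10.50.10.50' in the post."""
    drops = parse_drops(text)
    if src_filter:
        drops = [d for d in drops if d["src"] == src_filter]
    by_reason = Counter(d["reason"] for d in drops)
    spoofed = Counter(d["src"] for d in drops if "spoof" in d["reason"].lower())
    return {"total": len(drops), "by_reason": by_reason, "spoofed_sources": spoofed}

def looks_like_topology_problem(summary):
    """True when anti-spoofing is the dominant drop reason, which points at the
    gateway object's interface/topology definitions rather than the rulebase."""
    if summary["total"] == 0:
        return False
    spoof_drops = sum(n for r, n in summary["by_reason"].items() if "spoof" in r.lower())
    return spoof_drops * 2 > summary["total"]
```

Capture the zdebug output to a file on the gateway, then feed its contents to `summarize()`; a result dominated by "Address spoofing" with your LAN hosts under `spoofed_sources` confirms the topology diagnosis before you touch the gateway object.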
Chris_Atkinson
Employee

Whilst I agree with @Timothy_Hall,

can you also confirm the JHF/Jumbo used with these gateways, and do they use proxy-arp?


CCSM R77/R80/ELITE
0 Kudos
