
Packet is dropped. I do not know what the reason is.

Hi CP engineers!

Test environment

Version: MGMT (R80.20), FW (R80.10), both without JHF

Model: MGMT (Dell OpenServer), FW (SG5x00)

I am having a very odd experience with a packet drop on a Check Point firewall.

1. I made a rule to pass the packet.

2. I also made a manual NAT rule to translate the packet.

3. When I executed the commands "fw ctl zdebug + drop" and "fw monitor -e", I saw that the packet is dropped.

Below are the things I've done. (Rule numbers are examples.)

1. When tested only with Manual NAT, the packet is dropped.

-> Manual NAT Rule 10

2. When I added an Automatic NAT rule and deleted the Manual NAT rule, the packet was passed.

-> Because of Automatic NAT Rule 20; no Manual NAT exists

3. When I added a Manual NAT rule identical to the Automatic NAT rule, the packet was passed.

-> Manual NAT only (NAT Rule 10), Automatic NAT (NAT Rule 20)

The packet is passed because of NAT Rule 10 (Manual NAT).

When I add only the Manual NAT rule, I think the action should work correctly. But if the Automatic NAT rule does not exist, the Manual NAT rule is not applied and the packet is dropped because of NO MATCH rule. I do not know what the reason is.

I have uploaded the zdebug result and the NAT table as files.
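To make "fw ctl zdebug + drop" output like the one attached to the post easier to reason about, here is an added Python example (not from the original thread and not a Check Point tool) that parses drop lines and groups them by drop category, layer and rule number, so that "Rulebase drop - NO MATCH" style drops can be separated from other causes such as anti-spoofing. The sample lines are constructed, and the line layout is an assumption that approximates the kernel debug format; adjust the regular expressions to match the real output of your gateway.

```python
import re
from collections import Counter

# Constructed sample of "fw ctl zdebug + drop" output (not captured from the
# poster's gateway). The layout is an assumption approximating the real format.
SAMPLE_ZDEBUG = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.10.10:51234 -> 203.0.113.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 20;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.10.10:51235 -> 203.0.113.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 20;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.168.5.7:5353 -> 224.0.0.251:5353 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 37;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 198.51.100.9:40000 -> 10.10.10.10:22 dropped by fw_antispoof_check Reason: Address spoofing;
;[cpu_1];[fw4_0];some unrelated debug line that is not a drop;
"""

# One drop record per "Packet ... dropped by ... Reason: ...;" fragment.
DROP_RE = re.compile(
    r"Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+);"
)
# Rulebase drops carry the layer name and rule number inside the reason text.
RULE_RE = re.compile(r'on layer "(?P<layer>[^"]+)" rule (?P<rule>\d+)')


def parse_drops(text):
    """Return one dict per drop line; lines that are not drops are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["reason"] = rec["reason"].strip()
        # "Rulebase drop - on layer ..." -> category "Rulebase drop";
        # "Address spoofing" has no " - " and is kept whole.
        rec["category"] = rec["reason"].split(" - ")[0]
        r = RULE_RE.search(rec["reason"])
        rec["layer"] = r.group("layer") if r else None
        rec["rule"] = int(r.group("rule")) if r else None
        drops.append(rec)
    return drops


def drops_for_host(drops, ip):
    """Keep only drops where the given address is source or destination."""
    return [d for d in drops if ip in (d["src"], d["dst"])]


def summarize(drops):
    """Count drops by (category, layer, rule) so the offending rule stands out."""
    return Counter((d["category"], d["layer"], d["rule"]) for d in drops)


if __name__ == "__main__":
    all_drops = parse_drops(SAMPLE_ZDEBUG)
    for key, n in summarize(drops_for_host(all_drops, "10.10.10.10")).items():
        category, layer, rule = key
        where = f'layer "{layer}" rule {rule}' if rule is not None else "no rule"
        print(f"{n:3d}  {category} ({where})")
```

Run against a real capture, the summary tells you immediately whether the host's traffic is hitting a rulebase drop (and on which rule, which you can then compare with the rule number shown in SmartConsole) or is being dropped for another reason before the rulebase is consulted at all.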

4 Replies

Re: Packet is dropped. I do not know what the reason is.

Try this capture, then you will see where it's dropped:
#fw monitor -e "(src=10.10.10.10) or (dst=10.10.10.10),accept;" -p all
If you want to examine it in Wireshark or some other tool, you can add the option below to write the output to a file:

-o /tmp/capture.cap

0 Kudos

Re: Packet is dropped. I do not know what the reason is.

But the drop reason is Rulebase drop - NO MATCH. So what does your firewall rule look like? Are you using your internal IP address or your NAT address?

BTW, if it's not matching any rules... don't you have a cleanup rule? As far as I know it's recommended and best practice (or at least it was; unsure if it changed in R80...).

0 Kudos
Admin

Re: Packet is dropped. I do not know what the reason is.

A cleanup rule is still added in R80.x, though whether it is an "Accept" or "Drop" depends on how the layer is configured.

Further, if you do not have an explicit cleanup rule, you will see the "implicit" cleanup rule show up as a comment at the end of the rulebase with a note the traffic will NOT be logged.

0 Kudos

Re: Packet is dropped. I do not know what the reason is.

A rule for the packet exists at number 20.

I made the rule with the internal IP.