This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jon_AK
Contributor
‎2023-05-11 05:52 AM
Jump to solution

Correct Configuration Of Port Forwarding

Good morning.  Since installing our 1575 & creating a server object to forward http requests to, all has been good up until about 2 weeks ago.  Our website runs under Server 2019 w/IIS 10 & all of a sudden it stopped answering the call of duty.  I have since been working to correct this but just ran out of things to look for.  The monitoring screen of the appliance shows what appears to be port 80 being forwarded to the server & Wireshark confirms that the packets are reaching the server.  I want to begin the search again starting at the entry point to our network & want to ensure that my settings for port forwarding are correct.  I have attached a PDF depicting the settings I created in the appliance.  If you have a moment, please take a peek & see if they are correct.

Preview file
567 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-05-11 05:22 PM
In response to Jon_AK
Jump to solution

No, this is precisely the use case for a Server object.
Recommend a TAC case: https://help.checkpoint.com

View solution in original post

0 Kudos
11 Replies
G_W_Albrecht
Legend
Legend
‎2023-05-11 06:12 AM
Jump to solution

They look correct - hide behind GW and port 80 / 443. What was the last change before it ceased to work ? What can be found in the Webserver logs, compared to the time all still worked ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Jon_AK
Contributor
‎2023-05-11 06:34 AM
In response to G_W_Albrecht
Jump to solution

The webserver logs are all the same, they only show successful activity.  There is no indicator in the server event viewer logs of any failures.  The IIS website has a couple rules in the URL Rewrite module, one that creates a reverse proxy & another that redirects from http to https.  The website is part of a ERP & so the local LAN accesses it via the same www address & that part of it works without issue.  With the local LAN connection, the 1575 activity clearly shows the incoming http request, going back out & then coming back in as a https request.  I seriously do not believe the malfunction is with the appliance but either with IIS or the ERP that houses the website. There are no logs to view within the ERP but, it seems to function just fine within the local LAN.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-05-11 06:48 AM
In response to Jon_AK
Jump to solution

Was remote access VPN recently enabled on the appliance?

If yes please search the device advanced settings for: "reserve port 443"

 

CCSM R77/R80/ELITE
0 Kudos
Jon_AK
Contributor
‎2023-05-11 07:02 AM
In response to Chris_Atkinson
Jump to solution

No, I have not ventured that far with the appliance but, it is one thing that will be turned on at some point.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-05-11 08:04 AM
In response to Jon_AK
Jump to solution

I would involve CP TAC - working for a time, then not working without any changes is strange at least...

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-11 12:33 PM
Jump to solution

How precisely is the Port Forwarding configured?
If the IP involved is the WAN IP of the gateway, you need to use a Server object (not the NAT rulebase) to do this.

0 Kudos
Jon_AK
Contributor
‎2023-05-11 02:07 PM
In response to PhoneBoy
Jump to solution

I did create it as a server object based upon what I read here in previous topics dealing with port forwarding.  The IP address I set is the internal IP address of the server.  Should this have been created using a NAT rule instead?  It sounded to me that based upon the incoming port by the caller, if it matched 80 or 443, the 1575 would port forward the call automatically.  It has been working like this for a while.  Certainly a lot to understand the operational characteristics of this 1575 that I keep trying to squeeze in among everything else.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-11 05:22 PM
In response to Jon_AK
Jump to solution

No, this is precisely the use case for a Server object.
Recommend a TAC case: https://help.checkpoint.com

0 Kudos
Jon_AK
Contributor
‎2023-05-16 03:26 PM
In response to PhoneBoy
Jump to solution

Have an update on this.  Spent almost 2 hours with a CP tech today.  The issue is still under investigation but after reviewing the logs with him, the 1575 appliance is forwarding the incoming port 80 HTTP requests to the web server but, it is forwarding them on a random TCP port.  The IIS website is bound to port 80 & 443 so, I (we) are assuming that the port forward will not be answered by IIS due to it not being on the correct port.  Kind of befudding....

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-16 03:35 PM
In response to Jon_AK
Jump to solution

It definitely should not forward to a random TCP port.
Sounds like a bug.

0 Kudos
Jon_AK
Contributor
‎2023-05-16 05:23 PM
In response to PhoneBoy
Jump to solution

So, am I correct in stating that within the CP server document in Access Policy settings, when the server is configured as a Web Server with ports 80 & 443 assigned, when the appliance receives a call on port 80, the appliance is supposed to forward that call to the web server on the same port?  As it is now, it comes in on port 80, gets forwarded to the server but it gets sent to the server on some other random port number.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events