This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JDCasCruz
Contributor
‎2024-11-29 06:05 AM

Quantum Spark is forwarding traffic to eth0 interface

Hello team,

I have recently been checking some traffic on my Quantum Spark (SMB) #, then I noticed that the traffic comes in on the WAN interface, then it is forwarded to the LAN interface, but then it seems to be forwarded again, but to the eth0 interfa
When the traffic is outgoing, this behavior is not evident. I attach a screenshot where you can see the above.
Why is the traffic being forwarded to the eth0 interface, is this the expected behavior? and finally, what are the eth0 and eth1 interfaces used for?
Please help me to understand this behavior.

Regards.

traffic_QS1800.png
Preview file
33 KB
0 Kudos
14 Replies
AkosBakos
Mentor Mentor
Mentor
‎2024-11-29 06:29 AM

Hi @JDCasCruz 

fw monitor shows tha same?

Try this: fw monitor -F "172.16.27.102,0,0,0,0"

Do you see the "plus" packet on eth0?

Ákos

----------------
\m/_(>_<)_\m/
JDCasCruz
Contributor
‎2024-11-29 07:54 AM
In response to AkosBakos

Hello @AkosBakos ,
When I use fw monitor it seems that the traffic goes from the WAN to the LAN, as you can see in the picture. But there is a lot of traffic when I check ifconfig or cpview, which is a bit strange.

Regards.

traffic_monitor.png
Preview file
26 KB
ifconfig_eth0.png
Preview file
17 KB
0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2024-11-29 11:06 AM
In response to JDCasCruz

Yes, but the offical packet capture tool is fw monitor

Maybe, the others are misleading in this scenario (because of the traffic is accelerated etc...) Unfortunately I don't have a SPARk appliance yet, but I am really curious now.

Otherwise which port is the eth0 on a Spark appliance? The ports are named like this LAN1-8, MGMT SYNC, aren't they?

But wait: the LAN7 and eth0 have the same MAC!

mac.png

...and the fw monitor shows the "normal" packet flow.

The SPARK experts will answer it soon. @G_W_Albrecht ?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend
‎2024-11-29 11:42 AM
In response to AkosBakos

I noticed that as well when I looked at it. I tagged Gunther, lets see if he can help 🙂

Andy

@G_W_Albrecht 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-11-29 02:16 PM
In response to AkosBakos

sk166552 explains the mac-address and likely the other interface reference to an extent.

"All LAN ports/switches share the same MAC address as they are connected via one internal port to the CPU."

CCSM R77/R80/ELITE
Chris_Atkinson
Employee Employee
Employee
‎2024-11-29 06:40 AM

Could you share the firmware version/build used with this appliance so we can check it further.

Is this a cluster or do you have any bridge configured?

CCSM R77/R80/ELITE
JDCasCruz
Contributor
‎2024-11-29 07:45 AM
In response to Chris_Atkinson

This is a cluster XL, actually is running R81.10.10 945 and it is centrally managed.
There is nothing configured in bridge mode.

Thanks for checking @Chris_Atkinson 

the_rock
Legend
Legend
‎2024-11-29 07:46 AM

I would do what @AkosBakos suggested as well.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-02 02:33 PM

I've never seen an explanation for this, but I assume it has to do with the fact LANx ports are switch ports that can be remapped.
eth0 is likely the "real" NIC with a single port.

As this has been the case for as long as I remember, my assumption is that this is expected behavior.

0 Kudos
JDCasCruz
Contributor
‎2024-12-03 08:04 AM
In response to PhoneBoy

I “understand” the idea that eth0 is the internal interface, then I think all traffic should be forwarded to that interface, but look at the image below, I'm doing a tcpdump capture, but now our network traffic has a VLAN tag, here I can't see the traffic on eth0, what's going on here?

And I have another question, what is the function of eth1, and how to use SND cores if all the traffic goes through a single interface?
Thanks for your help. @Chris_Atkinson 

traffic_monitor_with_tag.png
Preview file
65 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-03 01:47 PM
In response to JDCasCruz

Like I said, I have not seen any explanation of what these interfaces are actually used for.
Perhaps only certain traffic is forwarded to eth0, but don't know the specifics.

The LANx interfaces are "real" insofar as they have a specific driver loaded per ethtool and are listed in fw ctl iflist / fwaccel if.
The ethX interfaces use a different driver from the LANx interfaces and aren't listed in either the firewall or SecureXL.

0 Kudos
JDCasCruz
Contributor
‎2024-12-19 08:39 AM
In response to PhoneBoy

Hello @PhoneBoy ,

My question about eth0 and eth1 started because I am noticing some latency in the network when an SND core starts to have a high load. I increased the number of SND cores (now 3) but I still see that one SDN has the highest load. So I'm thinking, is there any way to use eth1 and do you think that using only eth0 generates the unbalanced utilization behavior of the SND cores?

Regards.

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2024-12-19 08:44 AM
In response to JDCasCruz

@JDCasCruz 

If the SNDs have high load, maybe you are facing performace issues.

What kind of hardwer is this cluster? And what is the overall throughput? How many cores do you have?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
JDCasCruz
Contributor
‎2024-12-19 09:11 AM
In response to AkosBakos

Hi @AkosBakos ,

It is a High Availability ClusterXL consisting of 2 QS 1800. The software is R81.10.10 945 and is centrally managed.

The QS 1800 has 12 cores, we are using 9 CoreXL and 3 as SND. Normally the throughput is about 1 Gbps, but as in all networks there are peaks that generate noticeable latency for users.

Regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top