This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2024-05-06 07:16 AM

Can not surf to a website

Hi

when trying to surf to a specific website i get this error "ERR_EMPTY_RESPONSE" on all browsers.

When I open the same website from a private PC (no firewall) then it works with no problem.

 

All logs are "Accept" but still getting "ERR_EMPTY_RESPONSE" on browsers

 

What should I troubleshoot when seeing this: ERR_EMPTY_RESPONSE  ?

 

0 Kudos
49 Replies
the_rock
MVP Gold
MVP Gold
‎2024-05-06 07:34 AM

Can you share what site? Is there ssl inspection involved?

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 07:44 AM
In response to the_rock

matematikxyz.com

matematikabg.se

HTTPS is not used

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 07:54 AM
In response to Moudar

Just tried both in lab with ssl inspection and without and worked fine. Can you confirm what this is set to now? Not sure if you changed it or not...

Andy

 

Screenshot_1.png

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 08:03 AM
In response to the_rock

it is "Allow all requests" in my case

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 08:07 AM
In response to Moudar

K, fair enough. Did you make custom category to allow the sites?

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 08:17 AM
In response to the_rock

I did not tested to add it there!

Should I add it as an IP address or as FQDN like *.matematikxyz.com ?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 08:28 AM
In response to Moudar

I would do both.

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 08:34 AM
In response to the_rock

I did both and did not get any hit on the rule!

i have also tested \/matematikxyz\.com and also no hit on the rule!

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 08:39 AM
In response to Moudar

I would add *matematikxyz* and 208.86.159.100

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 09:05 AM
In response to the_rock

tried both and not get a hit!

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 09:14 AM
In response to Moudar

If you filter logs for that destination IP, just do nslookup, make sure it resolved to same IP, what do you see?

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 08:54 AM
In response to Moudar

One thing I found super useful with these issues is press F12 when going to the site, so it gives you developer browser tool, it may show you if its trying to reach something else as well.

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 09:08 AM
In response to the_rock

cannot find weird things there! 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-06 10:40 AM

Let's start with basic information like: Version and JHF level of gateway and maangement.
The exact rules used to allow the traffic (with custom service definitions shown).
What shows in the access logs when you attempt to access these sites (full log card, not just the line in the logs list).

Please provide screenshots where appropriate and redact sensitive details.

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 10:45 AM
In response to PhoneBoy

I found this interesting thing on the log:

terminated.JPG

 

Product version Check Point Gaia R81.20
OS build 631
OS kernel version 3.10.0-1160.15.2cpx86_64
OS edition 64-bit

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 10:48 AM
In response to Moudar

That sk is essentially long way of telling you 3 way handshake is not completing...so doing fw monitor with -F flag would probably help.

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 10:51 AM
In response to the_rock

terminated1.JPG

If the Access Rulebase does not reach a final match on accept, a log appears with a new unique rule specific for this case 'CPNotEnoughDataForRuleMatch' and accept action. !

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 10:51 AM
In response to the_rock

how would the exact command look like? 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 10:54 AM
In response to Moudar

Lets assume your PC ip is 10.10.10.10

Idea is this fw monitor -F "srcip,srcport,dstip,dstport,protocol" -F "other way around"

example:

fw monitor -F "10.10.10.10,0,208.86.159.100,443,0" -F "208.86.159.100,0,10.10.10.10,443,0"

As you can see, I left src port and protocol as 0

Just replace 10.10.10.10 with your actual internal IP

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 11:01 AM
In response to the_rock 

[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29850
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29850
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29851
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29851
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29850
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29850
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29850
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29850
TCP: 10400 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29851
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29851
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29851
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29851
TCP: 10401 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29852
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29852
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29852
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29852
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29852
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29852
TCP: 10402 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29853
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29854
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29854
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29854
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29854
TCP: 10401 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_3] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29853
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29853
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29853
TCP: 10400 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29860
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29860
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29860
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29860
TCP: 10402 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29862
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29861
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_4] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29862
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29862
TCP: 64546 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29862
TCP: 10401 -> 443 .S.... seq=bc9f936c ack=00000000
[vs_0][fw_3] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29861
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29861
TCP: 64545 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][fw_3] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29861
TCP: 10400 -> 443 .S.... seq=3effd66b ack=00000000
[vs_0][ppak_0] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29863
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] bond0.586:I[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29863
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] eth1-01:o[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29863
TCP: 64547 -> 443 .S.... seq=50034dd9 ack=00000000
[vs_0][fw_2] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=29863
TCP: 10402 -> 443 .S.... seq=50034dd9 ack=00000000

where x.x.x.x my external IP address

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 11:06 AM
In response to Moudar

Can you run zdebug for that IP?

fw ctl zdebug + drop | grep 208.86.159.100

Seems nothing comes back at all.

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 11:16 AM
In response to the_rock

how to stop that command?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 11:16 AM
In response to Moudar

ctrl+C

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 11:19 AM
In response to the_rock

I ran it and it does not show anything?!

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 11:22 AM
In response to Moudar

See what below gives you.

Andy

ip r g 208.86.159.100

fw monitor -e "accept host(208.86.159.100);"

Run them while testing.

If still no good indication, I would work with TAC to see whay this fails. Its entirely possible it might not even be fw issue at all.

 

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 11:26 AM
In response to the_rock 

fw monitor -e "accept host(208.86.159.100);"
PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable
PPAK 0: Get before set operation succeeded of fwmonitorfreebufs
**************************************************************  NOTE  **************************************************************
*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***
************************************************************************************************************************************
 FW monitor will record only ip & transport layers in a packet
 For capturing the whole packet please do -w
PPAK 0: Get before set operation succeeded of fwmonitor_ppak_all_position
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
PPAK 0: Get before set operation succeeded of fwmonitormaxpacket
PPAK 0: Get before set operation succeeded of fwmonitormask
PPAK 0: Get before set operation succeeded of fwmonitorallocbufs
PPAK 0: Get before set operation succeeded of printuuid
[vs_0][fw_2] eth1-01:o[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=45969
TCP: 63904 -> 80 .S.... seq=8be1062c ack=00000000
[vs_0][fw_2] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=45969
TCP: 10531 -> 80 .S.... seq=8be1062c ack=00000000
[vs_0][fw_3] eth1-01:o[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=24958
TCP: 63905 -> 80 .S.... seq=5fcbd658 ack=00000000
[vs_0][fw_3] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=24958
TCP: 10532 -> 80 .S.... seq=5fcbd658 ack=00000000
[vs_0][fw_2] bond0.586:i[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5111
TCP: 63904 -> 80 F...A. seq=8ba1080b ack=521c5139
[vs_0][fw_2] bond0.586:I[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5111
TCP: 63904 -> 80 F...A. seq=8ba1080b ack=521c5139
[vs_0][fw_2] bond0.586:o[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=15623
TCP: 80 -> 63904 F...A. seq=521c5139 ack=8ba1080c
[vs_0][fw_2] bond0.586:O[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=15623
TCP: 80 -> 63904 F...A. seq=521c5139 ack=8ba1080c
[vs_0][fw_2] bond0.586:i[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5112
TCP: 63904 -> 80 ....A. seq=8ba1080c ack=521c513a
[vs_0][fw_2] bond0.586:I[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5112
TCP: 63904 -> 80 ....A. seq=8ba1080c ack=521c513a
[vs_0][fw_3] bond0.586:i[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=518 id=5113
TCP: 63905 -> 80 ...PA. seq=5f8bd659 ack=9a65b51e
[vs_0][fw_3] bond0.586:I[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=518 id=5113
TCP: 63905 -> 80 ...PA. seq=5f8bd659 ack=9a65b51e
[vs_0][fw_4] bond0.586:i[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=5114
TCP: 63911 -> 80 .S.... seq=40c42864 ack=00000000
[vs_0][fw_4] bond0.586:I[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=5114
TCP: 63911 -> 80 .S.... seq=40c42864 ack=00000000
[vs_0][fw_4] bond0.586:o[44]: 208.86.159.100 -> 10.8.0.48 (TCP) len=52 id=58482
TCP: 80 -> 63911 .S..A. seq=801041c3 ack=40c42865
[vs_0][fw_4] bond0.586:O[44]: 208.86.159.100 -> 10.8.0.48 (TCP) len=52 id=58482
TCP: 80 -> 63911 .S..A. seq=801041c3 ack=40c42865
[vs_0][fw_4] bond0.586:i[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5115
TCP: 63911 -> 80 ....A. seq=40c42865 ack=801041c4
[vs_0][fw_4] bond0.586:I[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5115
TCP: 63911 -> 80 ....A. seq=40c42865 ack=801041c4
[vs_0][fw_4] eth1-01:o[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=4771
TCP: 63911 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=4771
TCP: 10533 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] bond0.586:o[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=38379
TCP: 80 -> 63911 ....A. seq=801041c4 ack=40c42865
[vs_0][fw_4] bond0.586:O[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=38379
TCP: 80 -> 63911 ....A. seq=801041c4 ack=40c42865
[vs_0][fw_3] bond0.586:o[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=35826
TCP: 80 -> 63905 ....A. seq=9a65b51e ack=5f8bd837
[vs_0][fw_3] bond0.586:O[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=35826
TCP: 80 -> 63905 ....A. seq=9a65b51e ack=5f8bd837
[vs_0][fw_4] eth1-01:o[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=19659
TCP: 63911 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=19659
TCP: 10533 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] eth1-01:o[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=55643
TCP: 63911 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=55643
TCP: 10533 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_1] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29990
TCP: 60791 -> 80 .S.... seq=a69badea ack=00000000
[vs_0][fw_2] bond0.586:i[44]: 10.32.0.7 -> 208.86.159.100 (TCP) len=52 id=29991
TCP: 60792 -> 80 .S.... seq=1bf50b19 ack=00000000
[vs_0][fw_2] eth1-01:o[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=17949
TCP: 63904 -> 80 ..R... seq=8be1062c ack=00000000
[vs_0][fw_2] eth1-01:O[40]: x.x.x.x -> 208.86.159.100 (TCP) len=40 id=17949
TCP: 10531 -> 80 ..R... seq=8be1062c ack=00000000
[vs_0][fw_3] bond0.586:o[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=13781
TCP: 80 -> 63905 F...A. seq=9a65b51e ack=5f8bd837
[vs_0][fw_3] bond0.586:O[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=13781
TCP: 80 -> 63905 F...A. seq=9a65b51e ack=5f8bd837
[vs_0][fw_3] eth1-01:o[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5904
TCP: 63905 -> 80 ..R... seq=5fcbd658 ack=00000000
[vs_0][fw_3] eth1-01:O[40]: x.x.x.x -> 208.86.159.100 (TCP) len=40 id=5904
TCP: 10532 -> 80 ..R... seq=5fcbd658 ack=00000000
[vs_0][fw_3] bond0.586:i[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5116
TCP: 63905 -> 80 ....A. seq=5f8bd837 ack=9a65b51f
[vs_0][fw_3] bond0.586:I[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5116
TCP: 63905 -> 80 ....A. seq=5f8bd837 ack=9a65b51f
[vs_0][fw_3] bond0.586:i[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5117
TCP: 63905 -> 80 F...A. seq=5f8bd837 ack=9a65b51f
[vs_0][fw_3] bond0.586:I[40]: 10.8.0.48 -> 208.86.159.100 (TCP) len=40 id=5117
TCP: 63905 -> 80 F...A. seq=5f8bd837 ack=9a65b51f
[vs_0][fw_3] bond0.586:o[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=19925
TCP: 80 -> 63905 ....A. seq=9a65b51f ack=5f8bd838
[vs_0][fw_3] bond0.586:O[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=19925
TCP: 80 -> 63905 ....A. seq=9a65b51f ack=5f8bd838
[vs_0][fw_4] bond0.586:i[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=518 id=5118
TCP: 63911 -> 80 ...PA. seq=40c42865 ack=801041c4
[vs_0][fw_4] bond0.586:I[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=518 id=5118
TCP: 63911 -> 80 ...PA. seq=40c42865 ack=801041c4
[vs_0][fw_4] bond0.586:o[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=16547
TCP: 80 -> 63911 ....A. seq=801041c4 ack=40c42a43
[vs_0][fw_4] bond0.586:O[40]: 208.86.159.100 -> 10.8.0.48 (TCP) len=40 id=16547
TCP: 80 -> 63911 ....A. seq=801041c4 ack=40c42a43
[vs_0][fw_4] eth1-01:o[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=48507
TCP: 63911 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=48507
TCP: 10533 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] eth1-01:o[44]: 10.8.0.48 -> 208.86.159.100 (TCP) len=52 id=16296
TCP: 63911 -> 80 .S.... seq=41042864 ack=00000000
[vs_0][fw_4] eth1-01:O[44]: x.x.x.x -> 208.86.159.100 (TCP) len=52 id=16296
TCP: 10533 -> 80 .S.... seq=41042864 ack=00000000
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 11:31 AM
In response to Moudar

Can you output it into a file and attach here?

just run -o /var/log/capture.out at the end of the first command I gave

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-05-06 11:36 AM
In response to the_rock

ip r g 208.86.159.100 -o /var/log/capture.out
Error: inet prefix is expected rather than "-o".

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-06 11:37 AM
In response to Moudar

Thats not what I meant, see below

fw monitor -e "accept host(208.86.159.100);" -o /var/log/capture.out

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events