If you can get the capture file, please send it here. I can review it later.

Andy

I could not take the file out, but cat capture.out shows this weird text 

 cat capture.out
snoop            7   7   P    f9# 
icbond0.586 E  )=@  0Vd P^##ː<P
 O@       6   6   P    f9#  !Itbond0.586 E  (>@ m
 0Vd P^##ː<P
 O@       6   6   P    f9#  lo2bond0.586 E (@ RVd
 0 Pː<^#$P @@       6   6   P    f9#  tOhbond0.586 E (@ RVd
 0 Pː<^#$P @@       :   :   T    f9#         icbond0.586 E 4?@ m
 0Vd PI             :   :   T    f9# icbond0.586 E 4@@ m
 0Vd P             :   :   T    f9# Itbond0.586 E 4?@ m
 0Vd PI             :   :   T    f9#  o2bond0.586 E 4e@ PiVd
 0 P,׎Ì*       :   :   T    f9#  'Ohbond0.586 E 4e@ PiVd
 0 P,׎Ì*       6   6   P    f9#  icbond0.586 E  (A@ m
 0Vd PI,׏P       :   :   T    f9#  Itbond0.586 E 4@@ m
 0Vd P             6   6   P    f9#  Itbond0.586 E  (A@ m
 0Vd PI,׏P       :   :   T    f9# 
$o2bond0.586 E 4VX@ vVd
 0 P              :   :   T    f9# 
)o2eth1-01 f E 4@ o
 0Vd PI    "       :   :   T    f9# 
3Ohbond0.586 E 4VX@ vVd
Vd P              :   :   T    f9# 
:Oheth1-01 f E 4@ 4VPVd): PI    ad       6   6   P    f9# 
Co2bond0.586 E (@ 
Vd P,׏IP        6   6   P    f9# 
HOhbond0.586 E (@ 
 0 P,׏IP        :   :   T    f9# 
Oicbond0.586 E B@ k
 0Vd PI,׏Pؔ  GET      :   :   T    f9# 
hItbond0.586 E B@ k
 0Vd PI,׏Pؔ  GET      6   6   P    f9# 
icbond0.586 E  (C@ m
 0Vd PP
 7       6   6   P    f9# 
Itbond0.586 E  (C@ m
 0Vd PP
 7       :   :   T    f9# 
o2eth1-01 f E 4*@ i
 0Vd P-           :   :   T    f9# 
Oheth1-01 f E 4*@ .Vd); P-           6   6   P    f9# 
o2bond0.586 E (@ H Vd
 0 PP (       6   6   P    f9# 
Ohbond0.586 E (@ H Vd
 0 PP (       6   6   P    f9# ,o2bond0.586 E (@ iVd
 0 P,׏KP%       6   6   P    f9# ,Ohbond0.586 E (@ iVd
 0 P,׏KP%       :   :   T    f9#
o2eth1-01 f E 4q@ a]
 0Vd PI    "       :   :   T    f9#
Oheth1-01 f E 4q@ %PVd): PI    ad       :   :   T    f9#
o2eth1-01 f E 4@ W+
 0Vd P-           :   :   T    f9#
1Oheth1-01 f E 4@ Vd); P-           :   :   T    f9#
o2eth1-01 f E 4 @ 
9
 0Vd PI    "       :   :   T    f9#
Oheth1-01 f E 4 @ ůPVd): PI    ad       :   :   T    f9#
o2eth1-01 f E 4@ c
 0Vd P-           :   :   T    f9#
Oheth1-01 f E 4@ 'PVd); P-           :   :   T    f9#
o2eth1-01 f E 4y@ ?U
 0Vd PI    "       :   :   T    f9#
Oheth1-01 f E 4y@ PVd): PI    ad       :   :   T    f9#
ko2eth1-01 f E 4d @ 
 0Vd P-           :   :   T    f9#
Oheth1-01 f E 4d @ b%PVd); P-           :   :   T    f9
o2eth1-01 f E 4WS@ {
 0Vd PI    "       :   :   T    f9
Oheth1-01 f E 4WS@ nPVd): PI    ad       :   :   T    f9
o2eth1-01 f E 4;@ {
 0Vd P-           :   :   T    f9
Oheth1-01 f E 4;@ @
PVd); P-           :   :   T    f9$ icbond0.586 E 4D@ m
 0Vd&
EF      Kv       :   :   T    f9$ ^icbond0.586 E 4E@ m
 0Vd'
gM      ;       :   :   T    f9$ picbond0.586 E 4F@ m
|icbond0.586 E 4uU@ ~  :   :   T    f9$ 
  Vd} P3#    u       :   :   T    f9$ cwicbond0.586 E 4G@ m
 0Vd) P`y_      i#       :   :   T    f9$ eJItbond0.586 E 4G@ m
 0Vd) P`y_      i#       :   :   T    f9$ ero2bond0.586 E 4n@ `Vd
 0 P)S`y`H       :   :   T    f9$ e|Ohbond0.586 E 4n@ `Vd
 0 P)S`y`H       6   6   P    f9$ eicbond0.586 E  (H@ m
 0Vd) P`y`SPP       6   6   P    f9$ eItbond0.586 E  (H@ m
 0Vd) P`y`SPP       :   :   T    f9$ f
o2eth1-01 f E 4i@ ue
 0Vd) Py_           :   :   T    f9$ fOheth1-01 f E 4i@ 9PVd)= Py_            6   6   P    f9$ fo2bond0.586 E (I@ ,Vd
 0 P)S`y`P H       6   6   P    f9$ fOhbond0.586 E (I@ ,Vd
 0 P)S`y`P H       :   :   T    f9$ jicbond0.586 E 4I@ m
 0Vd* Pu-(      ;       :   :   T    f9$ lWItbond0.586 E 4I@ m
 0Vd* Pu-(      ;       :   :   T    f9$ lto2bond0.586 E 4,@ Vd
 0 P**u-(       :   :   T    f9$ l{Ohbond0.586 E 4,@ Vd
 0 P**u-(       :   :   T    f9$ licbond0.586 E 
J@ k
 0Vd) P`y`SP@  GET      :   :   T    f9$ lItbond0.586 E 
J@ k
 0Vd) P`y`SP@  GET      6   6   P    f9$ licbond0.586 E  (K@ m
 0Vd* Pu-(*PM       6   6   P    f9$ lItbond0.586 E  (K@ m
 0Vd* Pu-(*PM       :   :   T    f9$ m o2eth1-01 f E 4I@ 
 0Vd* Pum(    [       :   :   T    f9$ m  Oheth1-01 f E 4I@ |lPVd)> Pum(           6   6   P    f9$ mo2bond0.586 E (@ SVd
 0 P**u-(P R       6   6   P    f9$ mOhbond0.586 E (@ SVd
 0 P**u-(P R       6   6   P    f9$ o2bond0.586 E (~@ \Vd
 0 P)S`{#PF^       6   6   P    f9$ Ohbond0.586 E (~@ \Vd
 0 P)S`{#PF^       :   :   T    f9$ o2eth1-01 f E 4"@ 
 0Vd* Pum(    [       :   :   T    f9$ Oheth1-01 f E 4"@ NPVd)> Pum(           :   :   T    f9$ o2eth1-01 f E 4EJ@ 
 0Vd) Py_           :   :   T    f9$ Oheth1-01 f E 4EJ@ PVd)= Py_            :   :   T    f9$ o2eth1-01 f E 4@ O
 0Vd) Py_           :   :   T    f9$ Oheth1-01 f E 4@ PVd)= Py_            :   :   T    f9$ o2eth1-01 f E 4"@ _
 0Vd* Pum(    [       :   :   T    f9$ Oheth1-01 f E 4"@ $#PVd)> Pum(           6   6   P    f9$  o2bond0.586 E ("@ +Vd
 0 P,׏KP$       6   6   P    f9$  Ohbond0.586 E ("@ +Vd
 0 P,׏KP$       6   6   P    f9$  o2eth1-01 f E (L@@ 
 0Vd PI    P         6   6   P    f9$  Oheth1-01 f E (L@@ zPVd): PI    P  /       6   6   P    f9$ 
Ricbond0.586 E  (O@ m
 0Vd PK,אP       6   6   P    f9$ 
Itbond0.586 E  (O@ m
 0Vd PK,אP       6   6   P    f9$ icbond0.586 E  (P@ m
 0Vd PK,אP       6   6   P    f9$ Itbond0.586 E  (P@ m
 0Vd PK,אP       6   6   P    f9$ o2bond0.586 E (E@ CVd
 0 P,אKP#       6   6   P    f9$ Ohbond0.586 E (E@ CVd
 0 P,אKP#       6   6   P    f9$ C*o2bond0.586 E (@  Vd
 0 PP (       6   6   P    f9$ C<Ohbond0.586 E (@  Vd
 0 PP (       6   6   P    f9$ CKo2eth1-01 f E (,@ 

Just enable winscp and get it that way via winscp software. You can enable it by rinning chsh -s /bin/bash admin

Andy

I need an actual file that can be reviewed in wireshark.

Andy

how to send (attach) the file in private?

Just message me directly and we can correspond via email. Just need to step out for a bit, but will be back later.

Andy

Got your file, thanks! Let me see if I can make sense of it.

Andy

So, it appears ONLY ack happens on the way back, every packet shows malformed, so the fact you see that log in CP totally makes sense. I dont believe this is Check Point issue based on below snippet from the screenshot.

Andy

 Just curious, can you see if this parameter exists?

fw ctl get int mux_enabled

fw ctl get int mux_enabled
Get operation failed: failed to get parameter mux_enabled
get: Operation failed
/bin/cpfw_start: line 12: 25948 Killed

208.86.159.100 via x.x.x.x dev eth1-01 src y.y.y.y

x.x.x.x = our ISP address

y.y.y.y our external IP address

Actually, the TCP connection went through the full three way handshake and closed properly.
However, there was not enough information to properly identify the connection.
In that case, this message and behavior is by design, as stated in: https://support.checkpoint.com/results/sk/sk113479

I suggest trying the "Extended Reason" steps in the SK to see if that provides any additional information.

I looked through the capture file @Moudar sent me, but I dont see it being completed anywhere. Will check again tomorrow morning.

Andy

@Moudar  @the_rock 
Just wondering. Is the firewall's external interface directly connected to the internet?
I'm assuming there maybe a different firewall or content filter on external side that's blocking the site and not the firewall.

I just had a similar issue with my customer recently... ended up their upstream router was blocking the connection, with the "insufficient data passed" in security logs unable to match the access policy.

Good point. I will let Moudar answer that question, as I dont know their network.

Best,

Andy

I see what you mean, ack does show as present, but makes sense if info is not there to identity the connection.

Today, out of the blue, it began triggering the custom application site rule. Specifically, it started activating the correct rule at 07:16:28 this morning. The rule encompasses these three options:

How to check which got the hit?

both use the same IP address!

Just parse through the logs on whatever the source IP was.

Andy

Example from my lab...obviously, your rule number would be different, but you get an idea.

Andy