This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MarcuzShinz
Collaborator
Collaborator
‎2024-02-22 05:40 PM

Could not find the exact source IP behind of the Checkpoint

Hello Everyone!

Currently we are facing a rather confusing problem as follows:

1. We have 1 pair of Checkpoint devices and 2 pairs of other vendor's Fw devices connected as shown in the attached image.

2. We use a host with IP 10.0.33.100 located behind the Checkpoint device to access the service on Fw1, traffic goes through a Switch device in the middle. Then we are login to Fw1 device and check the logs on Fw1, we can see source IP 10.0.33.100 connected.

3. We use hosting with IP 10.0.33.100 located behind the Checkpoint device to access the service on Fw2, traffic goes through two Switch devices in the middle. Then we log in to the Fw2 device and check the log on Fw2, we can only see the source IP is Checkpoint's administrative IP, in addition we cannot find any other source IP.

Has anyone had any problems?

Preview file
837 KB
0 Kudos
11 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-02-22 05:48 PM

If you have exact source and dst IP, have you tred running fw monitor to see what happens with the traffic?

Best,

Andy

also, if say dst is 1.1.1.1 (just replace with right IP), run ip r g 1.1.1.1 from expert mode to see if its taking the correct route.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-02-22 05:53 PM
In response to the_rock

Traffic when passing through the checkpoint we checked to see that it was on the right route. On the checkpoint we can clearly see the source and dst.

However, as I mentioned, when traffic from a host located behind the checkpoint accesses a host located behind device fw1 through 1 Switch device as shown in the picture I attached, then when we log in to device fw1 and check, we can easily see source is the IP of the host behind the Checkpoint.

However, when traffic from a host located behind the checkpoint accesses a host located behind the fw2 device through 2 Switch device as shown in the picture I attached, then when we log in to the fw2 device and check, we Only seeing the source is the administrative IP of the checkpoint update.

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-22 06:03 PM
In response to MarcuzShinz

Sorry, I cant see the attachment...can you paste the diagram?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-02-22 06:08 PM
In response to the_rock

 

2024-02-23_082926.png

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-22 06:27 PM
In response to MarcuzShinz

K, I see it now, ty. Just to make sure, these are 2 single firewalls managede by the same mgmt server?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-02-22 06:39 PM
In response to the_rock

We only have 1 pair of checkpoints configured in Cluster with separate management components.

And fw1 and fw2 are two pairs of firewalls from another vendor.

0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-02-22 06:42 PM
In response to MarcuzShinz

Currently, when logging into the fw2 device to check the logs, we cannot see the exact source IP of the host behind the Checkpoint device. When done, use that host to access the services behind fw2.

We can only see the VIP IP MGMT of the Checkpoint device.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-22 06:51 PM
In response to MarcuzShinz

K, so its a cluster, got it. Does same issue happen regardless of which fw is the active one?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-02-22 06:56 PM
In response to the_rock

The Cluster Checkpoint device run on mode active/active

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-22 06:59 PM
In response to MarcuzShinz

Did you run zdebug to see if anything is dropped?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AmirArama
Employee
Employee
‎2024-02-23 09:43 AM

From your description it sounds like when you access fw1 the checkpoint don't perform source nat, but when you go to fw2 checkpoint do source nat.

Did you check the logs on checkpoint for traffic to fw2 and see if indeed you have xlate src and what nat rule does it match?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events