Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Uwe_Knoetsch
Participant

Funny Hide NAT for FW1_ica_services after install Jumbo 189 HF R80.10

Hello,

after we install the Jumbo HF 189 on a VSX Gateway Cluster we get problems with central managed SMB Appliances there are connect to a MDM CMA trought this VSX Firewall.

We see in the log that packets with service FW1_ics_services are from this moment the firewall hidden by an implicit NAT behind the gateway. But packets with service CDP (TCP/18191) they arn't hide-natted.

my Questions: Is this a new special function inside Jumbo HF 189? Has any CheckMates member informations about this new uncomfortable behavior?

The god thing is: after we install a no-NAT Rule for the destiantion (the MDM-CMA) all is fine.

 

Regards Uwe

Below: yellow marked the log before installation jumbo HF 189 (without NAT)

Log from MDM.JPG

3 Replies
PhoneBoy
Admin
Admin

I suggest opening a TAC case on this.
Uwe_Knoetsch
Participant

Hi Deamon, our partner Bristol (Germany - Thomas Hecht) shold open a TAC Case. Regards Uwe
Uwe_Knoetsch
Participant

Hello,

after a remotesession with CheckPoint today we have clarified the problem and a solution:

Following our remote session,

We saw that there is no automatic NAT enabled on the relevant GW object, and the issue is only happening on port 18264. This port -18264 - is used for connections to Management Server for Certificate Revocation Lists (CRLs) and registering users when using the Policy Server. Refer to sk35292. By default, it's configured in table.def under Implied rules of Hide NAT, but it can be safely edited if we have no need for NAT for this specific environment. 

It's possible that the fact that prior to upgrading jumbo there was no such issue is due to a bug which was fixed by an upgrade.

The procedure we have done is the following:
1) Open SSH to the management (switch to the relevant CMA if you use a MDM -> mdsenv CMA-Name or IP))
2) Backup file table.def: 
# cp $FWDIR/lib/table.def $FWDIR/lib/table.def.back 
3) Edit the file 
# vi $FWDIR/lib/table.def 
4) Find “hide_services_ports” line 
5) Delete the value with port 18264. row should look like this: 
hide_services_ports = { <18210, 6> }; 
6) Save changes in the vi 
7) Install policy 

Regards Uwe

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events