This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ajsingh
Explorer
Thursday
Jump to solution

IDC events not coming on Firewall

Hi All,

I recently installed IDC on a separate Window server and configured it as per the Guide.

I have connected to 6 of my DC's and its receiving events fine. Then i connected one Firewall which is in the same virtual Network and it is receiving all the events and i see users and Machine identities in my firewall. 

FW (identity source)----->Identity collector

 

Now I have added another firewall and it is connected and IDC shows connected and Events are being sent . On firewall, I dont see any user/Machine identities getting updated .

Firewall (Identity source)----->VPN site to site----->Identity collector

 

Is there something else I have to do for Events to go over VPN tunnel to my Firewalls that is trying to get identities from IDC ? Because if its is not over VPN tunnel , its working fine. 

Both Firewalls are R81.20 and have same configuration and IDC shows both connected and events are being sent and I do see numbers increase in IDC. 

Labels
0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
Thursday
In response to ajsingh
Jump to solution

That 100% looks right to me. I would open TAC case about it to see what they say.

Andy

View solution in original post

0 Kudos
10 Replies
the_rock
Legend
Legend
Thursday
Jump to solution

Maybe a silly question, but did you make sure windows fw is off on that machine?

Andy

0 Kudos
ajsingh
Explorer
Thursday
In response to the_rock
Jump to solution

Hi,

Yes it is off, since one firewall is working fine. 

0 Kudos
the_rock
Legend
Legend
Thursday
In response to ajsingh
Jump to solution

K, I see what you meant in your post. So, the one that fails, the difference is it goes over vpn tunnel. Can you do capture and make sire IC ip is not getting dropped? Run fw monitor and then in other ssh window run zdebug

So say IC ip is 10.10.10.10, do something like this:

ssh 1 -> fw monitor -e "accept host(10.10.10.10);"

ssh 2 -> fw ctl zdebug + drop | grep 10.10.10.10

0 Kudos
ajsingh
Explorer
Thursday
In response to the_rock
Jump to solution

Hi, 

I just confirmed that traffic indeed is coming at port 443 and there is no drop in the traffic. I do see vpn logs too and nothing looks out of place. All connectivity looks fine 😞

0 Kudos
the_rock
Legend
Legend
Thursday
In response to ajsingh
Jump to solution

I would try restart IC machine to see if it makes any difference. Maybe also run pdp update all on the problematic gateway.

Andy

0 Kudos
ajsingh
Explorer
Thursday
In response to the_rock
Jump to solution

output from my problematic firewall : 

 
 

 

Preview file
15 KB
0 Kudos
the_rock
Legend
Legend
Thursday
In response to ajsingh
Jump to solution

That 100% looks right to me. I would open TAC case about it to see what they say.

Andy

0 Kudos
the_rock
Legend
Legend
Thursday
In response to ajsingh
Jump to solution

One thing I would do is maybe try do IA debugs on the fw and see what gives.

commands are pep debug on and pdp debug on (off to turn off). Once done, check $FWDIR/dir log for pep and pdp log files.

Hope that helps.

Andy

0 Kudos
ajsingh
Explorer
yesterday
In response to the_rock
Jump to solution

Thank you all for your replies. am heading for my vacation for next week. I will open tac case now once am back 🙂

0 Kudos
the_rock
Legend
Legend
yesterday
In response to ajsingh
Jump to solution

Have a nice vacation!

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events