Hello, Mates.
I have a problem with a FW CP which is working in bridge mode with 2 of its interfaces. I currently have 2 Routers.
R1 - - -- - R2
These 2 Routers are working with IS-IS and BGP. The problem is that when you put the FW in the middle, something like this:
R1 - - - - FW CP L2 - - -- - R2
IS-IS and BGP adjacency is dropping as well. I have a free policy to avoid drops, but still the session of these protocols is not up, and everything indicates that it is the CP, because the only thing I can do is a Rollback to get it working again.
Is there any way to confirm if the CP is voting IS-IS sessions? I have used tcpdump and fw ctl zdebug, but I can't see anything relevant. Is it possible to filter the IS-IS or related traffic in some traffic capture?
Maybe concentrating on the interfaces which are part of the flow like Eth1-1 and Eth1-2?
Thanks for your comments.
Hm, that's a bit tricky, since IS-IS does not use a specific port number/protocol, so it might be a little tough to do any captures to discover if the fw is dropping it. If you check the logs when you are testing it, do you see anything at all?
Andy
Buddy.
Unfortunately I have not been able to capture something ‘important’ at the moment when the CP is in the middle, for the same reason that the commands did not show me relevant data.
For example, the zdebug did not show me anything, the tcpdump did not show me anything either, something quite strange.
Now the SmartConsole logs do show me traffic but it is multicast traffic, and I don't understand that.
R1 has IP x.x.160.161 and R2 x.x.160.162
And the only thing you see in the logs is traffic from these IPs at that time of testing but the destination shows MULTICAST traffic and nothing relevant to IS-IS between both IPs.
I asked ChatGPT and he sent me to capture traffic in tcpdump for a layer 2 protocol that is '0x83'.
I will have to try it.
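Added example, not part of the original thread: IS-IS has no IP header or port, so a capture has to match it at layer 2, where it appears as an 802.3 length-field frame with LLC `FE FE 03` followed by the protocol discriminator `0x83`. The sketch below classifies raw frames that way and reports which IS-IS PDU types were seen on one bridge port but not on the other; the function names and all sample frames are constructed for illustration.

```python
import struct
from collections import Counter

# IS-IS PDU type codes (ISO/IEC 10589): low 5 bits of the fifth header octet.
PDU_TYPES = {15: "L1 LAN IIH", 16: "L2 LAN IIH", 17: "P2P IIH", 18: "L1 LSP",
             20: "L2 LSP", 24: "L1 CSNP", 25: "L2 CSNP", 26: "L1 PSNP", 27: "L2 PSNP"}

def classify(frame: bytes):
    """Return the IS-IS PDU type name, or None if the frame is not IS-IS."""
    off = 12                                  # skip destination + source MAC
    while frame[off:off + 2] in (b"\x81\x00", b"\x88\xa8"):
        off += 4                              # skip 802.1Q / 802.1ad VLAN tags
    if len(frame) < off + 2:
        return None
    (field,) = struct.unpack_from("!H", frame, off)
    if field > 1500:                          # an EtherType: IP, ARP, ... not IS-IS
        return None
    llc, pdu = frame[off + 2:off + 5], frame[off + 5:]
    # 802.2 LLC DSAP/SSAP 0xFE, control 0x03, then NLPID 0x83 = IS-IS
    if llc != b"\xfe\xfe\x03" or len(pdu) < 5 or pdu[0] != 0x83:
        return None
    return PDU_TYPES.get(pdu[4] & 0x1F, "unknown IS-IS PDU")

def missing_on_egress(ingress, egress):
    """IS-IS PDU types seen on one bridge port but not forwarded out the other."""
    seen_in = Counter(filter(None, map(classify, ingress)))
    seen_out = Counter(filter(None, map(classify, egress)))
    return dict(seen_in - seen_out)

def make_frame(dst_hex, pdu_type, vlan=None):
    """Build a constructed 802.3/LLC frame carrying a minimal IS-IS header."""
    pdu = bytes([0x83, 27, 1, 0, pdu_type, 1, 0, 0]) + bytes(19)
    payload = b"\xfe\xfe\x03" + pdu
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    src = bytes.fromhex("02000000000a")       # constructed source MAC
    return bytes.fromhex(dst_hex) + src + tag + struct.pack("!H", len(payload)) + payload

# Constructed sample: two L2 hellos (one VLAN-tagged) and one IPv4 multicast frame
# arrive on the first bridge port; only the IPv4 frame leaves the second.
ALL_L2_IS = "0180c2000015"
IPV4_MCAST = bytes.fromhex("01005e000005" "02000000000a" "0800") + bytes(46)
INGRESS = [make_frame(ALL_L2_IS, 16), make_frame(ALL_L2_IS, 16, vlan=100), IPV4_MCAST]
EGRESS = [IPV4_MCAST]

if __name__ == "__main__":
    print(missing_on_egress(INGRESS, EGRESS))
```

With real data, the two lists would be the frames read from captures taken on each bridge port at the same time. libpcap's filter syntax also has an `isis` keyword that selects the same frames at capture time.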
Hm, that is indeed odd. Let me do some tests tomorrow in my lab as well.
Andy
See if you can run some of the below commands in clish?
Andy
R82> show isis
database - Show the contents of the IS-IS link-state database
errors - Show IS-IS errors
export-routemap - Show all routemaps for IS-IS export policy
hostnames - Show the IS-IS dynamic hostname list
interface - Show an IS-IS interface
interfaces - Show all IS-IS interfaces
ipv6 - Show IS-IS IPv6 multi-topology information
neighbor - Show an IS-IS neighbor
neighbors - Show all IS-IS neighbors
packets - Show IS-IS packets sent / received
summary - Show a brief summary of IS-IS running state
topology - Show IS-IS paths to other intermediate systems
Unless you've enabled and configured IS-IS routing on the gateway, I doubt we're doing anything.
We are only supposed to be working the CP as L2.
It has only 2 interfaces in bridge mode, 1 of them goes to R1 and the other to R2.
So, it does not make sense that when we put the device it is downloading the IS-IS session if it is acting as a L2.
It does not make sense to me.
Hey bro,
So, if that's the case, the fw itself would not be doing any IS-IS traffic, it would be more of a "pass-through", for lack of a better term. Just run those commands I sent before from clish and send them over.
Andy