This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
yura_k
Contributor
Contributor
‎2024-03-11 08:54 AM
Jump to solution

ISP redundancy and Security Zones

Hi team!

Two 6400 appliances in the A/S cluster, Gaia R81.20 JHF41. Two ISPs (/29 subnets), Primary/Backup mode. NAT policy is made using Security Zones. Recently we faced the following situation.

When fail-over occurs, ISP from Primary ISP to Backup ISP, all outgoing ICMP requests and TCP sessions are re-established correctly. But some UDP sessions "hang" and are sourced with the address of the Primary ISP.

TAC in my case wrote that "Old connections will not change NAT by design. This as confirmed by the developer is by design  this is because the connection is recorded in the connection table."

How do I get to automatically perform UDP sessions cleanup from connections table?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-03-13 03:13 PM
Jump to solution

The way I understand what TAC said, it sounds like this would require an RFE.
It is possible to remove connections from the connections table (fw tab -x, I believe), but it would require some scripting to parse the connections table and figure out which ones to remove.

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2024-03-13 03:13 PM
Jump to solution

The way I understand what TAC said, it sounds like this would require an RFE.
It is possible to remove connections from the connections table (fw tab -x, I believe), but it would require some scripting to parse the connections table and figure out which ones to remove.

yura_k
Contributor
Contributor
‎2024-03-15 01:46 AM
In response to PhoneBoy
Jump to solution

Hi! If I understand correctly, when client A sends UDP data to server B via CP, a virtual UDP session is created, which has a timeout (40 seconds by default).

If a UDP reply from server B to client A arrives, is it a second virtual session, which is in no way linked to the first virtual session?

PhoneBoy
Admin
Admin
‎2024-03-15 03:49 PM
In response to yura_k
Jump to solution

If that reply comes within 40 seconds, it's considered part of the same session.

0 Kudos
the_rock
Legend
Legend
‎2024-03-13 03:41 PM
Jump to solution

If TAC confirmed it and developer said the same, then what @PhoneBoy advised makes total sense. Sounds like RFE to me.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top