SecurityNed
Collaborator

Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

Hello Checkmates,

I have a question regarding the behavior of my internal firewall. Please see the image below for reference:

Simple1.png

Currently, anything below INTFW has internet access, but for some reason, INTFW doesn't. I confirmed this when I checked my URL and App Control updates, which show a failed attempt. Logs show the traffic allowed via an implied rule, as seen in the screenshot below:

logs1.png

Running fw ctl zdebug + drop | grep [INTFW IP] on EXTFW1 (the current active cluster member) doesn't show any drops, so it confirms that the allowed log entries are correct. It shouldn't be about the routes, as my internal network is working as it should; it's only INTFW that doesn't have internet.

I would like insight into this, as it would allow me to update my internal firewall to the latest JHF, which would probably fix a lot of the issues I'm experiencing.

Thanks!

9 Replies
Chris_Atkinson
Employee

What do the logs say? Do they show the traffic being NAT'd at the Ext firewall?

CCSM R77/R80/ELITE
SecurityNed
Collaborator

Here's an example of a log for egress to 8.8.8.8 from the INTFW:


nonat.png

I see no translation entries, but we do have a NAT policy; the group INTERNAL should have the 192.168.4.X IP address that is configured on the internal firewall.

Chris_Atkinson
Employee

The source address shown in the log is different from the subnet you mention, so it may not be hitting your current NAT rules.

Granted, since it's not an RFC 1918 address, it might be a moot point if the address is otherwise valid.

CCSM R77/R80/ELITE
SecurityNed
Collaborator

Would I still need NAT if the scenario is:

INTFW [20.20.0.4] <---> EXTFW1 [20.20.0.3]

That IP is the link that is directly connected to EXTFW1, so I would assume I don't need to NAT it, as it's directly connected.

Chris_Atkinson
Employee

If it's a public routable address that is valid and belongs to your org, then no...

CCSM R77/R80/ELITE
SecurityNed
Collaborator

Yes, that's why the behavior is unusual. To add, I can ping my DMZ-residing servers without issue; it's that one hop going to the internet that is not working for some reason. So, for ping tests:

  • INTFW --> EXTFW1 Interface (20.20.0.3) = ok
  • INTFW --> DMZ IPs (172.16.X.X) = ok
  • INTFW --> Internet = log says it's okay, but ping from within the gateway fails

Chris_Atkinson
Employee Employee
Employee

I've sent you a DM to check something related here regarding your choice of IP addresses.

CCSM R77/R80/ELITE
the_rock
Legend

If you run the ip r g 8.8.8.8 command, what does it show?

Andy

Chris_Atkinson
Employee

Most likely the issue is the source IP in this case.

CCSM R77/R80/ELITE
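Added example, not from the thread and not Check Point's own tooling: a small Python check that ties the two points raised above together. It takes the source address the gateway will use for internet traffic (the `src` field of `ip route get` output, the command Andy asks about) and reports whether the external firewall's hide-NAT rule would cover it, whether it is a public address the org owns, or whether it is neither, in which case the packet is accepted and logged but the reply is routed to whoever actually owns that prefix. The INTERNAL group (192.168.4.0/24), the org's public prefix (203.0.113.0/24, a documentation range used as a placeholder) and the `ip route get` output are all constructed for the example.

```python
import ipaddress

# Constructed inputs for this example; replace with your own policy objects.
NAT_GROUP_INTERNAL = ["192.168.4.0/24"]   # INTERNAL group behind the hide-NAT rule (assumed)
ORG_PUBLIC_PREFIXES = ["203.0.113.0/24"]  # placeholder for the org's own public range
SAMPLE_IP_ROUTE_GET = "8.8.8.8 via 20.20.0.3 dev eth1 src 20.20.0.4 uid 0\n    cache"  # constructed

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def source_from_ip_route_get(output):
    """Return the 'src' address the kernel chose, parsed from `ip route get` output."""
    tokens = output.split()
    return tokens[tokens.index("src") + 1] if "src" in tokens else None


def classify_egress(src, nat_groups=NAT_GROUP_INTERNAL, org_prefixes=ORG_PUBLIC_PREFIXES):
    """Say what happens to a packet that leaves for the internet with source `src`.

    Returns (verdict, reason):
      'hide-nat'       source matches a NAT group; replies return to the hide address
      'no-nat-needed'  public source the org owns; replies route back to us unchanged
      'unreachable'    neither: the firewall accepts the packet (the log shows Accept)
                       but the reply is routed to whoever owns that prefix, so the
                       gateway's own ping and update checks time out
    """
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(g) for g in nat_groups):
        return "hide-nat", "source matches the NAT group; translated on the external firewall"
    if any(ip in net for net in RFC1918):
        return "unreachable", "RFC1918 source not covered by any NAT rule"
    if any(ip in ipaddress.ip_network(p) for p in org_prefixes):
        return "no-nat-needed", "public source belongs to the org; no NAT required"
    return "unreachable", "public source neither NAT'd nor owned by the org; replies go elsewhere"


def diagnose(ip_route_get_output):
    """Combine both steps: which source the gateway will use, and what happens to it."""
    src = source_from_ip_route_get(ip_route_get_output)
    verdict, reason = classify_egress(src)
    return {"src": src, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    print(diagnose(SAMPLE_IP_ROUTE_GET))
    for host in ("192.168.4.10", "203.0.113.7", "10.9.9.9"):
        print(host, classify_egress(host))
```

Run it on the gateway with the real `ip route get 8.8.8.8` output and your actual NAT group and public prefixes; an 'unreachable' verdict on the gateway's own source address matches the symptom in this thread (accepted in the log, no reply).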