This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TAEKBOM_Kim
Contributor
‎2020-02-05 06:39 PM

Protocol violation detected with protocol:(IKE Nat traversal - UDP)

Hello

We are seeing this issue. and We have a problem with VPN communication.

Do you have any idea about that?

 

1. SG5100: R80.10 (Take 249)

2. Topology: 3rd party VPN <--- SG5100 (bridge mode) ---> 3rd party VPN

                     SG5100 is not set to VPN. It's just a bridge mode firewall.

3. Policy

11.PNG

4. Logs

Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)

22.PNG

0 Kudos
7 Replies
Wolfgang
MVP Gold
MVP Gold
‎2020-02-05 11:47 PM

Kim,

first of all. Very interesting policy "any => any, allow" Hope this will be only for testing.

It looks like your VPN partners are not doing correctly the specifications for IKE_NAT-traversal.

You can try to create a new service-object with no protocol definition like this:

 

udp_4500.png

 and use this service object in your rulebase.

Wolfgang

0 Kudos
TAEKBOM_Kim
Contributor
‎2020-02-06 12:02 AM
In response to Wolfgang

Wolfgang,
Yes, it's only for testing. "any=>any,allow"

I created a new service-object with no protocol definition.
but the result was the same.

Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)

캡처.PNG

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-02-06 01:01 AM
In response to TAEKBOM_Kim

Yeah, you get an alert - but what is your issue when i see action accept in log ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
TAEKBOM_Kim
Contributor
‎2020-02-07 12:25 AM
In response to G_W_Albrecht

G_W_Albrecht.

We have a problem with vpn communication between 3rd party devices.
The vpn service is no problem when removing checkpoint devices.
0 Kudos
Cyber_Serge
Collaborator
‎2020-07-29 12:05 PM

I'm seeing similar log for Protocol violation, but it's for (DNS-UDP). Even though the log will say "Allow" for action, it actually cause problem.

Not sure if the packet is drop but the DNS did not resolve. Basically if I do a nslookup from client machine, I'll see a log of Protocol violation coming from internal DNS, and on client machine the nslookup will not resolve the url and just time out.

This doesn't always happen though. It happen from time to time so it's hard to replicate the issue with support on the phone. Just curious what cause it to think there's Protocol violation?

0 Kudos
Cyber_Serge
Collaborator
‎2020-07-29 12:30 PM
In response to Cyber_Serge

The temporary workaround we did was a Global Exception rule from the Inspection Settings for said traffic, while waiting on support to figure out what cause it to think there's protocol violation 

0 Kudos
Hitesh_Brahmbha
Participant
‎2021-01-07 09:32 PM

Every Next Generation firewall maintains protocol signature to validate the authenticity of the protocol/service.
If any traffic does not match with the defined service/protocol signature standard, it will alert you with the protocol violation error message.
In Check Point, Application and URL filtering blade must be in enabled state on the gateway for the protocol signature validation.

Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. This option is used to limit the port to the specified protocol.

Regards,
Hitesh Brahmbhatt

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events