This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wyman
Contributor
‎2022-04-01 03:04 AM

Reply Traffic from Servers Not Passing Through

Hi everyone.

We're having an issue with traffic that I don't know how to pinpoint the cause of. We have an office in China which has a PBX server on the DMZ. Yesterday and today our users haven't been able to connect to it externally for a period of about 45 minutes. Looking at the logs for the time that it's unavailable (it's accessible from within the office), I can see HTTPS and webRTC traffic hitting the firewall and the PBX looks to send responses but external users are still unable to connect; no drop log entries exist. Essentially things seem ok and there aren't really any gaps in the logs to suggest that there are connectivity issues.

Apart from having a look at the logs after the fact, is there anything else we can do to determine why this is happening? There haven't been any policy changes nor any ISP failover so I don't know how we can prove whether it's a carrier issue or an issue with the firewall. 

Happy to answer any questions. Thanks in advance.

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2022-04-01 06:37 AM

Unfortunately given the geographic country involved here, it is likely that a "greater" firewall outside your control is messing with your traffic.  The only real way to determine the cause is to obtain a simultaneous packet capture with tcpdump/cppcap on both sides while the issue is occurring; regrettably Check Point does not support the notion of "triggered" packet captures that automatically start when a certain condition is met.

That said, there are three features mentioned in my book that you can enable to provide some extra log visibility and perhaps help give you a better idea of what is going on:

1) sk101221: TCP state logging

2) Possibly disable Session Logging on the relevant rules matching the problematic traffic and set only "Connection Logging", which will produce more granular connection-based logs but there will be many more of them.  For the difference see my CPX 2022 presentation Max Gander: The Hidden World of Log Generation & Suppression on Check Point.

3) Enable "Accounting" on the relevant rules matching the problematic traffic:

account.png

 

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-01 06:41 AM

You'd have to take packet captures while this is happening to get an idea of whether the traffic is symmetrically passing through the gateway or not.
It may not tell you where the issue is exactly, but you can at least rule out the firewall that way.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events