SurajGaikwad
Explorer

Reverse HTTPS traffic is getting dropped on Checkpoint Gateway

Hi Team,

We are facing an issue where reverse HTTPS traffic from destination to source is being dropped.

Example below, FYI:

*****Forward Traffic******

Source:10.10.10.10 (source is behind gateway 1)

Source port: Random (52437)

Destination: 20.20.20.20 (Destination is behind gateway 2)

Destination port: 443

Traffic is getting allowed on both gateways.

*****Reverse Traffic******

Source: 20.20.20.20 (Destination is behind gateway 2)

Source port: 443

Destination: 10.10.10.10 (source is behind gateway 1)

Destination port: Random (52437) ---> same random port as observed in the forward traffic

Traffic is getting dropped on gateway 2.

**********************

This is unexpected behavior for a stateful firewall.

Any thoughts on why this is happening, and what could be the solution?
10 Replies
_Val_
Admin

What does the drop log say?

For TCP 443 you do not need two rules; one should be enough. Also, what about NAT?

SurajGaikwad
Explorer

Hello _Val_,

Thanks for the reply.

The zdebug drop log says "dropped by fw_send_log_drop Reason: Rulebase drop". The same is observed in the SmartConsole logs: the traffic is getting dropped by the default cleanup rule.

NAT is not enabled for either the source or the destination.
emmap
Employee

Do you see accept logs for the forward traffic on both gateways, and which gateway is logging the drop?

SurajGaikwad
Explorer

Hello emmap,

Yes, I can see accept logs for the forward traffic on both gateways.

The drop log is observed on the first gateway the return traffic hits (gateway 2, as explained in the question).
_Val_
Admin

This does not make much sense. Check for asymmetric routing.

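To make the asymmetric-routing suggestion concrete, here is an added toy model of stateful inspection (example code written for this page; it is not Check Point code and does not reproduce the real connection-table or logging format). It uses the addresses and ports from the original post and a single accept rule for 10.10.10.10 -> 20.20.20.20:443. In the symmetric case the SYN/ACK from port 443 to the random client port matches the connection entry on each gateway and never touches the rulebase. In the asymmetric case the return packet reaches a hypothetical device that never saw the SYN (for example another cluster member without synchronised state); with no connection entry it falls through to the rulebase, where nothing matches a 443 -> 52437 packet, and the implicit cleanup rule drops it. The gateway name "gw2-alt" and the verdict strings are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Addresses and ports are the ones from the post above; the rule syntax,
# gateway names and verdict strings are invented for this constructed model.
CLIENT, SERVER = "10.10.10.10", "20.20.20.20"
CLIENT_PORT, SERVER_PORT = 52437, 443


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                 # IP address or "Any"
    dst: str                 # IP address or "Any"
    dport: Optional[int]     # None means any destination port
    action: str              # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("Any", pkt.src)
                and self.dst in ("Any", pkt.dst)
                and self.dport in (None, pkt.dport))


class Gateway:
    """Minimal stateful gateway: connection table first, rulebase second."""

    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name = name
        self.rules = rules
        self.connections: Set[Tuple[str, int, str, int]] = set()  # accepted flows

    def process(self, pkt: Packet) -> Tuple[str, str, str]:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A packet of a known flow (either direction) bypasses the rulebase.
        # This is why reply traffic 443 -> random port needs no second rule.
        if fwd in self.connections or rev in self.connections:
            return (self.name, "accept", "connection table")
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.connections.add(fwd)
                return (self.name, rule.action, f"rule {number}")
        # Nothing matched: implicit cleanup rule, logged as a rulebase drop.
        return (self.name, "drop", "cleanup rule")


RULEBASE = [Rule(CLIENT, SERVER, SERVER_PORT, "accept")]  # one rule is enough


def run(forward_path: List[Gateway], return_path: List[Gateway]):
    """Push the SYN along forward_path, then the SYN/ACK along return_path."""
    syn = Packet(CLIENT, CLIENT_PORT, SERVER, SERVER_PORT)
    syn_ack = Packet(SERVER, SERVER_PORT, CLIENT, CLIENT_PORT)
    verdicts = [gw.process(syn) for gw in forward_path]
    verdicts += [gw.process(syn_ack) for gw in return_path]
    return verdicts


def symmetric_case():
    """Return traffic traverses the same two gateways in reverse order."""
    gw1, gw2 = Gateway("gw1", RULEBASE), Gateway("gw2", RULEBASE)
    return run([gw1, gw2], [gw2, gw1])


def asymmetric_case():
    """Return traffic hits a device that never saw the forward SYN."""
    gw1, gw2 = Gateway("gw1", RULEBASE), Gateway("gw2", RULEBASE)
    # Hypothetical: a second device on the return path (e.g. another cluster
    # member without synchronised state) holding no entry for this flow.
    gw2_alt = Gateway("gw2-alt", RULEBASE)
    return run([gw1, gw2], [gw2_alt, gw1])


if __name__ == "__main__":
    for label, verdicts in (("symmetric", symmetric_case()),
                            ("asymmetric", asymmetric_case())):
        print(label)
        for name, action, reason in verdicts:
            print(f"  {name}: {action} ({reason})")
```

The diagnostic value is in the third verdict of each run: the only difference between the two cases is whether the device that sees the 443 -> 52437 packet also saw the SYN, so when a real gateway logs a cleanup-rule drop on the reply, checking the "origin" of the accept and drop logs (as asked later in this thread) tells you whether the two packets actually traversed the same device.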
PhoneBoy
Admin

Please provide screenshots of both the accept and drop logs (masking sensitive data).

SurajGaikwad
Explorer

Hello PhoneBoy,

Attached are the accept and drop logs, where the forward traffic is accepted and the reverse traffic is dropped.
PhoneBoy
Admin

Please provide the full log card for each log entry.

SurajGaikwad
Explorer

Attached the full log card.

Also, let me know whether return traffic is visible in the SmartConsole logs if the forward traffic is accepted.
PhoneBoy
Admin

I'm not seeing the "origin" field on these log entries (i.e. the gateway that is actually logging these packets).
Have you confirmed that the same gateway that is allowing the traffic is actually the one blocking it?