This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Darren_Fine
Collaborator
‎2019-08-29 03:04 PM
Jump to solution

SNMP being secretly dropped by "fwpslglue_chain Reason: PSL Drop: ASPII_MT"

Hi ,

Had an interesting problem today - snmp was not working through an R80.10 firewall with JHF 112.

All the logs showed it was being allowed through on both the security policy and the application control layer.(which led most of the firewall admins to tell the network monitoring guys that its their issue...hahaha)

However when this was escalated I ran a fw ctl zdeug drop and low and behold..... found the infamous "dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT" for this traffic.

 

Since I have encountered this error before and it seems it can be for numerous blades I logged a call to see if TAC could give me a good idea on how to track this down .(thought maybe they would have some great way to isolate what can cause this by now..)

The only idea they had was to install latest JHF 😞

Anyhow - after doing that in a change window (the new JHF did not help ) - I tried switching off IPS which made no difference. I then switched off application control and what do you know - snmp started working. 🙂

In the end the solution was to make a rule higher up in the Application control layer rulebase allowing this ,

(even though there was a rule further down allowing this and the firewall logged as being allowed on that rule.... very misleading....)

So I just thought I would share this in case this assists anyone else out there ...

 

Regards

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-09-09 03:23 PM
In response to Darren_Fine
Jump to solution

App Control will be involved if there were other rules before the SNMP rule that require App Control.
This applies even if the final matching rule doesn't require it. 😁
By putting a specific SNMP rule at/near the top, you avoid this.

View solution in original post

6 Replies
Alessandro_Marr
Advisor
‎2019-08-30 06:58 AM
Jump to solution

Hello, looking for any domain object without FQDN flag marked.... this situation in r80.10 bring a lot of problems... 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-07 04:57 PM
Jump to solution

SNMP is one of those services that's handled in the firewall (meaning it doesn't require App Control).
Did the drop message provide a clue about what rule might be the culprit?
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-08 01:33 AM
Jump to solution

Hi @Darren_Fine 

In firewall rulebase, the service may be evaluated before evaluating the source or the destination.

Workaround:

1) Create a new customer service for SNMP and set the protocol type to "none".
     Now unchecking the box 'Match for 'Any'' in the new customer service.

2) Use the new customer service in the rule.

3) Install policy

More to PSL/PXL can you read here:

R80.x Security Gateway Architecture (Logical Packet Flow)

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Darren_Fine
Collaborator
‎2019-09-08 02:05 AM
In response to HeikoAnkenbrand
Jump to solution

Hi Guys,

 

Thanks for reading my post and for the reply 😃

 

@PhoneBoy there was only allows in the normal firewall logs for both firewall rules and application rules (its a legacy rulebase so they in different layers). I only saw the drop when doing the debug ..with the error mentioned in the subject.

 

Creating the allow snmp rule in the application control layer solved the problem so not sure how it would not require application control ? 😉

 

@HeikoAnkenbrand it did look like the rule was evaluated and found to be allowed (at least this is what the logs said). I did see a knowledge base that mentioned the steps you listed but some snmp traffic was working fine so I did not go that way .. As mentioned the addition of an application control rule for snmp seems to have fixed the issue. 

 

So its definitely working from the application control rule addition but I am now confused since you guys seem to think this should not have been the solution 🤔

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-09 03:23 PM
In response to Darren_Fine
Jump to solution

App Control will be involved if there were other rules before the SNMP rule that require App Control.
This applies even if the final matching rule doesn't require it. 😁
By putting a specific SNMP rule at/near the top, you avoid this.
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-08 02:28 AM
Jump to solution

Hi @Darren_Fine 

@PhoneBoy  was right.

I had the same problem with customers and the following sk97876 helped.   

But when everything's solved, that's great. 😀

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events