This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sung
Explorer
‎2023-07-11 05:51 PM

SSH connection failed when it go through the firewall/across VLANs.

Hello everyone. 

As shown as attached, we use Checkpoint 3600 as our gateway and connect it to our core switch.

We observed that SSH connection from VLAN-A to VLAN-B is failed.
For example, We use laptop with VLAN10 IP to SSH access Cisco network switch which with VLAN20, but connection is failed.
We use SSHv2 and observed Checkpoint firewall accept SSHv2 on log level, but connection is failed.At the same time there is SSHv1 releated drop log but do not know if SSHv2 connection failed and SSHv1 drop log are connected or not.


Also, we tryied using the same laptop with VLAN20 IP and observed SSHv2 connection is worked.
We did not filter anything on Cisco switch and also observed the same behavior with other platform like Cisco 9200 and HP A5800 network switch.Therefore, we believe that it fails only when packet go through the firewall/across VLANs.
Could anyone share how to investigate futher on Checkpoint or solve this issue? Thanks.

Preview file
207 KB
0 Kudos
2 Replies
the_rock
Legend
Legend
‎2023-07-11 06:13 PM

I will give you basic command I would do first, it should provide an idea as to why it fails. So, lets pretend IP involved is 1.2.3.4 trying to ssh

You could do this from expert on the fw -> fw ctl zdebug + drop | grep 1.2.3.4 | grep "22"

You can run same command just grepping for port 22

Alternatively, you can also do fw monitor -e "accept host(1.2.3.4) and port(22);"

There is also fw monitor -F filter, which is real good, so say src is 1.2.3.4 and dst is 2.3.4.5 and dst port is 22, it would look like below

fw monitor -F "1.2.3.4,0,2.3.4.5,22,0" -F "2.3.4.5,0,1.2.3.4,22,0"

Idea is this "srcip,src port, dst ip, dst port, protocol"

Needless to say, you dont care about src port, as its totally irrelevant.

Hope that helps.

Andy

0 Kudos
Sung
Explorer
‎2023-07-20 10:24 PM
In response to the_rock

Thank you. Will check with these debug commands and see what can we see.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events