CheckMates : Products : Quantum : Security Gateways
Unable to Access/Ping Checkpoint Gateway interfaces.
We have a CP 6200P running R80.30 in a production environment, and earlier it was accessible via the internal interfaces (HTTPS/SSH). But suddenly, for the last few days, the internal interfaces have not been reachable by ping, SSH or HTTPS.
While taking a tcpdump we can see the traffic hitting the CP GW, but we could only see SEW flags.
Now we are only able to access the GW (SSH/HTTPS) via its public IP.
What might be the reasons for this type of issue? How can we resolve this?
What do you see in the logs in SmartConsole? Also, when you try this, can you run the zdebug command as well? For example, say you are pinging or SSHing from the 10.10.10.100 IP address; just run this command on the gateway -> fw ctl zdebug + drop | grep 10.10.10.100 and see what you get. Another thing to consider: can you attempt to revert the policy to the time when this did work? I don't know if any changes were made, but something clearly happened since the last time it worked.
Any routing changes at all?
Andy
For the fw ctl zdebug output we are not able to see any logs/drops.
In SmartConsole we can see accept logs for the SSH and ping traffic going towards the internal (Check Point) interface IP.
In order to revert to the old policy, we don't know exactly when this stopped working.
Ok, I know this may be an extreme step, but to confirm 100% that it's not the policy, are you able to do fw unloadlocal on the gateway and see if the issue gets solved? If it does, then there is no doubt it's something in the policy that was blocking it.
Thanks for your suggestions.
This firewall is currently in production, so fw unloadlocal is a less feasible option.
The only issue is that the monitoring tool is not able to connect properly and the FW admins are not able to access it via the internal interfaces.
If there were any issue with the firewall policy or packets dropped by this FW kernel, then we should see those logs in SmartConsole and in the fw ctl zdebug + drop command, right?
Is there anything else we can try/check for this?
Can you attach the fw monitor and tcpdump files from when you are testing this, and also indicate the source/destination IP?
Cheers,
Andy
Please find the attached command output.
I am only assuming now, as you did not fully answer my question, but it looks like traffic is "stuck" on the eth4.1135 interface. What does this show -> ip r g x.x.x.x
where x.x.x.x is the IP you are trying to access.
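As an added example (not code from the thread or from Check Point), the script below automates the two checks Andy asked for: reading the tcpdump capture for the handshake state, and reading `ip route get` for the interface the gateway would use to answer the client. tcpdump prints a SYN with the ECN bits set as `[SEW]` and a SYN-ACK as `[S.]` (or `[S.E]`), so a capture that shows only `[SEW]` means the client's SYNs arrive but the gateway never answers; if `ip route get <client>` then names a different interface than the one the SYN came in on, the reply is leaving by an asymmetric path. The tcpdump and `ip route get` lines here are constructed sample data; 10.10.10.100 is the client IP from Andy's post, 10.10.10.1 is an assumed internal interface IP, and eth4.1135 is the interface named in the thread.

```shell
#!/bin/sh
# Added triage helpers (not from the CheckMates thread or Check Point).
# Assumptions: client 10.10.10.100, gateway internal IP 10.10.10.1 (assumed),
# ingress interface eth4.1135. All sample inputs below are constructed.

# Count SYN-only vs SYN-ACK segments in `tcpdump -nn` output read from stdin.
# tcpdump shows SYN+ECN as [SEW]; a SYN-ACK as [S.] or [S.E]. Prints "<syn> <synack>".
count_handshake() {
    awk '/Flags \[S[EW]*\]/   { syn++ }
         /Flags \[S\.[EW]*\]/ { synack++ }
         END { printf "%d %d\n", syn + 0, synack + 0 }'
}

# Verdict from the counts: "no-reply" when SYNs arrive and nothing answers.
handshake_verdict() {
    counts=$(count_handshake)
    syn=${counts% *}
    synack=${counts#* }
    if [ "$syn" -gt 0 ] && [ "$synack" -eq 0 ]; then
        echo "no-reply"
    else
        echo "replying"
    fi
}

# Pull the egress device out of one `ip route get <client>` line on stdin.
route_get_dev() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Compare the interface the SYN arrived on with the interface the gateway
# would use to reach the client. Returns 0 when symmetric, 1 when not.
check_symmetry() {
    ingress=$1
    route_line=$2
    egress=$(printf '%s\n' "$route_line" | route_get_dev)
    if [ "$ingress" = "$egress" ]; then
        echo "symmetric: client reached via $ingress, reply routed out $egress"
        return 0
    fi
    echo "ASYMMETRIC: SYN arrived on $ingress but route to client leaves via $egress"
    return 1
}

# Constructed sample data: three client SYNs (as in the thread, only SEW seen).
SAMPLE_TCPDUMP='12:00:01.000001 IP 10.10.10.100.51234 > 10.10.10.1.22: Flags [SEW], seq 100, win 64240, length 0
12:00:02.000001 IP 10.10.10.100.51234 > 10.10.10.1.22: Flags [SEW], seq 100, win 64240, length 0
12:00:04.000001 IP 10.10.10.100.51234 > 10.10.10.1.22: Flags [SEW], seq 100, win 64240, length 0'
SAMPLE_ROUTE_OK='10.10.10.100 dev eth4.1135 src 10.10.10.1 uid 0'
SAMPLE_ROUTE_BAD='10.10.10.100 via 192.0.2.1 dev eth1 src 192.0.2.10 uid 0'

# Stand-alone demo. On the gateway (expert mode) the inputs would come from
#   tcpdump -nni eth4.1135 host 10.10.10.100 and port 22
#   ip route get 10.10.10.100
# with `fw ctl zdebug + drop | grep 10.10.10.100` running alongside.
main() {
    printf '%s\n' "$SAMPLE_TCPDUMP" | handshake_verdict
    check_symmetry eth4.1135 "$SAMPLE_ROUTE_OK"
    check_symmetry eth4.1135 "$SAMPLE_ROUTE_BAD" || true
}
main
```

The two verdicts separate the cases: "no-reply" plus a symmetric route points at something on the gateway itself (policy, or a local service not listening on that interface), while "no-reply" plus an asymmetric route means the SYN-ACK is leaving through another interface and may never reach the client, which is consistent with accept logs in SmartConsole and no drops from zdebug.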
Please find the attached logs.
