AVG13
Explorer

Unable to Access/Ping Checkpoint Gateway interfaces.

We have a CP 6200P running R80.30 in a production environment. Earlier it was accessible via its internal interfaces (HTTPS/SSH), but suddenly, for the last few days, the internal interfaces have not been reachable by ping, SSH or HTTPS.

While taking a tcpdump we can see the traffic hitting the CP GW, but we only see packets with SEW flags.

Now we can only access the GW (SSH/HTTPS) via its public IP.

What might be the reasons for this type of issue? How can we resolve it?

0 Kudos
8 Replies
the_rock
Legend

What do you see in the logs in SmartConsole? Also, when you try this, can you run the zdebug command as well? For example, say you are pinging or SSH-ing from the 10.10.10.100 IP address; just run this command on the gateway -> fw ctl zdebug + drop | grep 10.10.10.100 and see what you get. Another thing to consider is: can you attempt to revert the policy to the time when this did work? I don't know if any changes were made, but something clearly happened since the last time it worked.

Any routing changes at all?

Andy

0 Kudos
AVG13
Explorer

In the fw ctl zdebug output we are not able to see any logs/drops.

In SmartConsole we can see accept logs for the SSH and ping traffic going towards the internal (Check Point) interface IP.

As for reverting to an old policy, we don't know exactly when this stopped working.

0 Kudos
the_rock
Legend

Ok, I know this may be an extreme step, but to confirm 100% that it's not the policy, are you able to run fw unloadlocal on the gateway and see if the issue gets solved? If it does, then there is no doubt it's something in the policy that was blocking it.

0 Kudos
AVG13
Explorer

Thanks for your suggestions.

This firewall is currently in production, so fw unloadlocal is a less feasible option.

The only issue is that the monitoring tool is not able to connect properly and the FW admins are not able to access it via the internal interfaces.

If there were an issue with the firewall policy, or packets dropped by the FW kernel, then we should see those logs in SmartConsole or in fw ctl zdebug + drop, right?

Anything else we can try or check for this?

0 Kudos
the_rock
Legend

Can you attach the fw monitor and tcpdump files from when you are testing this, and also indicate the source/destination IPs?

Cheers,

Andy

0 Kudos
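The "only SEW flags" symptom from the original question, together with Andy's request for a tcpdump, is essentially a question of whether the capture shows a one-way or a two-way TCP handshake. As an added example (not from the thread or from Check Point), the POSIX shell functions below classify a capture in tcpdump -nn style: SYN packets toward the gateway port with no SYN-ACK leaving it means the gateway receives the traffic but never answers, which points at the reply path (local routing, anti-spoofing or interface state) rather than at the client. The sample capture lines, the 10.10.10.100 client and the 192.0.2.1 gateway address are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify a tcpdump -nn capture of TCP traffic toward a
# gateway interface as ONE_WAY, TWO_WAY or NO_TRAFFIC.

# Constructed sample 1: three SYN retransmits (flags [SEW] = SYN with ECN
# bits) from the client to the gateway's SSH port and no reply at all.
SAMPLE_ONE_WAY='10:01:01.000001 IP 10.10.10.100.51000 > 192.0.2.1.22: Flags [SEW], seq 1, win 64240, length 0
10:01:02.000001 IP 10.10.10.100.51000 > 192.0.2.1.22: Flags [SEW], seq 1, win 64240, length 0
10:01:04.000001 IP 10.10.10.100.51000 > 192.0.2.1.22: Flags [SEW], seq 1, win 64240, length 0'

# Constructed sample 2: the healthy case, where the gateway answers the SYN
# with a SYN-ACK (flags [S.E]) and the client completes the handshake.
SAMPLE_TWO_WAY='10:02:01.000001 IP 10.10.10.100.51001 > 192.0.2.1.22: Flags [SEW], seq 1, win 64240, length 0
10:02:01.000400 IP 192.0.2.1.22 > 10.10.10.100.51001: Flags [S.E], seq 100, ack 2, win 65535, length 0
10:02:01.000700 IP 10.10.10.100.51001 > 192.0.2.1.22: Flags [.], ack 101, win 64240, length 0'

# Escape regex metacharacters in a dotted IP so grep matches it literally.
re_escape() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Count SYN-only packets (no ACK bit, optional ECN bits) sent to $2:$3.
count_syn() { # $1 = capture text, $2 = gateway ip, $3 = service port
  ip=$(re_escape "$2")
  printf '%s\n' "$1" | grep -c -- "> $ip\.$3: Flags \[S[EW]*]" || true
}

# Count SYN-ACK packets (SYN plus ACK bit) sent from $2:$3.
count_synack() { # $1 = capture text, $2 = gateway ip, $3 = service port
  ip=$(re_escape "$2")
  printf '%s\n' "$1" | grep -c -- "IP $ip\.$3 > .*Flags \[S\.[EW]*]" || true
}

# Summarise the handshake seen in the capture for one gateway service.
handshake_status() { # $1 = capture text, $2 = gateway ip, $3 = service port
  syn=$(count_syn "$1" "$2" "$3")
  synack=$(count_synack "$1" "$2" "$3")
  if [ "$syn" -eq 0 ] && [ "$synack" -eq 0 ]; then
    echo NO_TRAFFIC      # nothing for that service in the capture
  elif [ "$synack" -eq 0 ]; then
    echo ONE_WAY         # SYNs arrive, gateway never replies: check reply path
  else
    echo TWO_WAY         # gateway answers; the problem is elsewhere
  fi
}

# Usage: on a real box you would pipe a capture file in, e.g.
#   handshake_status "$(tcpdump -nn -r capture.pcap 'tcp port 22')" 192.0.2.1 22
handshake_status "$SAMPLE_ONE_WAY" 192.0.2.1 22
handshake_status "$SAMPLE_TWO_WAY" 192.0.2.1 22
```

A ONE_WAY result confirms what the poster describes: the packets reach the gateway (so the client-side network is fine) and the next thing to inspect is why no SYN-ACK leaves, which is where the fw ctl zdebug + drop and ip route get checks suggested in this thread apply.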
AVG13
Explorer

Please find the command output attached.

0 Kudos
the_rock
Legend

I am only assuming now, as you did not fully answer my question, but it looks like traffic is "stuck" on the eth4.1135 interface. What does this show -> ip r g x.x.x.x

where x.x.x.x is the IP you are trying to access.

0 Kudos
AVG13
Explorer

Please find the logs attached.

0 Kudos
