This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jamesbondjr007x
Explorer
‎2019-07-10 01:38 PM

What is the expected traffic in a packet capture for Checkpoint High Avalibility?

While working on a issue I noticed this on a wireshark packet capture on my Nexus 9000 switch is connected to a 15400 XL running Gaia 80.33 (whatever the current version is). There are two 15400 XL in one DC1 and 2 in DC2. The 4 are all clustered together for the VSS. The 192.168.xxx.xx is checkpoint's "internal switch" address. My question is should I be seeing these messages sent to the switchport that is connected to the firewall? The port that is connected to the firewall from the Nexus is for multicast traffic. I did a packet capture in our QA environment which is a mirror of our production with the exception of there are only 2 15400 XL and I don't see these messages below. Is this a mis- configuration of the Firewall High Availability being sent to the Nexus connecting port? 

 

2019-07-10 15:34:26.154998 0.0.0.0 -> 192.168.xxx.xx CPHA CPHAv3223: FWHA_MY_STATE
2019-07-10 15:34:26.155007 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155010 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155013 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2019-07-14 10:26 PM

Check Point's sync traffic is multicast by default.
While the actual connection sync data goes over the sync network, probes do go out over each connected interface.
This is to verify cluster members can reach each other on every interface.
I haven't seen what this traffic looks like in R80.30 to verify what you're seeing is correct.
0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-16 04:44 PM
In response to PhoneBoy

Just to correct myself, R80.20 and above, the default sync traffic is unicast, not multicast.
CCP packets should appear on all "clustered" interfaces.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-16 10:25 PM
In response to PhoneBoy

The default is indeed Unicast for this traffic, unless the gateways were upgraded, then the previous state is just copied and left alone.
Regards, Maarten
0 Kudos
Jamesbondjr007x
Explorer
‎2019-07-17 12:15 PM
In response to PhoneBoy

I want to thank you for the responses. My question was is not if its unicast or multicast. It was if what I pasted in the original posting is what should be occuring on connected interfaces to the firewall. As I stated I do not see that in our QA environment with the same code and chassis.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-18 01:08 AM
In response to Jamesbondjr007x

CCP packets should be appearing on all "Clustered" interfaces, as I said previously.
If you're not seeing them, it's because the configuration of the Cluster object is different with respect to the interfaces in your QA environment.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events