This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
Advisor
Advisor
‎2022-02-04 08:11 AM

connection table questions

Hi,

This has been a crazy week.   We had two customers (both on the same subnet)  that couldn't get to their web page behind the Check Point firewall R81 JHF 36.  Externally, we couldn't get to the web server, internally we could.  Anyone who came in externally could NOT get to the site.  We all tried from home.    In the logs, I noticed some SYN-ACK outbound drop from the private IP of the server to whatever external IP was trying to hit at the time.   I ended up with 'fwaccl off' .   to get things working again, actually on 2 sites in the same subnet.   Is it possible the connection table was stuck on the NAT routable IP that's why outbound traffic was stuck and not internal?    I'm trying to guess as to what reasons could cause this and explain it to the customer.  And to keep it from happening again.   Next time I plan to clear the connection of the IPs having trouble and keeping 'fwaccl on'.

0 Kudos
4 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2022-02-04 10:28 AM

Hi @Daniel_Kavan,

Could you  provide a "fw monitor" of the affected connection?

In an emergency situation, I would disable SecureXL for certain IP addresses only.
Disable SecureXL for specific IP addresse:

sk104468 - How to disable SecureXL for specific IP addresses

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Daniel_Kavan
Advisor
Advisor
‎2022-02-04 10:36 AM
In response to HeikoAnkenbrand

No, I don't have a fw monitor capture.

 

In theory though if your web server has a private IP and a static NAT, will the outbound connection in the connection table be on the public (static NAT) IP?  I'm trying to explain in theory how we were able to access the server internally, but from external no one that tried to access it could see it.   It was dropping us all, until fwaccel off, even new connections all of us coming from unique public IPs.

 

0 Kudos
Daniel_Kavan
Advisor
Advisor
‎2022-02-04 11:01 AM
In response to Daniel_Kavan

Also, what can cause a connection to get stuck in the acceleration table?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-02-05 06:50 AM

When you say internal users could get to the web server, were they going to the server's real internal address or the outside NAT address?  If the internal address that is very different from trying to hit the NAT address from the inside.

If your web server initiates a connection it will use its own static NAT address for that by default and no Hide NAT rules will be used if you employed Automatic NAT setup.

Once the first packet of a new connection is received and accepted, the needed NAT rule(s) are matched and the NATting for that connection cannot change even if the relevant NAT configuration is modified and policy reinstalled.  New connections will of course use the new NAT configuration, I think this is part of what happened to you.  My guess is that Accept and NAT templates were formed in SecureXL for some kind of prior incorrect NAT configuration for the webserver and the inbound traffic to your web server had minimal inspection so it was fully accelerated by SecureXL and still using the incorrect configuration.  Your outbound traffic was probably subject to more inspection (APCL/URLF, TP, etc.) and either Accept templates could not be formed or the traffic could not be fully accelerated for some other reason so it hit the updated rule config in F2F and worked.

When you ran fwaccel off Accept/NAT templates were disabled and any new inbound connections then ran through the updated NAT rule base and started working.  However keep in mind that when you run fwaccel off in R80.20+ it only applies to NEW connections; similar to the situation I mentioned above involving NAT rules existing connections will continue to be handled by SecureXL. 

This is particularly problematic with web browsers who love to keep speculative connections open to web servers you have visited recently, and are not opening actual new connections when you refresh that will be subject to your new configuration or bypass SecureXL.  When testing something like this, always be sure to close all browser windows (or better yet switch to a completely different browser type) to ensure all speculative connections are closed as this can cause some really flaky-looking behavior.

 

 

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events