Hi All,
I need some help with fw monitor output. (R80.20 gaia T47)
Our GRE/SIP communication doesn't work, and as you can see below, the last captured packet was stopped in pre-outbound (o4) chain position. It is the tunnel-inside traffic.
We have bidirectional rules between peers without NAT.
Could you please somebody explain what caused this behavior?
Here is also the relevant wireshark capture:
There are many articles/ cheat sheets ,etc. about how fw monitor is working, but i cant find any information about the output interpretation...
in chain (14):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8a32c9b0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8a32c4d0) (00000001) fw multik misc proto forwarding
5: - 1fffff5 (ffffffff8a3e2ec0) (00000001) fw early SIP NAT (sipnat)
6: 0 (ffffffff8a48cc10) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8a32efd0) (00000001) fw SCV inbound (scv)
8: 5 (ffffffff8a21a4d0) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8a47eca0) (00000001) fw post VM inbound (post_vm)
10: 7f730000 (ffffffff89ffc520) (00000001) passive streaming (in) (pass_str)
11: 7f750000 (ffffffff89c8c7d0) (00000001) TCP streaming (in) (cpas)
12: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (in) (ipopt_res)
13: 7fb00000 (ffffffff89628750) (00000001) Cluster Late Correction (ha_for)
out chain (11):
0: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff89c76dd0) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff89ffc520) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8a32c9b0) (00000001) Stateless verifications (out) (asm)
4: 0 (ffffffff8a48cc10) (00000001) fw VM outbound (fw)
5: 10 (ffffffff8a47eca0) (00000001) fw post VM outbound (post_vm)
6: 18000000 (ffffffff89f28210) (00000001) fw record data outbound
7: 7f700000 (ffffffff89c8b2f0) (00000001) TCP streaming post VM (cpas)
8: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (out) (ipopt_res)
9: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
10: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)
**********
outside traffic:
[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond2.654:I14 (Chain End)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203
*********************outside traffic was stopped in 04 position
inside traffic:
[vs_0][fw_2] bond1.509:i2 (IP Options Strip (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958
[vs_0][fw_2] bond1.509:i3 (Stateless verifications (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958
[vs_0][fw_2] bond1.509:i4 (fw multik misc proto forwarding)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958
[vs_0][fw_2] bond1.509:i5 (fw early SIP NAT)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958
[vs_0][fw_2] bond1.509:i6 (fw VM inbound )[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958
[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond2.654:I14 (Chain End)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204
Many thanks,
Norbert
| User | Count |
|---|---|
| 29 | |
| 22 | |
| 19 | |
| 12 | |
| 11 | |
| 9 | |
| 9 | |
| 8 | |
| 6 | |
| 6 |
Mon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopTue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsMon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management Workshop
