CheckMates forum: Products > Quantum > Security Gateways
icmp timeouts with PRB
Hi all,
I hesitate to ask this because I think this is quite elementary, but I need a bit of explanation.
I am testing how policy-based routing works in CP, wanting to make CP route packets to eth0 or eth2 according to what kind of packet it is.
The environment is as follows.
FortiGate has an allow-all policy, with no UTM activated.
GW1 and GW2 play the role of a ClusterXL cluster.
Here eth1 is in the trusted zone; eth0 and eth2 are untrusted.
The default route is set on eth0, and only HTTPS to the FGT's external IP (10.11.124.1) goes to eth2 by policy-based routing.
The test above was successful.
I then changed the routing policy so that only ICMP goes through eth2, which failed due to timeouts.
I am not experienced enough to understand what is happening.
I believe this is quite a basic networking topic, not a CP one...
I feel sorry to ask this stupid question, but your comments would be highly appreciated.
Saitoh
Accepted Solutions
Dear @Lesley , and @Chris_Atkinson ,
I solved the issue, which was a misconfiguration on the FortiGate; nothing was wrong with CP.
Thanks for your time, and input!
Saitoh
What are the source and destination IP addresses of your test traffic?
(Note: a limitation is that traffic originated from the gateway itself is not subject to PBR, per sk167135.)
Hi @Chris_Atkinson ,
Thanks for your comment.
I tested ICMP routing from the WindowsVM (10.31.10.1) to the FortiGate external IP (10.11.124.1).
I configured a PBR policy for CP to pick up only ICMP traffic from the WindowsVM to the FGT external IP and send it through eth2.
It goes through without any mishaps when I delete the PBR policy, so I assume PBR matters on this occasion.
Saitoh
Do you have something configured like
static-route {...} ping {off | on}?
The gateway can use ping to monitor gateways. Maybe this option influences your test with ping?
If you like this post please give a thumbs up(kudo)! 🙂
Hi @Lesley ,
Thanks for your comments.
I checked the monitored IPs settings in PBR, but no IP is set to be monitored.
When I deleted the PBR settings, ping succeeded, so some point in the PBR settings matters, as you mentioned, I guess.
Saitoh
No issues man, we are here to help. What do you see if you do a basic capture? Do the logs show anything?
Andy
Hi @the_rock ,
I appreciate your comments.
I captured packets at three points (the Windows vNIC, CP's eth1, and the FortiGate's internal interface), only to find the ICMP request from 10.31.10.1 (WindowsVM).
Your comment made me notice that I did not capture at the FortiGate's external interface.
I am going to do it and post the results.
CP's log tells me that it allows the ICMP request, but the ICMP reply is nowhere to be found.
Saitoh
I captured packets at 10.11.124.1 and found that the FGT actually replies with nothing, while it passes that packet from the receiving port to the destination port.
However, its debug log associated with routing shows that the FGT drops the reply packet during the route decision process.
Its policy is Src: Any, Dst: Any, Service: Any, Always, at the top, so there is no mistake in the policy hit.
I started to suspect I had misconfigured the FGT's static routing, which was as below.
To 10.31.10.0/25:
Gateway port2 (leading to CP's eth0), Distance 10
Gateway port3 (leading to CP's eth2), Distance 11
The port3 route is meant to be a passive route, even though I believe the route does not appear in the routing table.
I guessed this was not causing trouble because I thought that in the route decision, session existence came first.
I tried changing it so they have the same AD, and things started going right!
It looks like the kernel routing table should have an active route through port3.
I am relieved to know I misunderstood the FGT, not CP!
Many thanks for your help.
Saitoh
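The routing behaviour worked out in the post above, as an added example that is not part of the thread and is not Check Point or Fortinet code. It is a toy two-hop model: a gateway that steers matching flows out eth2 by a PBR rule and otherwise uses eth0, feeding a router that installs only the lowest-distance static route(s) for a prefix and applies a reverse-path check on the ingress interface. The prefix 10.31.10.0/25, the distances 10 and 11, the addresses, and the eth0→port2 / eth2→port3 pairing come from the thread; the "lowest distance wins, ties are ECMP" rule and the strict reverse-path check are my assumptions about generic router behaviour, not a description of FortiGate internals. It shows why, with distances 10 and 11, a ping arriving on port3 has no installed route back out port3, and why equal distances make port3 a valid return path.

```python
"""Toy model of CP PBR feeding a FortiGate-like router (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp", "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class PbrRule:
    src_net: str
    dst_net: str
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any port
    egress: str


# --- Check Point side: PBR rules are consulted before the default route ---
# The thread's second test: only ICMP from the VM to the FGT external IP goes out eth2.
PBR_RULES = [PbrRule("10.31.10.0/25", "10.11.124.1/32", "icmp", None, "eth2")]
CP_DEFAULT_EGRESS = "eth0"


def cp_egress(pkt: Packet, rules=PBR_RULES) -> str:
    """First matching PBR rule wins; otherwise the default route (eth0)."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src_net)
                and ip_address(pkt.dst) in ip_network(r.dst_net)
                and r.proto in (None, pkt.proto)
                and r.dport in (None, pkt.dport)):
            return r.egress
    return CP_DEFAULT_EGRESS


# Which FGT port each CP interface is cabled to (from the thread).
LINK = {"eth0": "port2", "eth2": "port3"}


# --- FortiGate-like side -------------------------------------------------
@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    interface: str
    distance: int


def install_routes(routes):
    """Forwarding table: per prefix, keep only the lowest-distance route(s).
    Equal distances are all installed (ECMP); a higher-distance backup is
    not installed and is invisible to lookups (assumed generic behaviour)."""
    fib, best = {}, {}
    for r in routes:
        if r.prefix not in best or r.distance < best[r.prefix]:
            best[r.prefix] = r.distance
            fib[r.prefix] = [r.interface]
        elif r.distance == best[r.prefix]:
            fib[r.prefix].append(r.interface)
    return fib


def lookup(fib, addr: str):
    """Longest-prefix match; returns the installed egress interfaces."""
    a = ip_address(addr)
    hits = [(ip_network(p), ifs) for p, ifs in fib.items() if a in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else []


def reverse_path_ok(fib, src: str, ingress: str) -> bool:
    """Strict reverse-path check (assumed): the source must be reachable
    back out the interface the packet arrived on."""
    return ingress in lookup(fib, src)


def trace(pkt: Packet, fgt_routes) -> dict:
    """Run one request through CP PBR, then the FGT's ingress checks."""
    cp_if = cp_egress(pkt)
    fgt_in = LINK[cp_if]
    fib = install_routes(fgt_routes)
    return {"cp_egress": cp_if,
            "fgt_ingress": fgt_in,
            "rpf_ok": reverse_path_ok(fib, pkt.src, fgt_in),
            "reply_via": lookup(fib, pkt.src)}  # where the FGT can send its reply


# Routes as the thread first had them (distance 10 vs 11) and after the fix.
ROUTES_BROKEN = [StaticRoute("10.31.10.0/25", "port2", 10),
                 StaticRoute("10.31.10.0/25", "port3", 11)]
ROUTES_FIXED = [StaticRoute("10.31.10.0/25", "port2", 10),
                StaticRoute("10.31.10.0/25", "port3", 10)]

PING = Packet("10.31.10.1", "10.11.124.1", "icmp")        # constructed test packet
HTTPS = Packet("10.31.10.1", "10.11.124.1", "tcp", 443)   # constructed test packet

if __name__ == "__main__":
    for name, routes in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        print(name, "ping  ->", trace(PING, routes))
        print(name, "https ->", trace(HTTPS, routes))
```

With the distance-11 route, `install_routes` keeps only port2, so the ping that PBR sends in via port3 fails the reverse-path check and the only reply path is port2; with equal distances both ports are installed and port3 is a valid return path. HTTPS, which the second PBR rule no longer matches, takes eth0 to port2 and passes in both cases. The model is stateless and says nothing about session handling, so it does not try to explain why the earlier HTTPS test behaved differently.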
Great job!
