This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2024-07-11 02:55 AM
Jump to solution

weird behaviour

Hi

I'm curious about the routing logic for this traffic. Can you take a look at the attached image? There appear to be three green logs relevant to the issue.

 
 

log12.JPG

I wonder why the traffic would be sent like that (not inside tunnel) !

the first: accept by network rule and URL rule.

accept-log.JPG

the second: accept by network rule but URL, CPNotEnoughDataForRuleMatch!

accept-log2.JPG

the third: same as the second, and then it does as it configured to do through tunnel!

10.80.91 is an internal server in central office 192.168.3.11 is a printer in branch office

Why is that happening?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-07-11 10:12 AM
Jump to solution

The CPNotEnoughDataForRuleMatch log suggests the first "Possible Match" rule in your URL and App Policy involves App Control.
This message pops up because the connection terminated before the system could identify what application it was.
I would strongly suggest adding a rule at/near the top that allows the required traffic only by a simple TCP service.

View solution in original post

0 Kudos
9 Replies
Lesley
Mentor Mentor
Mentor
‎2024-07-11 03:48 AM
Jump to solution

Both tcp ports do not work 9090 and 9091? Does any traffic work at all between 10.80.91 and 192.168.3.11?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Moudar
Advisor
‎2024-07-11 04:29 AM
In response to Lesley
Jump to solution

Some traffic is going between these, print server and a printer. Server is trying to add the printer but fails!

How do you see that these ports do not work?

I could find these logs:

log4.JPG

0 Kudos
Moudar
Advisor
‎2024-07-11 05:52 AM
In response to the_rock
Jump to solution

So, if i suspect ra routing loop, how to investiagte that?

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-07-11 05:54 AM
In response to Moudar
Jump to solution

tcpdump is the friend you need in this case 🙂 

Or check routing table of fw, and check routing table of next hop. Compare them.

If they point the network to each other you have loop. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
‎2024-07-11 05:58 AM
In response to Moudar
Jump to solution

tcpdump, fw monitor

My colleague made this site ages ago, its super helpful.

Andy

https://tcpdump101.com/

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-11 10:12 AM
Jump to solution

The CPNotEnoughDataForRuleMatch log suggests the first "Possible Match" rule in your URL and App Policy involves App Control.
This message pops up because the connection terminated before the system could identify what application it was.
I would strongly suggest adding a rule at/near the top that allows the required traffic only by a simple TCP service.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-07-24 01:43 PM
In response to PhoneBoy
Jump to solution

What PhoneBoy suggested is the solution

I strongly suggest to use URLF/APPC blade only inside inline layers well organized

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-07-25 07:04 AM
In response to PhoneBoy
Jump to solution

Note that if you have a rule using an application object instead of a plain TCP service object, and you test the connection with telnet, netcat, Test-NetConnection, and so on, you will get this CPNotEnoughDataForRuleMatch "Connection terminated before the Security Gateway was able to make a decision" message. These tools don't send actual application traffic, so the firewall can't be sure the traffic actually is the application you have specified in the rule.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top