Alex-
Advisor

Firewall 1590 SMB disconnected from Smart-1 Cloud after interface change

I have a new infrastructure setup on Smart-1 Cloud based on 1590 SMB firewalls. They have the standard topology of a WAN interface connected to the public IP space and a local interface with private addresses. They run R80.20.10.1433.

One of these firewalls was running a LAN interface whose subnet was decommissioned and as such shut down on the firewall.

As soon as this happened, the firewall got disconnected status in the Smart-1 Cloud Console and traffic would stop from the FW itself on the public interface, short of a "fw unloadlocal" obtained through SSH via one of the LAN interfaces. At that point I could see the firewall was reporting SIC trust when checking on the SMB Security Management page, but on the R80.40 cloud instance, the SIC was lost. When I reset it on both sides, the same behaviour would happen again at policy push (I removed the shut-down interface from the topology). The box was rebooted and even upgraded to R80.20.10.1491, but no luck either. A policy push would either time out or get into "suspended waiting for system to respond". Then when the policy got pushed after a fw unloadlocal, the SIC would be lost on the Smart-1 but shown as OK on the SMB.

Finally, because that was obviously impacting the customer, I had to think quickly and decided as a last resort to delete the object in the Infinity Portal and Smart-1 Cloud and recreate it in both, and there everything started to work again.

As I was in service restoration mode, I didn't have much time to get to the bottom of things. I did some local log checks and fw ctl zdebug drops, but since it's a new service I wonder if I should have done anything specific when removing a backend LAN interface? To be complete, I deactivated it on the web GUI of the SMB and it was completely on the private side; the WAN interface is running on its dedicated port and has the public IP directly.

1 Reply
Anat_Eytan-Davi
Employee Alumnus

Hi Alex,

Thank you for reaching out. I want RnD to have a look and advise if you should have done something differently.

Let's continue the investigation offline, and we will update the thread once we have a recommendation.

Thanks,

Anat.
