Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
buridango
Explorer
Jump to solution

No access to Internet

Hello, Everyone!

 

I have an issue with Check Point Security Gateway R80.10. Clients cannot access Internet resources (for example http/https web-pages), though they can ping External IPs and DNS (8.8.8.8 and google.com). I have default access policy as accept all, threat prevention policy is disabled, Automatic NAT. Looking for help to resolve this issue. For http/https traffic log shows accept, check screenshots below, thanks in advance.

 

1.JPG2.JPG3.JPG4.JPG

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion

If ping works but nothing else, it usually means other traffic is being denied by your APCL/URLF layer.  Ping is not an application (and need only match a rule in the Network/Firewall policy layer) but practically everything else including DNS is.  Click the Matched Rules tab on your log card.

Beyond that run fw ctl zdebug drop and try to pass some traffic.  If you don't see a drop in that output it is a routing (or possibly NAT) issue of some kind.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
7 Replies
Timothy_Hall
Champion
Champion

If ping works but nothing else, it usually means other traffic is being denied by your APCL/URLF layer.  Ping is not an application (and need only match a rule in the Network/Firewall policy layer) but practically everything else including DNS is.  Click the Matched Rules tab on your log card.

Beyond that run fw ctl zdebug drop and try to pass some traffic.  If you don't see a drop in that output it is a routing (or possibly NAT) issue of some kind.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Maarten_Sjouw
Champion
Champion

Or a little bit more important they cannot do DNS... try to ping www.google.com and see if it resolves.

Regards, Maarten
0 Kudos
buridango
Explorer

Thanks for Reply.

 

As I mentioned earlier, icmp available by IP and DNS, so this is not a problem.

0 Kudos
buridango
Explorer

Thanks for Reply, Timothy

I issued command fw ctl zdebug drop and there drops fom one address subnet I don't have:


;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10400 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10401 -> 108.177.14.101:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10399 -> 162.159.129.233:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10400 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10402 -> 35.186.224.47:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 178.34.109.191:10396 -> 173.194.73.95:443 dropped by cphwd_offload_connkey Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;
Defaulting all kernel debugging options

 

Here tab matched rules

5.JPG

0 Kudos
buridango
Explorer

Okay, I found solution. I have PPPoE and Checkpoint has something called SecureXL wich is in conflict, I disabled and everything is working now.

0 Kudos
PhoneBoy
Admin
Admin

In R80.20+, disabling SecureXL isn’t required.
More specifically, SecureXL will automatically not accelerate PPPoE interfaces without requiring you to disable SecureXL entirely.

0 Kudos
_Val_
Admin
Admin

In fact, you cannot completely disable SXL in R80.20+ anymore

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events