Hi
The customer's equipment was changed from SG23800 to SG6900 equipment.
Versions are R80.20 to R80.40.
And a 10Gbps add-on module is inserted.
- Line card 1 model: CPAC-4-10F-C
- Line card 1 type: 4 ports 1/10GbE SFP+ Rev 4.0
The customer company consists only of an external interface and an internal interface, and it is VRRP.
As for the issue, when Bypass mode is activated in the DDOS device above the Check Point firewall, the firewall will be in the following state.
FW_A, External Interface = Master / Internal Interface = Master
FW_B, External Interface = Backup / Internal Interface = Master
We tested the internal interface by directly connecting the firewall to each other, but the results were the same, and we also confirmed that the hello packet was sent normally.
However, an SG23800 was configured with R80.40 and tested with the same hotfix, but no symptoms occurred.
Also, when I test the UTP which is onboard on the SG6900, the symptoms do not occur.
I suspect it is a driver firmware issue that appears when an additional module is inserted into the SG6900 or quantum device.
Have you ever experienced or resolved the same symptoms as me?
Currently, I am in the process of opening a case.
PS. R80.40 has been tested from No Hotfix to the latest ongoing hotfix.
Please confirm the following...
* Which JHF version for R80.40?
* VLANs or Physical interfaces?
* Must configure firewall rule to accept VRRP packets sent from VRRP routers to multicast IP address 224.0.0.18.
* When using VRRP VMAC mode, both spanning tree and IGMP snooping must be disabled to avoid split brain.
Thank you for the reply.
However, we configured and tested the same internally,
and the interface at the bottom of the firewall was directly connected to each other, but the same problem occurred.
It doesn't appear to be a switch issue in my opinion.
I think this is an obvious bug.
Please report the case to TAC for assistance. Note that certain NIC card versions were only "supported" from JHF T139 GA, but this doesn't appear to apply in your case.
PRJ-26926, PMTR-69753 | Gaia OS | NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.
Hi
It might help you resolve this issue if you are using "VMAC mode: VRRP".
# ethtool --set-priv-flags ethX disable-source-pruning on
I also had a similar issue.
In my lab it occurred when I used the interface card "CPAC-4-10F-C" and the driver "i40e" and "VMAC mode: VRRP" on the interface card.
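A read-only check for the condition described in the last reply, added here as an example (not code from the thread or from Check Point): it reports whether an interface uses the i40e driver with the disable-source-pruning private flag off. The function names and both sample outputs are constructed for illustration; the live path assumes ethtool is installed.

```shell
#!/bin/sh
# Added example. Read-only: it inspects flags and never changes them.

# Constructed sample of `ethtool --show-priv-flags` output for an i40e port.
SAMPLE_FLAGS='Private flags for eth1:
MFP                    : off
legacy-rx              : off
disable-source-pruning : off'

# Constructed sample of `ethtool -i` output.
SAMPLE_INFO='driver: i40e
version: 0.0.0-sample
bus-info: 0000:00:00.0'

# priv_flag_state FLAG: read --show-priv-flags output on stdin and print
# "on", "off", or "absent" when the driver does not expose the flag.
priv_flag_state() {
    awk -v flag="$1" -F':' '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == flag { val = $2; gsub(/[ \t]/, "", val); print val; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# driver_name: read `ethtool -i` output on stdin and print the driver field.
driver_name() {
    awk -F': *' '$1 == "driver" { print $2; exit }'
}

# needs_pruning_fix DRIVER STATE: succeed only for i40e with the flag off.
needs_pruning_fix() {
    [ "$1" = "i40e" ] && [ "$2" = "off" ]
}

# check_iface IFACE: query a live interface and print a one-line verdict.
check_iface() {
    drv=$(ethtool -i "$1" 2>/dev/null | driver_name)
    st=$(ethtool --show-priv-flags "$1" 2>/dev/null |
        priv_flag_state disable-source-pruning)
    if needs_pruning_fix "$drv" "$st"; then
        echo "$1: i40e with disable-source-pruning off"
    else
        echo "$1: driver=${drv:-unknown} disable-source-pruning=$st"
    fi
}

# Live use: pass interface names as arguments, e.g. ./check.sh eth1 eth2
for i in "$@"; do check_iface "$i"; done
```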