Question

Trying to determined real source IP behind NAT on Checkpoint R65 Platform

Asked by: SeeMeShakinMyHead

I have 2 checkpoint R65 running in HA mode.  Normally, our firewall logs 20MB of logs in about 4-5 hours.  Lately, something has been performing ICMP requests at such a large number, that it writes a new log every 60-70 seconds.  This also triggers the non-TCP session quota (currently set at 50%) and starts blocking legitimate traffic as well.  When I look at the logs, something is natting behind the firewall performing these ICMP requests against various IP's and subnets (some don't even exist anymore).  The source IP is hidden behind the NAT, so I can't see what is the real source IP to then get to the root cause.  When I do a tcpdump -i eth4 | grep ICMP, I see the traffic, but I still only see the NAT'ed IP of the FW.  How can I find the real source IP?  By the way, I also have hundreds of networks and hosts defined on the firewall, so looking through them is like finding a needle in a haystack.  I would like to see if there is a way I can look at the NAT table at a given point.  Please advice.  If you need any questions asked to assist further, I will respond very quickly.  Thanks in advance for everyone's help.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-08-11 at 02:50:10ID24642518
Tags

checkpoint firewall NAT

,

R65

Topics

Checkpoint Firewall

,

Linux Networking

,

Consumer Firewalls

Participating Experts
2
Points
500
Comments
7

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Checkpoint NAT issue
    I have a Checkpoint NG fwall and another trusted site is attempting to communicate with one of my internal servers over the internet. The internal server's internal IP 192.168.1.2 is natted to an internet IP. When a tracert is performed from the trusted site to the server's i...
  2. NAT not working with Checkpoint
    Hello I am trying to get NAT working with Checkpoint and having no luck at all. This is on a test setup. Here is the scenario: client1 192.168.215.55 client2 192.168.1.50 firewall 192.168.215.80 and 192.168.1.147 All I am trying to do is ping from client1 to client 2 goin...
  3. Checkpoint FW NGX
    Hello all I have been tasked with the setup of a new checkpoint FW NGX in a VMware enviroment. The FW was install and the IP address is 10.56.1.220 We currently had a working FW, but the plan is to move the rule base to the new VMware FW. I can connect to the VMware FW no pro...
  4. checkpoint
    hi we are running checkpoint firewall and ISA. i want to allow my laptop to access the internet directly through the firewall and not use ISA. i have added my pc to a group on the firewall that has unlimited access and initialised the database but its still not working . any...
  5. What is different between static and hide mode in checkpoi…
    How can I determin using "hide" mode or "static" mode in CheckPoint firewall using NAT function.
  6. Checkpoint firewall DNS queries through NAT
    I have looked at these sites https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32145&js_peid=P-114a7ba5fd7-10001&partition=null&product=VPN-1 My question is can Checkpoint firewalls do DNS rewrite lik...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: deimarkPosted on 2009-08-11 at 08:25:46ID: 25070135

1st of all, in smartview tracker, enable the following fields in the logs:

Go to "view > query properties"
Scroll down and select "XlateDst" and XlateSrc"
Review the logs and view more info to see if the nat info is there.

If logging is caising the issue at the mo, double check to see if the lgos are created from a specific rule, if there is, then disable logging TEMPORARILY!  If its an implied rule, then turn off logging for implied rules.

The amin point is to find out who is doing this nastyness and stop them.

 

by: SeeMeShakinMyHeadPosted on 2009-08-11 at 08:31:16ID: 25070197

That's my main goal.  I'll try that and report back.

 

by: BMPTSPosted on 2009-08-11 at 20:31:18ID: 25075552

you should be able to see it in tracker, under the record XlateDst" and XlateSrc".  you can always use the "they will call method" block them from * and see who calls and says their sutuff is broken.

 

by: SeeMeShakinMyHeadPosted on 2009-08-12 at 04:18:57ID: 25077488

OK, thanks for your help so far.  I found out what was happening, and it's not good. Currently, we use BGP for our MPLS sites.  In the diagram, I have listed 3 remote sites with fictitous IP ranges (to protect the innocent) and local IPs for the main site and DMZ.  ON the firewall, I have routes to all the remote MPLS sites to route through the PIP router.  On the PIP router, there are BGP routes to all remote sites with a default gw to the firewall (for Internet access mostly).  Here's the dilema - if a BGP site goes down, that route is removed from the PIP routers and the traffic then gw's to the firewall.  Then, the firewall tries to reroute the traffic back to the PIP router and there goes the loop.  If I do a tracert to the remote site that is down, I see the traffic go to the PIP router, then to the firewall and then it dies.  If I ping the downed site, I don't get replies back.  However, while I am pinging, if I do a tcpdump - i eth4 | grep remote site IP, I get thousands of ICMP requests per second.  This, of course, starts to fill up the non-TCP connection table there goes my problem.  How on the checkpoint, can I suppress this.  Here's the catch, I can't do too much modification to this site's architecture since it's moving soon and is in shambles already - I recently inherited this architecture, so don't laugh, I didn't design it.  I am an intermediate pro at the checkpoint, so I am looking for some checkpoint expert help here.  

 

by: deimarkPosted on 2009-08-12 at 06:04:00ID: 25078264

Can you issue the following on the firewall?

fw ctl pstat

Also, under capacity optimisation on the firewall in dashboard, what is the connections table size set to?

I think the main issue is routing and not CP at this point bud but as you said, you are limited to what you can do with the architecture for now, so we will see what we can do at the CP level

 

by: SeeMeShakinMyHeadPosted on 2009-08-12 at 16:23:19ID: 25084111

The connection table for non-TCP connections is set to 80% now, it was 50%.  I hope my stripped down version of my network has helped so far.  I am sorry I haven't gotten back sooner, its been mayhem here today - Meetings and more meeting.  I will issue the fw command tomorrow and report back.  I am hoping that there is some mechanism on the CP that can stop this storm from happening.  I will also send my  tcpdump of the storm, but will have to replace the IP's with the fictitious ones as before; but will keep them congruent with my diagram.  Talk to you all tomorrow.

 

by: SeeMeShakinMyHeadPosted on 2009-08-18 at 03:52:55ID: 31614124

Since this answer did solve the first part of my dilema and did indeed answer my initial question, I am closing this question and awarding points.  The problem is checkpoint related and they are working on a solution at checkpoint engineering.  Thanks for the quick response!

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...