kmpez

asked on

Traffic randomly is not passing through Checkpoint Firewall Cluster

We have a configuration of two Checkpoint Firewalls configured in ClusterXL Unicast mode, using two Sun V245 servers.
The issue we have is that, at no specific intervals or periods, the non-pivot cluster member stops passing traffic (we have mainly observed it on HTTP and HTTPS, but it could affect additional protocols).
The problem seems not to be related to load or the connections limit, since it is happening even when the firewalls are under low utilization.
We have tried the following:
changed the pivot cluster member: the issue continued to happen on the non-pivot member
performed cpstop on the non-pivot member: the issue happened on the pivot member
After a lot of searching we have identified the following:
Running fw monitor, we have observed that the traffic does not pass through all four stages (i, I, o and O) but instead is seen only at the first stage (i). When we don't have the issue, the traffic is always seen passing through all four stages in fw monitor.
A similar case was mentioned in this link:
http://www.cpug.org/forums/nokia-ipso/6803-nokia-ipso-4-1-build-40-ngx-r65-hfa_02-a.html
but no solution is recorded.
Any help would be much appreciated.
grimkin

If you run fw monitor with the "-p all" switch then you will get all stages, not just i, I, o and O; you can then map these against the specific chain positions for your machine (which you can identify with the "fw ctl chain" command).

This may throw a bit of light on exactly where they are failing, as you can see which module it is stopping at; e.g. if your packets don't get past i3 then you would look for problems with VPN decryption. An example chain looks like:

in chain (11):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 2000000 (a0e4cf80) vpn decrypt (vpn)
      2: - 1fffff8 (a0e50d54) l2tp inbound (l2tp)
      3: - 1fffff6 (a097488c) Stateless verifications (asm)
      4: - 1fffff0 (a0e4ca90) vpn decrypt verify (vpn_ver)
      5: - 1000000 (a098a66c) SecureXL conn sync (secxl_sync)
      6:         0 (a093eae8) fw VM inbound  (fw)
      7:   2000000 (a0e4dfe0) vpn policy inbound (vpn_pol)
      8:  10000000 (a098a800) SecureXL inbound (secxl)
      9:  7f600000 (a096f950) fw SCV inbound (scv)
      10:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
out chain (9):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 1ffffff (a0e4c99c) vpn nat outbound (vpn_nat)
      2: - 1f00000 (a097488c) Stateless verifications (asm)
      3:         0 (a093eae8) fw VM outbound (fw)
      4:   2000000 (a0e4db70) vpn policy outbound (vpn_pol)
      5:  10000000 (a098a800) SecureXL outbound (secxl)
      6:  1ffffff0 (a0e512fc) l2tp outbound (l2tp)
      7:  20000000 (a0e4d494) vpn encrypt (vpn)
      8:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
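To turn the advice above into a repeatable check, here is an added example (mine, not code from the thread or from Check Point) that parses the `fw ctl chain` output posted above and, given the highest `-p all` inspection point at which a packet was still visible, names the module it last cleared and the one that most likely dropped it. It assumes that inspection point N in the `-p all` output is the hook right after chain module N, so a packet seen at N but never at N+1 was swallowed by module N+1; the chain text embedded in the block is the one posted above, reused as constructed sample input.

```python
"""Map "last seen at chain point N" from `fw monitor -p all` to the module in
`fw ctl chain` that apparently dropped the packet.

Added example, not from the thread or from Check Point. ASSUMPTION: point N in
`-p all` output sits just after chain module N, so a packet seen at N but never
at N+1 was dropped by module N+1.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `fw ctl chain` output from the post above.
CHAIN_OUTPUT = """\
in chain (11):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 2000000 (a0e4cf80) vpn decrypt (vpn)
      2: - 1fffff8 (a0e50d54) l2tp inbound (l2tp)
      3: - 1fffff6 (a097488c) Stateless verifications (asm)
      4: - 1fffff0 (a0e4ca90) vpn decrypt verify (vpn_ver)
      5: - 1000000 (a098a66c) SecureXL conn sync (secxl_sync)
      6:         0 (a093eae8) fw VM inbound  (fw)
      7:   2000000 (a0e4dfe0) vpn policy inbound (vpn_pol)
      8:  10000000 (a098a800) SecureXL inbound (secxl)
      9:  7f600000 (a096f950) fw SCV inbound (scv)
      10:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
out chain (9):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 1ffffff (a0e4c99c) vpn nat outbound (vpn_nat)
      2: - 1f00000 (a097488c) Stateless verifications (asm)
      3:         0 (a093eae8) fw VM outbound (fw)
      4:   2000000 (a0e4db70) vpn policy outbound (vpn_pol)
      5:  10000000 (a098a800) SecureXL outbound (secxl)
      6:  1ffffff0 (a0e512fc) l2tp outbound (l2tp)
      7:  20000000 (a0e4d494) vpn encrypt (vpn)
      8:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
"""

Module = Tuple[int, int, str, str]  # (position, priority, name, tag)
Chains = Dict[str, List[Module]]

HEADER_RE = re.compile(r"^(in|out) chain \((\d+)\):")
ENTRY_RE = re.compile(
    r"^\s*(\d+):\s*(-?\s*[0-9a-f]+)\s+\(([0-9a-f]+)\)\s+(.+?)\s+\((\w+)\)\s*$"
)


def parse_chain(text: str) -> Chains:
    """Parse `fw ctl chain` text into {'in': [...], 'out': [...]}."""
    chains: Chains = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            pos = int(entry.group(1))
            # The priority column may carry a space after the minus ("- 2000000").
            prio = int(entry.group(2).replace(" ", ""), 16)
            chains[current].append((pos, prio, entry.group(4), entry.group(5)))
    for direction, modules in chains.items():
        # Sanity checks: positions dense, priorities ascending; otherwise the
        # output was truncated or pasted from a different box.
        if [m[0] for m in modules] != list(range(len(modules))):
            raise ValueError(f"{direction} chain has gaps in its positions")
        if any(a[1] > b[1] for a, b in zip(modules, modules[1:])):
            raise ValueError(f"{direction} chain priorities are not ascending")
    return chains


def locate_stall(chains: Chains, direction: str, last_seen: int) -> Dict[str, Optional[str]]:
    """Name the module a packet last cleared and the one that likely dropped it.

    `last_seen` is the highest point (iN or oN) at which `fw monitor -p all`
    still showed the packet. ASSUMPTION: point N sits after module N.
    """
    by_pos = {pos: f"{name} ({tag})" for pos, _, name, tag in chains[direction]}
    if last_seen not in by_pos:
        raise ValueError(f"no position {last_seen} in {direction} chain")
    return {
        "direction": direction,
        "last_passed": by_pos[last_seen],
        # None: the packet cleared the whole chain, so look at routing or at
        # the opposite-direction chain rather than at a module here.
        "suspect": by_pos.get(last_seen + 1),
    }


if __name__ == "__main__":
    chains = parse_chain(CHAIN_OUTPUT)
    print(locate_stall(chains, "in", 3))  # grimkin's "never gets past i3" case
    # Default-mode symptom from the question (seen at 'i', never at 'I'): the
    # packet reached the fw VM inbound at position 6 and did not leave it.
    print(locate_stall(chains, "in", 5))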
yurisk

Do you have, by chance, URL filtering enabled on this box?
Not specific to clusters, but I have had a client where all of a sudden http/https browsing stopped
completely, no errors in Tracker, no nothing. And in fw monitor exactly the same: traffic comes to the FW
but then mysteriously disappears. The moment I disabled URL filtering all returned to normal.
As the client wasn't interested in debugging it further I left it as it was.
PS: Since then the first thing I do when debugging weird problems on a box with Messaging Security
is turn it off, then goes the normal debug...
kmpez

ASKER

Dear grimkin,
this is the next debugging we have scheduled to do when the issue reappears.
In fact I plan to use "fw monitor -pi pos" in order to limit firewall resource usage, because all these systems are critical.
If I don't get the information I want I might increase the debugging level.

Dear yurisk,
can you be more specific? We have completely disabled SmartDefense on the cluster. Are you aware of any URL filtering configuration on the Checkpoint Firewalls? If yes, how is it configured? If you have in mind a third-party plugin, then this is not the case, since no third-party plugins are installed on the clusters. In addition we are not sure if the blocked traffic is only http/https.

Thank you for your replies.
I am very much interested to know if anyone else has faced similar issues with Checkpoint Firewalls and what was the solution.
Regards,
yurisk

The URL filtering I am referring to is found in SmartDashboard under the tab Content Inspection;
if you don't have such a tab you don't have this filtering. Messaging Security (Antispam/Antivirus/etc.) is a (relatively) new add-on from Checkpoint themselves to R65 (an update you have to apply to R65), so if you didn't do it, it should not bother you. SmartDefense is something different and not connected to it.

ASKER

Dear yurisk,
the Web Filtering policy is on, but it is not enforced on any gateway. The message displayed next to the Enforcing Gateways button is:
Note: No gateways are currently enforcing the Web Filtering policy.
and of course no Gateways are selected in the Web Filtering Enforcing Gateways.
The strange thing is that the Solaris Checkpoint Cluster is not displayed in the list of Gateways that can enforce this policy (instead only the SPLAT clusters are displayed).
Anyway this does not seem to be related in any way.
Thanks for your concern.
Regards.
ASKER CERTIFIED SOLUTION
kmpez
