Solved

Traffic randomly is not passing through Checkpoint Firewall Cluster

Posted on 2008-10-14
1,887 Views
Last Modified: 2013-11-16
We have a configuration of two Checkpoint Firewalls configured in ClusterXL Unicast mode, using two Sun V245 servers.
The issue we have is that at no specific intervals or periods, the non-pivot cluster member stops passing traffic (we have mainly observed it on http & https, but it could be additional protocols).
The problem seems not to be related to load or connection limits, since it is happening even when the firewalls are under low utilization.
We have tried the following:
- changing the pivot cluster member: the issue continued to happen with the non-pivot member
- performing cpstop on the non-pivot member: the issue happened on the pivot member
After a lot of searching we have identified the following:
Running fw monitor we have observed that the traffic does not pass through all four stages (i, I, o and O) but instead is seen only on the first stage (i). When we don't have that issue the traffic is always seen passing through all four stages in fw monitor.
A similar case was mentioned in this link:
http://www.cpug.org/forums/nokia-ipso/6803-nokia-ipso-4-1-build-40-ngx-r65-hfa_02-a.html
but no solution is recorded.
Any help would be much appreciated.
0
Comment
Question by:kmpez
6 Comments
 
LVL 14

Expert Comment

by:grimkin
ID: 22715934
If you run fw monitor with the "-p all" switch then you will get all stages, not just i, I, o and O - you can then map these against the specific stages for your machine (which you can identify using the "fw ctl chain" command).

This may throw a bit of light on exactly where they are failing as you can see which module it is stopping at, e.g. if your packets don't get past i3 then you would look for problems with vpn decryption. An example chain looks like:

in chain (11):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 2000000 (a0e4cf80) vpn decrypt (vpn)
      2: - 1fffff8 (a0e50d54) l2tp inbound (l2tp)
      3: - 1fffff6 (a097488c) Stateless verifications (asm)
      4: - 1fffff0 (a0e4ca90) vpn decrypt verify (vpn_ver)
      5: - 1000000 (a098a66c) SecureXL conn sync (secxl_sync)
      6:         0 (a093eae8) fw VM inbound  (fw)
      7:   2000000 (a0e4dfe0) vpn policy inbound (vpn_pol)
      8:  10000000 (a098a800) SecureXL inbound (secxl)
      9:  7f600000 (a096f950) fw SCV inbound (scv)
      10:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
out chain (9):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 1ffffff (a0e4c99c) vpn nat outbound (vpn_nat)
      2: - 1f00000 (a097488c) Stateless verifications (asm)
      3:         0 (a093eae8) fw VM outbound (fw)
      4:   2000000 (a0e4db70) vpn policy outbound (vpn_pol)
      5:  10000000 (a098a800) SecureXL outbound (secxl)
      6:  1ffffff0 (a0e512fc) l2tp outbound (l2tp)
      7:  20000000 (a0e4d494) vpn encrypt (vpn)
      8:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
0
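The mapping grimkin describes (fw monitor inspection points against fw ctl chain positions) can be automated. The following is an added example, not code from the original thread or from Check Point: it parses the chain listing quoted above and, given the inspection points captured for one packet, names the modules to examine. It assumes that "fw monitor -p all" numbers its points by chain position; whether a point sits before or after its module varies, so both neighbours are returned.

```python
import re

# Constructed sample: the inbound half of the "fw ctl chain" listing quoted in
# the answer above (an "out chain" block parses the same way).
CHAIN_OUTPUT = """\
in chain (11):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 2000000 (a0e4cf80) vpn decrypt (vpn)
      2: - 1fffff8 (a0e50d54) l2tp inbound (l2tp)
      3: - 1fffff6 (a097488c) Stateless verifications (asm)
      4: - 1fffff0 (a0e4ca90) vpn decrypt verify (vpn_ver)
      5: - 1000000 (a098a66c) SecureXL conn sync (secxl_sync)
      6:         0 (a093eae8) fw VM inbound  (fw)
      7:   2000000 (a0e4dfe0) vpn policy inbound (vpn_pol)
      8:  10000000 (a098a800) SecureXL inbound (secxl)
      9:  7f600000 (a096f950) fw SCV inbound (scv)
      10:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
"""

HEADER_RE = re.compile(r"^(in|out) chain \(\d+\):")
# position: priority (handle) description (module)  -- priority may be "- 2000000"
ENTRY_RE = re.compile(
    r"^\s*(\d+):\s*-?\s*[0-9a-f]+\s*\([0-9a-f]+\)\s*(.+?)\s*\((\w+)\)\s*$")

def parse_chain(text):
    """Map 'in'/'out' to an ordered list of (position, description, module)."""
    chains, current = {}, None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            current = chains.setdefault(head.group(1), [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            current.append((int(entry.group(1)), entry.group(2), entry.group(3)))
    return chains

def drop_candidates(chain, seen_points):
    """seen_points: inspection points captured by 'fw monitor -p all' for one
    packet in one direction, e.g. {'i0', 'i1', 'i2', 'i3'}.  Returns the last
    captured position and the modules to examine: the one at that position
    (if your build captures before a module) and the next one (if after).
    Assumption: point numbers equal chain positions; verify on your build."""
    positions = [int(p[1:]) for p in seen_points]
    if not positions:
        return None, []  # nothing captured: the packet never entered this chain
    last = max(positions)
    by_pos = {pos: module for pos, _desc, module in chain}
    return last, [by_pos[p] for p in (last, last + 1) if p in by_pos]
```

With the default four points, "i" sits before position 6 (fw VM inbound) and "I" after it, so a packet seen only at "i" points at that module and its immediate predecessors in the same way.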
 
LVL 4

Expert Comment

by:yurisk
ID: 22716574
Do you have, by chance, URL filtering enabled on this box?
Not specific to Cluster, but I have had a client where all of a sudden http/https browsing stopped
completely, no errors in Tracker, nothing. And in fw monitor exactly the same - traffic comes to the FW
but then mysteriously disappears. The moment I disabled URL filtering all returned to normal.
As the client wasn't interested in debugging it further I left it as it was.
PS Since then the first thing I do when debugging weird problems on a box with Messaging Security
is turn it off, then goes the normal debug...
0
 

Author Comment

by:kmpez
ID: 22717732
Dear grimkin,
this is the next debugging we have scheduled to do when the issue reappears.
In fact I plan on using "fw monitor -pi pos" in order to limit firewall resource usage, because all these systems are critical.
If I don't get the information I want I might increase the debugging level.

Dear yurisk,
can you be more specific? We have completely disabled the SmartDefense on the cluster. Are you aware of any URL_filtering configuration on the Checkpoint Firewalls? If yes, how is it configured? If you have in mind a third party plugin, then this is not the case, since no third party plugins are installed on the clusters. In addition we are not sure if the blocked traffic is only http/https.

Thank you for your replies.
I am very much interested to know if anyone else has faced similar issues with Checkpoint Firewalls and what was the solution.
Regards,
0
 
LVL 4

Expert Comment

by:yurisk
ID: 22728666
The URL filtering I am referring to is found in SmartDashboard under the tab Content Inspection -
if you don't have such a tab you don't have this filtering. Messaging security (Antispam/Antivirus/etc) is a (relatively) new add-on from Checkpoint themselves to R65 (an update you have to apply to R65), so if you didn't do it it should not bother you. SmartDefense is something different and not connected to it.
0
 

Author Comment

by:kmpez
ID: 22730328
Dear yurisk,
the Web Filtering policy is on, but it is not enforced on any gateway. The message displayed next to the Enforcing Gateways button is:
Note: No gateways are currently enforcing the Web Filtering policy.
and of course no Gateways are selected in the Web Filtering Enforcing Gateways.
The strange thing is that the Solaris Checkpoint Cluster is not displayed in the list of Gateways that can enforce this policy (instead only the SPLAT clusters are displayed).
Anyway this does not seem to be related in any way.
Thanks for your concern.
Regards.
0
 

Accepted Solution

by:
kmpez earned 0 total points
ID: 22757398
Dear grimkin,
using "fw monitor -p all" (even with the addition of an "-e" statement, in order to filter the traffic monitored) the firewall becomes unresponsive and nothing is displayed in the ssh window or captured in a file.
We definitely need a less resource intensive way in order to identify what is failing in our case.
Thanks.
Regards.
0
