Solved

Traffic randomly is not passing through Checkpoint Firewall Cluster

Posted on 2008-10-14
1,842 Views
Last Modified: 2013-11-16
We have a configuration of two Checkpoint Firewalls configured in ClusterXL Unicast mode, using two Sun V245 servers.
The issue we have is that at no specific intervals or periods, the not-pivot cluster member stops passing traffic (we have mainly observed it on http & https, but it could be additional protocols).
The problem seems not related to load or connection limits, since it is happening even when the firewalls are under low utilization.
We have tried the following:
change the pivot cluster member - the issue continued to happen with the not-pivot member
perform cpstop on the not-pivot member - the issue happened on the pivot member
After a lot of searching we have identified the following:
running fw monitor we have observed that the traffic does not pass through all four stages (i, I, o and O) but instead it is seen only on the first stage (i). When we don't have that issue the traffic is always seen passing through all four stages in fw monitor.
A similar case was mentioned in this link:
http://www.cpug.org/forums/nokia-ipso/6803-nokia-ipso-4-1-build-40-ngx-r65-hfa_02-a.html
but no solution is recorded.
Any help would be much appreciated.
Question by:kmpez
6 Comments
 
LVL 14

Expert Comment

by:grimkin
ID: 22715934
If you run fw monitor with the "-p all" switch then you will get all stages, not just i, I, o and O - you can then map these against the specific stages for your machine (which you can identify using the "fw ctl chain" command).

This may throw a bit of light on exactly where they are failing, as you can see which module it is stopping at, e.g. if your packets don't get past i3 then you would look for problems with vpn decryption. An example chain looks like:

in chain (11):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 2000000 (a0e4cf80) vpn decrypt (vpn)
      2: - 1fffff8 (a0e50d54) l2tp inbound (l2tp)
      3: - 1fffff6 (a097488c) Stateless verifications (asm)
      4: - 1fffff0 (a0e4ca90) vpn decrypt verify (vpn_ver)
      5: - 1000000 (a098a66c) SecureXL conn sync (secxl_sync)
      6:         0 (a093eae8) fw VM inbound  (fw)
      7:   2000000 (a0e4dfe0) vpn policy inbound (vpn_pol)
      8:  10000000 (a098a800) SecureXL inbound (secxl)
      9:  7f600000 (a096f950) fw SCV inbound (scv)
      10:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
out chain (9):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 1ffffff (a0e4c99c) vpn nat outbound (vpn_nat)
      2: - 1f00000 (a097488c) Stateless verifications (asm)
      3:         0 (a093eae8) fw VM outbound (fw)
      4:   2000000 (a0e4db70) vpn policy outbound (vpn_pol)
      5:  10000000 (a098a800) SecureXL outbound (secxl)
      6:  1ffffff0 (a0e512fc) l2tp outbound (l2tp)
      7:  20000000 (a0e4d494) vpn encrypt (vpn)
      8:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
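A small parser for the kind of "fw ctl chain" listing quoted above, written as an added example for this thread (it is not the poster's code nor a Check Point tool): it turns the chain into a lookup so that a "fw monitor -p all" stage label such as i3 resolves to its module, and it names the module following the last stage at which a packet was still seen, which is the first place to look. The sample chain is the one quoted above, with the outbound chain trimmed to three constructed entries.

```python
import re
# Constructed sample: the inbound chain quoted in the comment above plus a trimmed
# outbound chain (the real output lists every outbound module; three suffice here).
SAMPLE_CHAIN = """\
in chain (11):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1: - 2000000 (a0e4cf80) vpn decrypt (vpn)
      2: - 1fffff8 (a0e50d54) l2tp inbound (l2tp)
      3: - 1fffff6 (a097488c) Stateless verifications (asm)
      4: - 1fffff0 (a0e4ca90) vpn decrypt verify (vpn_ver)
      5: - 1000000 (a098a66c) SecureXL conn sync (secxl_sync)
      6:         0 (a093eae8) fw VM inbound  (fw)
      7:   2000000 (a0e4dfe0) vpn policy inbound (vpn_pol)
      8:  10000000 (a098a800) SecureXL inbound (secxl)
      9:  7f600000 (a096f950) fw SCV inbound (scv)
      10:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
out chain (3):
      0: -7f800000 (a0973cd8) IP Options Strip (ipopt_strip)
      1:         0 (a093eae8) fw VM outbound (fw)
      2:  7f800000 (a0973f24) IP Options Restore (ipopt_res)
"""

HEAD_RE = re.compile(r"^(in|out) chain \((\d+)\):")
ENTRY_RE = re.compile(r"^\s*(\d+):\s*(-?)\s*([0-9a-f]+)\s+\(([0-9a-f]+)\)\s+(.*?)\s+\((\w+)\)\s*$")

def parse_chain(text):
    # Returns {"in": [entries], "out": [entries]}; offsets keep their sign (hex).
    chains, current = {"in": [], "out": []}, None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            pos, sign, off, _addr, name, tag = m.groups()
            chains[current].append({"pos": int(pos), "offset": int(sign + off, 16), "name": name, "module": tag})
    return chains

def stage_module(chains, stage):
    # Map an "fw monitor -p all" stage label such as "i3" or "o1" to its chain entry.
    entries = chains[{"i": "in", "o": "out"}[stage[0].lower()]]
    return next(e for e in entries if e["pos"] == int(stage[1:]))

def suspect_after(chains, last_seen):
    # Module right after the last stage the packet was seen at (None if it was the last one).
    seen = stage_module(chains, last_seen)
    entries = chains[{"i": "in", "o": "out"}[last_seen[0].lower()]]
    return next((e for e in entries if e["pos"] == seen["pos"] + 1), None)
```

Feed it the real output of "fw ctl chain" from the affected member and the stage label from the last line fw monitor printed for a stuck packet.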
 
LVL 4

Expert Comment

by:yurisk
ID: 22716574
Do you by chance have URL filtering enabled on this box?
Not specific to clusters, but I have had a client where all of a sudden http/https browsing stopped
completely, no errors in Tracker, no nothing. And in fw monitor exactly the same - traffic comes to the FW
but then mysteriously disappears. The moment I disabled URL filtering all returned to normal.
As the client wasn't interested in debugging it further I left it as it was.
PS: Since then, the first thing I do when debugging weird problems on a box with Messaging Security
is turn it off, then the normal debugging goes on...
 

Author Comment

by:kmpez
ID: 22717732
Dear grimkin,
this is the next debugging step we have scheduled to do when the issue reappears.
In fact I plan on using "fw monitor -pi pos" in order to limit firewall resource usage, because all these systems are critical.
If I don't get the information I want I might increase the debugging level.

Dear yurisk,
can you be more specific? We have completely disabled the SmartDefense on the cluster. Are you aware of any URL_filtering configuration on the Checkpoint Firewalls? If yes, how is it configured? If you have in mind a third party plugin, then this is not the case, since no third party plugins are installed on the clusters. In addition we are not sure if the blocked traffic is only http/https.

Thank you for your replies.
I am very much interested to know if anyone else has faced similar issues with Checkpoint Firewalls and what was the solution.
Regards,
 
LVL 4

Expert Comment

by:yurisk
ID: 22728666
The URL filtering I am referring to is found in SmartDashboard under the tab Content Inspection -
if you don't have such a tab you don't have this filtering. Messaging Security (Antispam/Antivirus/etc.) is a (relatively) new add-on from Checkpoint themselves for R65 (an update you have to apply to R65), so if you didn't do it, it should not bother you. SmartDefense is something different and not connected to it.
 

Author Comment

by:kmpez
ID: 22730328
Dear yurisk,
the Web Filtering policy is on, but it is not enforced on any gateway. The message displayed next to the Enforcing Gateways button is:
Note: No gateways are currently enforcing the Web Filtering policy.
and of course no Gateways are selected in the Web Filtering Enforcing Gateways.
The strange thing is that the Solaris Checkpoint Cluster is not displayed in the list of Gateways that can enforce this policy (instead only the SPLAT clusters are displayed).
Anyway this does not seem to be related in any way.
Thanks for your concern.
Regards.
 

Accepted Solution

by:
kmpez earned 0 total points
ID: 22757398
Dear grimkin,
using "fw monitor -p all" (even with the addition of an "-e" statement, in order to filter the traffic monitored) the firewall becomes unresponsive and nothing is displayed in the ssh window or captured in a file.
We definitely need a less resource intensive way in order to identify what is failing in our case.
Thanks.
Regards.