| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi All, I have 1 firewall and 1 SmartCenter, a distributed installation, using R55 HFA07 for the firewall and R65 for the SmartCenter. The strange thing happens when I push the policy to the firewall: the internet (external) connection gets disconnected for 3-5 minutes. There was no dropped traffic in SmartView Tracker, and the interface was fine. What I was thinking is that somehow, when the policy gets installed, the firewall just clears the whole connection table and makes a new one. Is it like that? Has anyone ever experienced a similar problem before? Thank you in advance. Regards, Nutriaji |
| |||
| Check in SmartView Dashboard: Open the firewall object > Advanced > Connection Persistency. Rematch is usually the best choice. What operating system is the firewall using? R55 HFA07 is ancient. The current HFA is 20 and there were a ton of fixes in between. You can apply HFA20 over HFA07 and it will add all of the patches. I believe R55 goes end of life in mid-2008 also. HTH, Ray |
| |||
| Hi Ray, Thank you for your reply. Yes, I have put the setting as Rematch Connections previously, but the problem is still there. I still have another firewall with HFA_02 that never acts like this. Thanks, Nutriaji |
| |||
| What operating system are you using? I've seen Nokias occasionally lose automatic ARP during a policy push, so I added a manual proxy ARP and it was OK after that. This could only be the cause if the browsing was NOT being done via the real IP of the firewall's external interface. Ray |
| |||
| Quote:
In my case, it's not only one or two connections getting disconnected; it's like the external interface cannot go any further. It loses connection for about 3-5 mins. I'm using Nokia IPSO < 4.0, 3.8 I guess. Do you know what really happens (in detail) when we push the policy to the firewall? All I know is: - Saving the policy into Saved/Saved As Policy Packages - Update the Policy Filter and the NAT - That's it. Does Check Point do something like interfering with the interface, making IPSO do something at the O/S level? Please advise... Thank you in advance. Regards, Nutriaji |
| |||
| Installing the security policy does reset all of the automatic ARPs. Try this: SSH to the firewall and continuously ping the next hop router, the one between the firewall external interface and your ISP. Set up a security rule to allow this if needed. Also set up a security rule to allow you to ping the same router from your desktop. Once both the firewall and your desktop are pinging the next-hop router continuously, push a policy and see if the pinging stops for a while. Normally the firewall external interface is caused by Hide NAT. If this is a proxy ARP issue the pinging should not stop. Ray |
| |||
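The test described in the post above yields two ping traces that have to be lined up against the time of the policy push. As an added example (not part of the original thread), this script logs one probe per second and reports the outage that follows a push; the log format, function names and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Log format "<epoch> ok|fail" is an
# assumption of this sketch; run probe_loop on the firewall and on the desktop.

# probe_loop HOST LOGFILE: one probe per second until interrupted.
# Assumes a ping that accepts "-c 1" and a date that supports "+%s".
probe_loop() {
    while :; do
        if ping -c 1 "$1" >/dev/null 2>&1; then s=ok; else s=fail; fi
        echo "$(date +%s) $s" >>"$2"
        sleep 1
    done
}

# outage_windows LOGFILE: print "first_fail last_fail seconds" per run of failures.
outage_windows() {
    awk '
        $2 == "fail" { if (!down) { down = 1; start = $1 } last = $1 }
        $2 == "ok" && down { print start, last, $1 - start; down = 0 }
        END { if (down) print start, last, "ongoing" }
    ' "$1"
}

# outage_after LOGFILE PUSH_EPOCH [SLACK]: length in seconds of the first outage
# starting within SLACK seconds (default 60) after the push; 0 if there is none.
outage_after() {
    outage_windows "$1" | awk -v p="$2" -v s="${3:-60}" '
        $1 >= p && $1 <= p + s { print $3; found = 1; exit }
        END { if (!found) print 0 }'
}

# Constructed sample: policy pushed at epoch 1000; the firewall trace stays up,
# the desktop trace fails from 1003 and recovers at 1183 (180 s).
demo_dir=$(mktemp -d)
awk 'BEGIN { for (t = 990; t <= 1200; t++) print t, "ok" }' >"$demo_dir/fw.log"
awk 'BEGIN { for (t = 990; t <= 1200; t++)
        print t, (t >= 1003 && t < 1183 ? "fail" : "ok") }' >"$demo_dir/desktop.log"

echo "firewall outage after push: $(outage_after "$demo_dir/fw.log" 1000) s"
echo "desktop outage after push:  $(outage_after "$demo_dir/desktop.log" 1000) s"
```

Note the push time with `date +%s` just before installing the policy, and pass it as the second argument to `outage_after` for each log.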
| Hi, I am adding to this post since this is similar to a problem I am seeing with my SecurePlatform R55 HFA-17 active/active cluster. We use automatic NATs and have a manual NAT rule that does not NAT between management and firewalls. Upon completion of a policy push, we lose connectivity to the next hop router. I ping the router from the firewall during the push; the ping stops upon completion of the push. I try to re-push with no change. I have to perform a reboot of both firewalls to re-establish connectivity again. This just started a few days ago, and we have not seen this before. Any ideas of what the issue may be or what I can do? |