CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

I can see traffic hitting the box if I do a tcpdump, however, I do not see it hit firewall tracker (no deny or permit). I wait a few hours, and then I can see it hit the tracker and it works. A while later, I don't see it hit the tracker anymore, but I always see it hit the box via tcpdump. It's a redirect rule that appears to be "intermittently" denied, but I see no deny in the firewall tracker. It's like IPSO is dropping the traffic. Any ideas?

I'm a checkpoint noob :-) Familiar with Cisco and Juniper, but that hasn't helped me out much with Checkpoint. Is the "regional settings" the "global properties" in the Dashboard? Is the Manage -> Time what you were referring to? It only had two objects and when I clicked "Where used" nothing showed up for either one.

I've done more investigating into this and found the "fw monitor" command on the Checkpoint that does more than tcpdump or snoop. Thing is, I don't know enough about internal workings for this to be useful. When it is not working, I see it stopping at two points...

```
in chain (9):
0: -7f800000 (aac78794) (ffffffff) IP Options Strip (ipopt_strip)
1: - 1fffff6 (aac7a044) (00000001) Stateless verifications (asm)
2: - 1000000 (aacba4b4) (00000003) SecureXL conn sync (secxl_sync)
3: 0 (aac0c7d8) (00000001) fw VM inbound (fw)
---------------------------------Failed after here on one inbound try
4: 1 (aac870c0) (00000002) wire VM inbound (wire_vm)
5: 10000000 (aacbaafc) (00000003) SecureXL inbound (secxl)
6: 7f600000 (aac6ea14) (00000001) fw SCV inbound (scv)
7: 7f750000 (aada5c9c) (00000001) TCP streaming (in) (cpas)
8: 7f800000 (aac78a34) (ffffffff) IP Options Restore (ipopt_res)
(9) - inbound chain successful
---------------------------------Failed after here on another inbound try
out chain (8):
0: -7f800000 (aac78794) (ffffffff) IP Options Strip (ipopt_strip)
1: - 1fffff0 (aada5e10) (00000001) TCP streaming (out) (cpas)
2: - 1f00000 (aac7a044) (00000001) Stateless verifications (asm)
3: 0 (aac0c7d8) (00000001) fw VM outbound (fw)
4: 1 (aac870c0) (00000002) wire VM outbound (wire_vm)
5: 10000000 (aacbaafc) (00000003) SecureXL outbound (secxl)
6: 7f700000 (aada6050) (00000001) TCP streaming post VM (cpas)
7: 7f800000 (aac78a34) (ffffffff) IP Options Restore (ipopt_res)
```

Failed inbound from my sprint card:

```
monitor: monitoring (control-C to stop)
eth-s1p2c0:i0 (IP Options Strip)[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61531
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i1 (Stateless verifications)[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61531
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i2 (SecureXL conn sync)[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61531
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i3 (fw VM inbound )[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61531
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
---------------------------------No response so it sends another packet on next line.
eth-s1p2c0:i0 (IP Options Strip)[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61534
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i1 (Stateless verifications)[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61534
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i2 (SecureXL conn sync)[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61534
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i3 (fw VM inbound )[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61534
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
monitor: unloading
Read 2 inbound packets and 0 outbound packets
```

Failed inbound from local subnet (but got through inbound chain, however see no outbound chain):

```
eth-s1p2c0:i0 (IP Options Strip)[48]: 12.12.12.14 -> 12.12.12.12 (TCP) len=48 id=62486
TCP: 6337 -> 80 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:i1 (Stateless verifications)[48]: 12.12.12.14 -> 12.12.12.12 (TCP) len=48 id=62486
TCP: 6337 -> 80 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:i2 (SecureXL conn sync)[48]: 12.12.12.14 -> 12.12.12.12 (TCP) len=48 id=62486
TCP: 6337 -> 80 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:i3 (fw VM inbound )[48]: 12.12.12.14 -> 12.12.12.12 (TCP) len=48 id=62486
TCP: 6337 -> 80 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I4 (wire VM inbound )[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
---- I guess destination gets translated to physical outside IP (not VRRP VIP) for internal use at the VM chain?
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I5 (SecureXL inbound)[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I6 (fw SCV inbound)[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I7 (TCP streaming (in))[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I8 (IP Options Restore)[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I9 (Chain End)[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
```

The problem is that I don't know what these chains correspond to as far as configuration in the firewall. I'm trying to figure that out now. Any input would be greatly appreciated. This works intermittently from different source IPs (it will work from my air card for an hour or more, but won't work from the directly connected subnet... then, a while later, just the opposite is true, where it works from the connected subnet but not my air card.)

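As an added example (not from the thread), a small Python parser for fw monitor output like the above: it groups the header lines by source and IP id and reports the deepest inspection point each packet reached, so a SYN that is last seen at i3 (fw VM inbound) stands out from one that reaches Chain End. The sample capture is constructed from the lines quoted above; the i/I/o/O ordering is fw monitor's pre-inbound, post-inbound, pre-outbound and post-outbound points.

```python
import re

# Constructed sample modelled on the fw monitor lines quoted in the post above: the
# sprint-card SYN (id 61531) is last seen at i3, the local-subnet SYN (id 62486)
# reaches Chain End with its destination rewritten to 12.12.12.8 along the way.
SAMPLE = """\
eth-s1p2c0:i0 (IP Options Strip)[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61531
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i3 (fw VM inbound )[48]: 9.9.9.9 -> 12.12.12.12 (TCP) len=48 id=61531
TCP: 6215 -> 80 .S.... seq=62a35a00 ack=00000000
eth-s1p2c0:i0 (IP Options Strip)[48]: 12.12.12.14 -> 12.12.12.12 (TCP) len=48 id=62486
TCP: 6337 -> 80 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I7 (TCP streaming (in))[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
eth-s1p2c0:I9 (Chain End)[48]: 12.12.12.14 -> 12.12.12.8 (TCP) len=48 id=62486
TCP: 6337 -> 3186 .S.... seq=5e4f6ac9 ack=00000000
"""

# Header line shape: <iface>:<point><pos> (<module>)[caplen]: src -> dst (proto) len=.. id=..
HEADER = re.compile(
    r"^[\w.-]+:(?P<point>[iIoO])(?P<pos>\d+) \((?P<module>.*?)\)\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \(\w+\) len=\d+ id=(?P<id>\d+)"
)
# Inspection points in traversal order: pre-inbound, post-inbound, pre-outbound, post-outbound.
POINT_ORDER = {"i": 0, "I": 1, "o": 2, "O": 3}


def trace(text):
    """Group header lines by (src, IP id), recording each inspection point a packet reached."""
    packets = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:  # TCP detail lines, monitor banners and annotations are skipped
            continue
        rec = packets.setdefault((m["src"], m["id"]), {"points": [], "dst": None})
        rec["points"].append((m["point"], int(m["pos"]), m["module"].strip()))
        rec["dst"] = m["dst"]  # latest destination, so a NAT rewrite mid-chain shows up
    return packets


def verdict(rec):
    """Name the deepest point reached; short of Chain End or an outbound point, the
    packet vanished inside the inbound chain, which is why the tracker shows no deny."""
    point, pos, module = max(rec["points"], key=lambda p: (POINT_ORDER[p[0]], p[1]))
    if point in "oO":
        return "reached outbound chain at %s%d (%s), dst %s" % (point, pos, module, rec["dst"])
    if module == "Chain End":
        return "completed inbound chain, dst now %s; no outbound chain seen" % rec["dst"]
    return "last seen at %s%d (%s); not seen past this point" % (point, pos, module)


def report(text):
    return {key: verdict(rec) for key, rec in trace(text).items()}
```

Feed it the raw text of a real capture (`fw monitor -e 'accept;' > cap.txt`, then `report(open("cap.txt").read())`) to get one verdict per packet.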
vijayant stated this resolved his problem:

> "Yes we solved it. Checkpoint asked me to clear the state. Procedure:
>
> 1. Do cpstop on Smart Center Server and all firewall modules in the cluster simultaneously.
> 2. Back up the content of the state directory and database directory on all firewall modules (/opt/CPsuite-R60/fw1/database, /opt/CPsuite-R60/fw1/state), and then remove these contents.
> 3. On Smart Center Server back up the content of the state directory, and then remove these contents. NOTE: Don't touch the Database directory at all.
> 4. Do cpstart on all devices and try to push the policy.
> 5. In case a default policy is applied, remove it using command - fw unload local on all the enforcement modules."

I haven't tried it yet, but will later on...