Ping not working via Checkpoint



oharek
2013-10-16, 14:47
Hello,

I have a server on the DMZ interface on my Checkpoint and I need it to be able to ping a server via an external interface.
Remote desktop is working ok in both directions but ping is not, which baffles me.
Ping only works from the external interface into the Checkpoint but not the other way around.

Any ideas?

I have icmp, rdp and tcp/445 as the services


Kevin

melipla
2013-10-16, 15:22
Somewhere there's a drop. ICMP is also a protocol so you should be filtering on that and NOT the service. If you still can't find it, try using "fw ctl zdebug + drop" from the command line and search for your source / destination IP.

oharek
2013-10-16, 15:52
Just one more question - I enabled 'any' service temporarily and ping still did not work. Does that mean that ping is not covered by this, and maybe the fact I have 'icmp requests' means that this is not enough to allow ping to work?

I will take your advice and try using the command line debug command.

Kevin

isharted
2013-10-16, 16:48
Look at your implied rules in the Global properties of your policy.

melipla
2013-10-16, 18:41
Ping is included in any, it's just tracker which can be confusing between ??icmp and icmp. The protocol ??icmp is the filter you want, which is a different column than the service one.

oharek
2013-10-25, 12:01
Look at your implied rules in the Global properties of your policy.

I put the following on the server properties

NAT
Add automatic address translation rule
Hide behind IP address - then enter the server's own IP address



I am not too sure why this works but it does.

I have 5 Checkpoint firewalls in my network. 4 of them have never needed this done before for any server. So I checked the global properties for the other 4.

All 4 have a setting saying:

IP Pool NAT
Enable IP Pool NAT ticked


But the problem firewall does not have this ticked.

Is this why I was having this issue and need to enable NAT on this server object?