CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Checkpoint firewall can't reach TACACS servers -> logs show allowed

  #1

    Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Check Point firewalls can't reach the TACACS servers:

    ping gets no reply

    traceroute shows all stars

    logs show: src as the firewall and dst as the TACACS servers, allowed on TCP port 49

    Are there any ways to check this? I'm new to the company network and don't know exactly what's in between the firewall and the servers.

    Is there something I can do to check whether a route exists on the firewall?

    If one exists and I want to set a default route, what would it be? The IP I SSH into as the next hop?

  #2

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Presuming that the firewall is a Gaia OS firewall, you can simply SSH into the unit and run the command

    show route

    This will display the routing table of the firewall.

    You may well need to work with someone more familiar with the network to determine what the correct next hop should be, and what may be in between the systems.

  #3

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Quote Originally Posted by mcnallym:
        Presuming that the firewall is a Gaia OS firewall, you can simply SSH into the unit and run the command

        show route

        This will display the routing table of the firewall.

        You may well need to work with someone more familiar with the network to determine what the correct next hop should be, and what may be in between the systems.
    Assuming that routing is already in place and verified, you can run the following command on the firewalls to confirm:

    [Expert@fw:0]# telnet 1.1.1.1 49
    Trying 1.1.1.1...
    Connected to 1.1.1.1.
    Escape character is '^]'.


    Anything other than the above means:

    1- the TACACS server might see the traffic but will not respond,
    2- a local firewall on the TACACS server itself,
    3- Gaia does not have a rule to allow outbound access to the TACACS server
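The telnet test above has three distinct outcomes, and telling them apart is most of the diagnosis: "Connected" means the full handshake worked, "Connection refused" means the host was reached but nothing (or a rejecting host firewall) sits on TCP/49, and a plain timeout means no answer at all, which points at a missing route, a drop on the path, or a host firewall that silently discards. The probe below is an added example, not code from the thread or from Check Point; it runs from any host with Python, uses the thread's 1.1.1.1 only as a placeholder server address, and checks the "open" and "refused" cases offline against a throwaway listener on 127.0.0.1.

```python
"""TCP/49 reachability probe (added example, not from the original post).

Classifies a connect attempt the same way the telnet test is read:
'open', 'refused', 'timeout' or 'unreachable'. The 1.1.1.1 address at the
bottom is a placeholder for the TACACS+ server, as in the thread.
"""
import socket

TACACS_PORT = 49          # TACACS+ listens on TCP port 49


def probe_tcp(host, port=TACACS_PORT, timeout=3.0):
    """Attempt a TCP connect and classify the result.

    'open'        SYN / SYN-ACK / ACK completed: route, rule and server
                  daemon are all fine (telnet prints "Connected to ...").
    'refused'     the host answered with RST: packets reach it, but nothing
                  listens on the port, or a host firewall REJECTs.
    'timeout'     no answer at all: missing route, a drop on the path, or a
                  host firewall that silently DROPs.
    'unreachable' the local stack gave up early (no route, ICMP unreachable).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:            # must precede OSError (it is a subclass)
        return "timeout"
    except ConnectionRefusedError:    # likewise a subclass of OSError
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def demo_loopback():
    """Exercise 'open' and 'refused' against a throwaway listener on
    127.0.0.1 so the probe can be checked offline. 'timeout' needs a real
    black hole on the network and is not simulated here."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port stands in for :49
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()                     # port now closed: kernel answers RST
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_loopback())
    # Real use against the TACACS server from the thread (placeholder IP):
    # print(probe_tcp("1.1.1.1"))
```

A "timeout" verdict is the one the original poster reports in the next post; with ping and traceroute also silent, that is the signature of a missing route or a drop on the path rather than a server-side problem.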

  #4

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Telnet says timeout; unable to connect. What else can I do to find out the route to reach the TACACS server?

  #5

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Quote Originally Posted by Sneha:
        Telnet says timeout; unable to connect. What else can I do to find out the route to reach the TACACS server?
    1- confirm that you have a FW rule to allow the firewall to communicate with the TACACS server
    2- run tcpdump on the firewall interface from which the TACACS request will be sent to the TACACS server
    3- what is this TACACS server? Is it a Cisco ACS server? If so, run tcpdump on the ACS server to confirm that the TACACS request actually gets there: tech dumptcp "-nn -i eth0 host 1.1.1.1" (where 1.1.1.1 is the IP address of the firewall)

    a- if you see the SYN in the ACS tcpdump and no SYN-ACK, then you need to investigate the ACS server
    b- if you see the SYN and SYN-ACK in the ACS tcpdump, it means the traffic hits the ACS server and the server responds. You need to wear your networking hat
    c- if you run into scenario b, look at the tcpdump on the firewall: do you see the SYN-ACK hit the firewall? If it does, do you see the firewall send back the ACK to complete the 3-way handshake?

    Judging from your scenario, it looks like none of the above, but tcpdump on the ACS server will confirm that.

    And it is time to wear your networking hat :-)
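The a/b/c decision tree above is easy to get wrong by eye when two captures are side by side. The code below is an added example, not from the post or from Check Point or Cisco: it parses `tcpdump -nn` style lines from the firewall-side and server-side captures, works out which handshake stages each side saw for the firewall-to-server TCP/49 flow, and names the scenario. The addresses, ports and capture lines are constructed for the demo; the only assumption about the real tool is the standard `IP <src>.<sport> > <dst>.<dport>: Flags [..]` line shape.

```python
"""Handshake triage for TACACS+ (TCP/49) from two tcpdump -nn captures.

Added example, not code from the thread. Maps what each capture shows onto
the scenarios in the post: SYN never arrives, (a) no SYN-ACK, (b) SYN-ACK
lost on the return path, (c) firewall never sends the final ACK, or healthy.
"""
import re

# One tcpdump -nn line: "... IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def handshake_stages(capture, client, server, port=49):
    """Return the set of stages visible in one capture for client->server:port:
    'syn', 'synack', 'ack' (client's bare ACK) and 'rst' (server refused)."""
    stages = set()
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        f = m["flags"]
        c2s = m["src"] == client and m["dst"] == server and int(m["dport"]) == port
        s2c = m["src"] == server and m["dst"] == client and int(m["sport"]) == port
        if c2s and "S" in f and "." not in f:
            stages.add("syn")            # [S]
        elif s2c and "S" in f and "." in f:
            stages.add("synack")         # [S.]
        elif s2c and "R" in f:
            stages.add("rst")            # [R] or [R.]
        elif c2s and f == ".":
            stages.add("ack")            # [.] completing the handshake
    return stages


def diagnose(fw_capture, acs_capture, fw_ip, acs_ip, port=49):
    """Combine the firewall-side and server-side views into one verdict."""
    fw = handshake_stages(fw_capture, fw_ip, acs_ip, port)
    acs = handshake_stages(acs_capture, fw_ip, acs_ip, port)
    if "syn" not in fw:
        return "no SYN leaves the firewall: check the rule base, routing and the capture interface"
    if "syn" not in acs:
        return "SYN leaves the firewall but never reaches the server: path/routing problem"
    if "rst" in acs:
        return "server answers RST: reached, but nothing listens on the port (or a host firewall rejects)"
    if "synack" not in acs:
        return "(a) SYN reaches the server, no SYN-ACK: investigate the ACS server"
    if "synack" not in fw:
        return "(b) server replies but the SYN-ACK never reaches the firewall: return path problem"
    if "ack" not in fw:
        return "(c) SYN-ACK reaches the firewall but no ACK is sent: inspect the firewall itself"
    return "handshake completes on both sides: TCP/49 works, look above layer 4"


# Constructed sample captures (not real traffic); FW is the firewall, ACS the server.
FW, ACS = "10.0.1.50", "10.20.30.40"
SYN    = f"12:00:00.000001 IP {FW}.41234 > {ACS}.49: Flags [S], seq 1, win 29200, length 0"
SYNACK = f"12:00:00.000500 IP {ACS}.49 > {FW}.41234: Flags [S.], seq 100, ack 2, win 28960, length 0"
ACK    = f"12:00:00.000700 IP {FW}.41234 > {ACS}.49: Flags [.], ack 101, win 229, length 0"

SCENARIOS = {                       # name: (firewall capture, server capture)
    "blackhole":   ("\n".join([SYN, SYN]), ""),                    # OP's symptoms
    "server_dead": (SYN, SYN),                                     # (a)
    "return_path": (SYN, "\n".join([SYN, SYNACK])),                # (b)
    "fw_no_ack":   ("\n".join([SYN, SYNACK]), "\n".join([SYN, SYNACK])),  # (c)
    "healthy":     ("\n".join([SYN, SYNACK, ACK]), "\n".join([SYN, SYNACK, ACK])),
}


def run_scenarios():
    return {name: diagnose(fw, acs, FW, ACS) for name, (fw, acs) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:12s} -> {verdict}")
```

Feed it the real captures by reading the two files into strings; the firewall side is taken with `tcpdump -nn` on the egress interface from step 2, the server side with whatever the server's capture facility emits in the same format.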

  #6

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Quote Originally Posted by Sneha:
        Telnet says timeout; unable to connect. What else can I do to find out the route to reach the TACACS server?
    A fun command very few people seem to know: ip route get

    Code:
    [zimmie@SmartCenter]# ip route get 10.20.30.40
    10.20.30.40 via 10.0.1.1 dev eth0  src 10.0.1.50
        cache  mtu 1500 advmss 1460 hoplimit 64
    [zimmie@SmartCenter]# ip route get 10.0.1.80
    10.0.1.80 dev eth0  src 10.0.1.50
        cache  mtu 1500 advmss 1460 hoplimit 64
    This box only has one interface. The first command is for a routed IP, the second is for an IP on the local network. Note the "via" part of the output. Note that this does not check policy-based routing, which some firewall admins use for management connectivity.
    Zimmie
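`ip route get` answers the original question directly (is there a route, and through which next hop and source address would the kernel send), but only if you read the "via", "dev" and "src" fields and recognise the no-route error. The parser below is an added example, not from the post; the sample outputs are constructed in the same shape as the ones above, including the `RTNETLINK answers: Network is unreachable` line the command prints when no route matches, and the expected source address passed to `explain` is an assumed value. As in the post, this says nothing about policy-based routing.

```python
"""Parse `ip route get <dst>` output into a next-hop verdict.

Added example, not code from the thread. Handles the two shapes Bob shows
(routed via a gateway; directly connected) plus the kernel's no-route error.
"""


def parse_route_get(output):
    """Return {'dst', 'via', 'dev', 'src', 'directly_connected'} from the
    first line of `ip route get`, or {'error': ...} when there is no route."""
    lines = [l.strip() for l in output.strip().splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty ip route get output")
    first = lines[0]
    # e.g. "RTNETLINK answers: Network is unreachable" when nothing matches
    if first.startswith("RTNETLINK answers:"):
        return {"error": first.split(":", 1)[1].strip()}
    toks = first.split()
    info = {"dst": toks[0], "via": None, "dev": None, "src": None}
    for key in ("via", "dev", "src"):           # keyword/value pairs, any order
        if key in toks:
            info[key] = toks[toks.index(key) + 1]
    info["directly_connected"] = info["via"] is None
    return info


def explain(output, expected_src=None):
    """One-line verdict. If expected_src is given (the address the TACACS
    server has the firewall registered under, an assumed check), warn when
    the kernel would source the request from a different interface."""
    info = parse_route_get(output)
    if "error" in info:
        return f"no route: {info['error']}; add a route (or a default) before testing TCP/49"
    hop = "directly connected" if info["directly_connected"] else f"via {info['via']}"
    msg = f"{info['dst']} {hop} on {info['dev']}, source {info['src']}"
    if expected_src and info["src"] != expected_src:
        msg += f" (WARNING: source is not {expected_src}; the server may only know that address)"
    return msg


# Constructed sample outputs, same layout as the post's SmartCenter examples.
ROUTED  = "10.20.30.40 via 10.0.1.1 dev eth0  src 10.0.1.50\n    cache  mtu 1500 advmss 1460 hoplimit 64\n"
LOCAL   = "10.0.1.80 dev eth0  src 10.0.1.50\n    cache  mtu 1500 advmss 1460 hoplimit 64\n"
NOROUTE = "RTNETLINK answers: Network is unreachable\n"

if __name__ == "__main__":
    for sample in (ROUTED, LOCAL, NOROUTE):
        print(explain(sample, expected_src="10.0.1.50"))
    # On the box itself: explain(subprocess.check_output(["ip", "route", "get", dst], text=True))
```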

  #7

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Thank you all,

    Telnet to the destination on port 49 helped,
    ip route helped.

    Added rules and routes on the necessary firewalls and now all of them can communicate with the TACACS servers.

  #8

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Quote Originally Posted by Bob_Zimmerman:
        A fun command very few people seem to know: ip route get

        Code:
        [zimmie@SmartCenter]# ip route get 10.20.30.40
        10.20.30.40 via 10.0.1.1 dev eth0  src 10.0.1.50
            cache  mtu 1500 advmss 1460 hoplimit 64
        [zimmie@SmartCenter]# ip route get 10.0.1.80
        10.0.1.80 dev eth0  src 10.0.1.50
            cache  mtu 1500 advmss 1460 hoplimit 64
        This box only has one interface. The first command is for a routed IP, the second is for an IP on the local network. Note the "via" part of the output. Note that this does not check policy-based routing, which some firewall admins use for management connectivity.
    How the heck do you know that many tricks? Are you a CP instructor?

  #9

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Come to the Linux side, we have cookies.

  #10

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Quote Originally Posted by laf_c:
        How the heck do you know that many tricks? Are you a CP instructor?
    Not quite. Studied mathematics and programming, wrote some systems code, then worked in the TAC for years. Wound up in the kernel team (jflemingeds can confirm). Deep knowledge of Linux and UNIX is extremely helpful when dealing with those classes of issues.
    Zimmie

  #11

    Re: Checkpoint firewall can't reach TACACS servers -> logs show allowed

    Quote Originally Posted by Bob_Zimmerman:
        Not quite. Studied mathematics and programming, wrote some systems code, then worked in the TAC for years. Wound up in the kernel team (jflemingeds can confirm). Deep knowledge of Linux and UNIX is extremely helpful when dealing with those classes of issues.
    We need a like button in this forum. Thumbs up.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
