CPUG: The Check Point User Group


Thread: ICMP time exceeded are not logged?

  1. #1

    Default ICMP time exceeded are not logged?

    Hello,

    Recently we faced a network issue and found a possible logging bug while investigating this incident.
    The basic description is the following:
    packet flow from inside to outside (90% UDP); a routing loop somewhere on the outside resulted in millions of ICMP TTL expired in transit messages towards the source of the packet flow
    no NAT is performed on the FW


    Long story short: we couldn't detect this enormous flow of ICMP packets towards the source server because the logging servers show only ~35 DENIED ICMP TTL expired in transit packets towards the source. But the counters on the source device (which was the source of the UDP packets and the destination of the ICMP TTL expired packets) were checked a few hours later and showed millions of ICMP packets received during several hours.

    I want to ask: are there any specifics in logging these messages? If we had seen this enormous ICMP flow towards the server on the inside we could have solved the issue faster. But, again, there's nothing in the logs except ~35 denied ICMP packets from the routers which experienced the routing loop towards the server on the inside. Does anyone have any thoughts on why this could happen?

    Platform: VSX R77.30
    Last edited by vsenv7; 3 Weeks Ago at 08:55.

  2. #2

    Default Re: ICMP time exceeded are not logged?

    The firewall does not typically log the response to a connection. It's the responsibility of the client to record that and make it available.

    In general, I agree it would be nice to get connection disposition information. I would love to see if a connection left the connections table due to an orderly close, a timeout, a RST from the server, or what-have-you. Some of this is possible to log, but the ability to record TTL Exceeded messages would be an enhancement, not a bug to fix.
    Zimmie

  3. #3

    Default Re: ICMP time exceeded are not logged?

    Quote Originally Posted by Bob_Zimmerman View Post
    The firewall does not typically log the response to a connection. It's the responsibility of the client to record that and make it available.
    Yes, I realize that only connection initiation is logged, replies are not logged. Btw, technically speaking: is the first SYN logged no matter whether a SYN/ACK was received, or is it logged only once the 3-way handshake has happened?

  4. #4

    Default Re: ICMP time exceeded are not logged?

    Wouldn't antispoofing kick in when you got a routing loop?

    In the past I always saw 2 logs for the first connection: 1 allowed with the correct interface, 1 dropped with the wrong interface for that particular source IP.

  5. #5

    Default Re: ICMP time exceeded are not logged?

    Only the initial SYN is logged by the firewall. Subsequent traffic can be logged by Application Control, IPS, and so on. In the case of the problem you mentioned, all you would see is traffic accepted by the firewall, because the traffic was allowed out.
    Zimmie

  6. #6

    Default Re: ICMP time exceeded are not logged?

    Quote Originally Posted by jvc2001 View Post
    Wouldn't antispoofing kick in when you got a routing loop?

    In the past I always saw 2 logs for the first connection: 1 allowed with the correct interface, 1 dropped with the wrong interface for that particular source IP.
    Only if the firewall is part of the routing loop. Take this very simple topology:

    Attachment 1411

    If the routing loop is between the load balancer and the router, the firewall will not show anything abnormal.

    If the routing loop is between the firewall and the load balancer, the firewall would see an accept, then a drop due to antispoofing, yes.
    Zimmie

  7. #7

    Default Re: ICMP time exceeded are not logged?

    Quote Originally Posted by Bob_Zimmerman View Post
    Only the initial SYN is logged by the firewall.
    In R77.10, we added TCP State Logging.
    It's not enabled by default, of course.
    See: https://supportcenter.checkpoint.com...ionid=sk101221
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  8. #8

    Default Re: ICMP time exceeded are not logged?

    Thanks for your answers.

    TCP state logging could possibly help.

    Another thought: is there any command to show ICMP (or other type of traffic) counters?
    Something similar to this:

    Code:
    cisco-router# show ip traffic
    
    <omit>
    
    ICMP statistics:
    Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 89 unreachable
    30856 echo, 0 echo reply, 1 mask requests, 0 mask replies, 82 quench
    0 parameter, 1 timestamp, 1 info request, 0 other
    0 irdp solicitations, 0 irdp advertisements
    Sent: 0 redirects, 53 unreachable, 0 echo, 30856 echo reply
    0 mask requests, 0 mask replies, 0 quench, 1 timestamp
    0 info reply, 12 time exceeded, 0 parameter problem
    0 irdp solicitations, 0 irdp advertisements
    
    </omit>

    Is there any command to have similar output?
    The idea is the following: if the FW treats millions of ICMP type 11 packets as part of a communication session and doesn't log them, then intensive growth of the ICMP counters could possibly indicate an issue...

  9. #9

    Default Re: ICMP time exceeded are not logged?

    Quote Originally Posted by vsenv7 View Post
    Thanks for your answers.

    TCP state logging could possibly help.

    Another thought: is there any command to show ICMP (or other type of traffic) counters?
    Something similar to this:

    Code:
    cisco-router# show ip traffic
    
    <omit>
    
    ICMP statistics:
    Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 89 unreachable
    30856 echo, 0 echo reply, 1 mask requests, 0 mask replies, 82 quench
    0 parameter, 1 timestamp, 1 info request, 0 other
    0 irdp solicitations, 0 irdp advertisements
    Sent: 0 redirects, 53 unreachable, 0 echo, 30856 echo reply
    0 mask requests, 0 mask replies, 0 quench, 1 timestamp
    0 info reply, 12 time exceeded, 0 parameter problem
    0 irdp solicitations, 0 irdp advertisements
    
    </omit>

    Is there any command to have similar output?
    The idea is the following: if the FW treats millions of ICMP type 11 packets as part of a communication session and doesn't log them, then intensive growth of the ICMP counters could possibly indicate an issue...
    Yes: netstat -s from expert mode.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  10. #10

    Default Re: ICMP time exceeded are not logged?

    Quote Originally Posted by ShadowPeak.com View Post
    Yes: netstat -s from expert mode.
    Unfortunately, 'vsenv 5 + netstat -s' shows exactly what 'vsenv 20 + netstat -s' shows.

    Looks like this type of stats is identical for all the VSs. And I thought that these stats would be per-VS.

  11. #11

    Default Re: ICMP time exceeded are not logged?

    Quote Originally Posted by vsenv7 View Post
    Unfortunately, 'vsenv 5 + netstat -s' shows exactly what 'vsenv 20 + netstat -s' shows.

    Looks like this type of stats is identical for all the VSs. And I thought that these stats would be per-VS.
    Virtual systems are not virtual machines, in the sense that they all run on the same underlying OS.
    The stats you obtain from netstat are for the entire machine, not the VS.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
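The counter-watching idea from posts #8 and #9, with the caveat from post #11, as an added example that is not code from the thread or from Check Point: it parses the received "time exceeded" count out of `netstat -s` text, compares two samples and flags abnormal growth. The `netstat -s` layout, the 10-second interval and the 100-per-second threshold are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point: sample the
# host-wide ICMP "time exceeded" receive counter from `netstat -s` twice and
# flag abnormal growth. On VSX the counter covers the whole box, not one VS.

# Pull the received "time exceeded" count out of netstat -s text on stdin.
# Assumes the Linux/Gaia layout: an "Icmp:" section holding an
# "ICMP input histogram:" block with a "time exceeded: N" line.
icmp_time_exceeded_rx() {
    awk '
        /^Icmp:/ { in_icmp = 1; next }
        /^[A-Za-z]/ { in_icmp = 0 }                  # any other top-level section
        in_icmp && /input histogram/ { in_hist = 1; next }
        in_icmp && /output histogram/ { in_hist = 0 }
        in_icmp && in_hist && /time exceeded:/ {
            sub(/.*time exceeded: */, ""); print $1; found = 1; exit
        }
        END { if (!found) print 0 }                  # counter absent: treat as 0
    '
}

# Compare two counts taken <interval_s> apart; print the per-second rate.
# Exit status 0 when at or below <threshold_pps>, 1 when the rate exceeds it.
check_rate() {   # usage: check_rate <before> <after> <interval_s> <threshold_pps>
    delta=$(($2 - $1))
    rate=$((delta / $3))
    if [ "$rate" -gt "$4" ]; then
        echo "ALERT: $rate ICMP time-exceeded/s received (threshold $4/s)"
        return 1
    fi
    echo "ok: $rate ICMP time-exceeded/s received"
}

# Constructed netstat -s excerpt (not real output), parameterised on the
# received "time exceeded" count so two samples can be compared offline.
sample_output() {
    printf 'Ip:\n    100 total packets received\nIcmp:\n    50 ICMP messages received\n'
    printf '    ICMP input histogram:\n        destination unreachable: 12\n'
    printf '        time exceeded: %s\n        echo requests: 30\n' "$1"
    printf '    ICMP output histogram:\n        time exceeded: 2\nIcmpMsg:\n        InType11: %s\n' "$1"
    printf 'Tcp:\n    10 active connection openings\n'
}

# Offline demo with constructed samples; for live use replace sample_output
# with `netstat -s` in expert mode and sleep for the interval between samples.
before=$(sample_output 5 | icmp_time_exceeded_rx)
after=$(sample_output 1200005 | icmp_time_exceeded_rx)
check_rate "$before" "$after" 10 100 || true    # 1200000/10 = 120000/s: ALERT
```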
