Wednesday, April 10, 2024

Troubleshooting Firewalls


[Expert@myfw101:0]# ip route get 216.18.76.16
216.18.76.16 via 10.114.255.11 dev eth1-01 src 10.113.255.14 
[Expert@myfw101:0]#


fw ctl zdebug + drop | grep 216.18.76.16

@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;
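As an added example (not part of the original notes), a small Python parser for the `fw ctl zdebug + drop` line format captured above, so a longer capture can be filtered by peer address instead of piping it through grep; the field layout in the regex and the second sample line are assumptions based on the single line seen here, and other drop reasons may carry extra fields.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches one fw_log_drop_ex line from `fw ctl zdebug + drop`. Assumed layout (from the one line
# captured): "@;<seq>;[vs_N];[tid_N];[fwK_N];fw_log_drop_ex: Packet proto=P S:SP -> D:DP dropped by <fn> Reason: <text>;"
DROP_RE = re.compile(
    r"^@;(?P<seq>\d+);\[vs_\d+\];\[tid_\d+\];\[[^\]]+\];"
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<fn>\w+) Reason: (?P<reason>.*?);?\s*$"
)
# Rulebase drops carry the policy layer and the rule number inside the reason text.
RULE_RE = re.compile(r'on layer "(?P<layer>[^"]+)" rule (?P<rule>\d+)')

@dataclass
class DropRecord:
    seq: int
    proto: int          # IP protocol number: 17 = UDP, 6 = TCP, 1 = ICMP
    src: str
    sport: int
    dst: str
    dport: int
    dropped_by: str     # kernel function that logged the drop
    reason: str
    layer: Optional[str] = None   # only set for "Rulebase drop" reasons
    rule: Optional[int] = None

def parse_drop_line(line: str) -> Optional[DropRecord]:
    """Return a DropRecord for a fw_log_drop_ex line, or None for any other debug line."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    rec = DropRecord(seq=int(m["seq"]), proto=int(m["proto"]),
                     src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                     dport=int(m["dport"]), dropped_by=m["fn"], reason=m["reason"])
    r = RULE_RE.search(rec.reason)
    if r:
        rec.layer, rec.rule = r["layer"], int(r["rule"])
    return rec

def drops_from_peer(lines, peer: str):  # same filter as `| grep <dns server ip>` above
    for line in lines:
        rec = parse_drop_line(line)
        if rec and peer in (rec.src, rec.dst):
            yield rec

# Constructed sample: the rulebase drop from the notes, plus one unrelated (made-up) debug line.
SAMPLE = """@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;
@;20508119;[vs_0];[tid_30];[fw4_30];some other debug text;"""
```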


DNS Not active on Standby Cluster Member

fwha_forw_packet_to_not_active=1

Here's the SK in case you need it:

https://support.checkpoint.com/results/sk/sk43807



enabled_blades
fw stat 
cpinfo -y all


In addition, if you would please upload a cpinfo from your gateway, as well as an HCP report, this will help us look for known issues in your environment.
cpinfo -s 6-0003824777
hcp -r all --include-wts yes



Standby
nslookup google.com 
tcpdump -nni any host 216.18.76.16

Active 
tcpdump -nni any host 216.18.76.16 and host 10.14.55.14

set dns mode default
set dns suffix bcbsma.com
set dns primary 216.118.176.16
set dns secondary 10.115.1.11
set dns tertiary 10.23.210.23
[Expert@myfw101:0]#


142.250.65.238
tcpdump -nni any host 216.118.176.16 and host 10.114.255.14 | grep -i 'google'
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0"
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0" | grep -i 'google'

[Expert@myfw101:0]## cat /var/opt/fw.boot/modules/fwkern.conf
enhanced_ssl_inspection=1
bypass_on_enhanced_ssl_inspection=1
fwmultik_input_queue_len=4096
[Expert@myfw101:0]## 



 hcp -r all


[Expert@myfw101:0]# tcpdump -nni Sync host 216.18.76.16 and host 10.14.255.14 | grep -i 'google'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
15:07:27.015688 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:34.015911 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:41.016201 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
^C1648 packets captured
1685 packets received by filter
0 packets dropped by kernel

[Expert@myfw101:0]## 

[Expert@myfw101:0]## fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1
[Expert@myfw101:0]#
