Hello people,

I have just run into a weird problem, which I was able to fix, but I am basically looking for an explanation as to *why* it happened, and I am therefore wondering if anyone else has seen this scenario before.

Nokia IPSO 3.5.1
Check Point FP3 HotFix 2 + SSL (standalone install)

After working for weeks since its last policy modification early in the morning the firewall began dropping all packets from itself and to itself with reference to SAM/CPMAD.

Users NATing out of the firewall could work fine, connections to statically NATed addresses on the firewall for things like email servers worked fine, but anything with the source or destination IP of the firewall was dropped by SAM, thus the site-to-site/client-to-site VPNs were all broken.

Turns out that somehow the firewall's IP address was placed in the sam_blocked_ips table and thus was rejecting itself on most of the things it was meant to be doing. Now, before I determined this, after looking around and restarting FireWall-1 (and killing SAM), FW-1 would restart, CPMAD would start up and then cpmad would turn into a zombie process; FireWall-1 believed it was running and therefore could never actually shut it down.

CPMAD only stopped being a zombie when I discovered and cleared the firewall's IP from the sam_blocked_ips table. Once cleared from the table all resumed as normal, and since then, more than 48 hours ago, the firewall has carried on working as it should.

Has anybody seen anything like this before, and if so, or even if not, could someone explain to me what kind of attack could render the firewall's IP address to be placed in SAM's blocked IP table?

Cheers,
Brendan
