Hello,

try using the "fw monitor" command on your gateway. It captures packets
as they pass through your gateway and can save them in a format that
Ethereal understands. It can capture packets as they enter and leave
every interface of the firewall, so you can observe if NAT happens and
where, etc. This means that you will see every packet four times (coming
and leaving the inbound interface before routing, and coming and leaving
the outbound interface after routing), but this is configurable. Check
Point even has a special version of Ethereal available for download that
understands and displays the contents of these files with more
information. You can find it at
http://www.checkpoint.com/techsupport/downloadsng/utilities.html#CPethereal.
On that page you will also find a document about "fw monitor".
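As an added illustration (not part of the reply above or any Check Point tool), here is a small parser that reads fw monitor's text output and reports, per flow, the furthest of the four inspection points (i, I, o, O) each direction reached, which is exactly the question in Phil's case: the RSA reply is seen entering the LAN interface but never leaving the DMZ interface. The sample lines are constructed to mimic the output of something like `fw monitor -e 'accept udp and port(5500);' -m iIoO`; the interface names eth1 (LAN) and eth2 (DMZ) are assumptions.

```python
import re
from collections import defaultdict

# The four fw monitor inspection points, in the order a packet crosses them:
# i = before inbound inspection, I = after inbound inspection (before routing),
# o = before outbound inspection, O = after outbound inspection.
POINT_ORDER = "iIoO"
MEANING = {
    "i": "dropped by inbound inspection (rulebase, anti-spoofing, SmartDefense)",
    "I": "lost between inbound inspection and the outbound interface (routing/OS)",
    "o": "dropped by outbound inspection",
    "O": "left the gateway; the problem is downstream",
}

# Constructed sample modelled on fw monitor's text output: the CSG request
# crosses all four points, the RSA reply is only seen on the LAN side
# (eth1 assumed = LAN, eth2 assumed = DMZ). "UDP:" detail lines are skipped.
SAMPLE = """\
eth2:i[60]: 10.10.10.2 -> 192.168.55.5 (UDP) len=60 id=1
UDP: 1024 -> 5500
eth2:I[60]: 10.10.10.2 -> 192.168.55.5 (UDP) len=60 id=1
eth1:o[60]: 10.10.10.2 -> 192.168.55.5 (UDP) len=60 id=1
eth1:O[60]: 10.10.10.2 -> 192.168.55.5 (UDP) len=60 id=1
eth1:i[72]: 192.168.55.5 -> 10.10.10.2 (UDP) len=72 id=2
UDP: 5500 -> 1024
eth1:I[72]: 192.168.55.5 -> 10.10.10.2 (UDP) len=72 id=2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\)"
)

def trace_flows(lines):
    """Map (src, dst, proto) -> list of (interface, inspection point) seen."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            flows[(m["src"], m["dst"], m["proto"])].append((m["iface"], m["point"]))
    return dict(flows)

def locate_drop(lines):
    """For each flow, the furthest inspection point reached and what that implies."""
    report = {}
    for flow, hits in trace_flows(lines).items():
        iface, point = max(hits, key=lambda h: POINT_ORDER.index(h[1]))
        report[flow] = (iface, point, MEANING[point])
    return report
```

Running `locate_drop(SAMPLE)` reports the request as last seen at eth1:O and the reply as last seen at eth1:I, i.e. the reply was accepted by inbound inspection but never reached the DMZ interface, which points at routing or the OS rather than at the rulebase.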

Phil Wang wrote:

Hi all,

I have a CSG server (10.10.10.2) in the DMZ that authenticates via an RSA server
(192.168.55.5) in the LAN. The firewall interfaces are Internet 203.x.x.1/28, LAN
192.168.55.1/24, DMZ 10.10.10.1/24.

I am migrating the current Symantec firewall to Checkpoint NG AI R55 with Secure
Platform. Before migration, this Citrix CSG and RSA infrastructure was working fine.
After the cutover, I notice the CSG is having difficulty communicating with the RSA
server.

On the firewall LAN interface (192.168.55.1), tcpdump shows 10.10.10.2 sending
UDP packets to 192.168.55.5 on port 5500 (showing in SmartView Tracker as well) and
192.168.55.5 returning packets to 10.10.10.2 as well. However, on the firewall DMZ
interface (10.10.10.1), I can only see the packets going from 10.10.10.2 to
192.168.55.5 but not vice versa. And I don't see any packets dropped in SmartView
Tracker (I have logged all rules, both implied rules and anti-spoofing).

I have gone through the rulebase and made sure there is no NAT translation between DMZ and LAN,
and also tried adjusting options in Global Properties and SmartDefense, but without any
luck. At the same time, TCP and ICMP traffic seem to be fine from each side.

Has anyone seen this before, or any idea what it is?

Thanks,

Phil