So Check Point has not escaped this either. I've been fighting with an issue at a customer site, trying to get traffic to go where I want it to go instead of where it wants to go.
So here is what I wanted:
So as you can imagine, this was a little frustrating, thinking I can't resolve a simple routing problem. However, what I found was that when I went into the CLI and looked at the routing table, the route for 10.1.1.0/24 was not in the routing table. See the route command in CLI:
[Expert@CPfirewall:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
20.20.20.20 * 255.255.255.248 U 0 0 0 eth2
192.168.5.0 * 255.255.255.0 U 0 0 0 eth3
172.16.1.0 * 255.255.255.0 U 0 0 0 eth1
default - 0.0.0.0 UGD 0 0 0 eth2
[Expert@CPfirewall:0]#
See, the route to 10.1.1.0/24 is just not there. It is taking the default route instead. However, it IS in the WebUI in GAIA:
So, as you can see, it is in there. So, I decided to add the second route you see above in CLI. It wasn't there at first, but as a test I wanted to add it to see what it would do in CLI. I added the route to 10.1.1.5/32 in CLI. And, as you see below, I am also able to ping 10.1.1.5 after I add the static route:
CPfirewall> set static-route 10.1.1.5/32 nexthop gateway address 192.168.5.1 on
CPfirewall> ping 10.1.1.5
PING 10.1.1.5 (10.1.1.5) 56(84) bytes of data.
64 bytes from 10.1.1.5: icmp_seq=1 ttl=124 time=46.9 ms
64 bytes from 10.1.1.5: icmp_seq=2 ttl=124 time=44.0 ms
--- 10.1.1.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 44.024/45.487/46.950/1.463 ms
[Expert@CPfirewall:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.1.5 192.168.5.1 255.255.255.255 UGHD 0 0 0 eth3
20.20.20.20 * 255.255.255.248 U 0 0 0 eth2
192.168.5.0 * 255.255.255.0 U 0 0 0 eth3
172.16.1.0 * 255.255.255.0 U 0 0 0 eth1
default - 0.0.0.0 UGD 0 0 0 eth2
[Expert@CPfirewall:0]#
What??? Now I can see 10.1.1.5 in the routing table AND it pings. How is it that I can now ping 10.1.1.5, but not reach 10.1.1.60 (which is what I really want to get to)? So I decided to go in and delete the 10.1.1.0/24 route from the WebUI in GAIA, and add it in CLI instead:
CPfirewall> set static-route 10.1.1.0/24 nexthop gateway address 192.168.5.1 on
CPfirewall> save config
CPfirewall> expert
Enter expert password:
Warning! All configuration should be done through clish
You are in expert mode now.
[Expert@CPfirewall:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.1.5 192.168.5.1 255.255.255.255 UGHD 0 0 0 eth3
20.20.20.20 * 255.255.255.248 U 0 0 0 eth2
192.168.5.0 * 255.255.255.0 U 0 0 0 eth3
10.1.1.0 192.168.5.1 255.255.255.0 UGD 0 0 0 eth3
172.16.1.0 * 255.255.255.0 U 0 0 0 eth1
default 0.0.0.0 UGD 0 0 0 eth2
[Expert@CPfirewall:0]#
CPfirewall> ping 10.1.1.60
PING 10.1.1.60(10.1.1.60) 56(84) bytes of data.
64 bytes from 10.1.1.60: icmp_seq=1 ttl=124 time=47.9 ms
64 bytes from 10.1.1.60: icmp_seq=2 ttl=124 time=42.0 ms
--- 10.1.1.60 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 47.024/45.487/46.950/1.463 ms
So, I chalk this up to a bug in the software. You have to think that when you are in the GUI, you are banking on the translation to the CLI being correct. Who makes that happen? Programmers. You have to code it right to make the translation into CLI work right.
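The practical lesson from the above is that what Gaia shows as configured and what the kernel is actually forwarding on can drift apart, and the only way to know is to compare the two. The script below is an added example, not from the original post: it takes the "set static-route ... on" lines that clish prints for the saved configuration and the numeric kernel table from "route -n", and reports every configured prefix for which the kernel has no route with the same destination and netmask. The sample data is constructed to mirror the post's first routing table (the default-route gateway 20.20.20.17 is a made-up placeholder), and the way of collecting live data shown in the comments is an assumption about how you would feed it on a real box.

```shell
#!/bin/sh
# Added example (not from the original post): audit Gaia static routes against
# the kernel routing table and report any configured route the kernel lacks.
# On a live gateway the two inputs are assumed to be collected like this:
#   CONFIGURED=$(clish -c "show configuration" | grep '^set static-route')
#   KERNEL=$(route -n)
# The sample data below is constructed to mirror the post's first "route"
# output; 20.20.20.17 as the default gateway is a made-up placeholder.

CONFIGURED='set static-route default nexthop gateway address 20.20.20.17 on
set static-route 10.1.1.0/24 nexthop gateway address 192.168.5.1 on'

KERNEL='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
20.20.20.16     0.0.0.0         255.255.255.248 U     0      0        0 eth2
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         20.20.20.17     0.0.0.0         UG    0      0        0 eth2'

# Turn a prefix length (0-32) into a dotted-decimal netmask, e.g. 29 ->
# 255.255.255.248, so it can be compared with the Genmask column of "route -n".
prefix_to_mask() {
    awk -v n="$1" 'BEGIN {
        for (i = 0; i < 4; i++) {
            bits = n - 8 * i
            if (bits >= 8)      octet = 255
            else if (bits <= 0) octet = 0
            else                octet = 256 - 2 ^ (8 - bits)
            mask = (i == 0) ? octet : mask "." octet
        }
        print mask
    }'
}

# Print every configured prefix for which the kernel has no route with the
# same destination and netmask. Arguments: configured lines, kernel table.
missing_routes() {
    configured=$1
    kernel=$2
    printf '%s\n' "$configured" | while read -r line; do
        # Only active "set static-route <prefix> ... on" lines are routes.
        case $line in
            "set static-route "*" on") ;;
            *) continue ;;
        esac
        set -- $line             # word-split the line: $3 is the prefix
        prefix=$3
        if [ "$prefix" = default ]; then
            network=0.0.0.0      # "route -n" shows the default route as 0.0.0.0/0.0.0.0
            mask=0.0.0.0
        else
            network=${prefix%/*}
            mask=$(prefix_to_mask "${prefix#*/}")
        fi
        # Columns of "route -n": Destination Gateway Genmask ...
        if ! printf '%s\n' "$kernel" |
             awk -v d="$network" -v m="$mask" \
                 '$1 == d && $3 == m { found = 1 } END { exit found ? 0 : 1 }'; then
            printf '%s\n' "$prefix"
        fi
    done
}

# Demo run: prints 10.1.1.0/24, the route Gaia shows but the kernel lacks.
missing_routes "$CONFIGURED" "$KERNEL"
```

Run it from Expert mode after every route change and after each reboot or policy push; an empty result means the control plane and the kernel agree, and any line it prints is a route that traffic is silently taking the default path for, exactly the situation in the post. Because it compares destination and netmask only, it also works against the non-numeric "route" output shown above except for the default route, which that output labels "default" rather than 0.0.0.0.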
Excellent post!!! Do you have experience with VSX Check Point? If yes, can you please share how to install and run basic commands of VSX Check Point?
No, no experience with VSX. I imagine it's probably not much different though.
Thanks for the quick reply!! OK!... Actually, I am new to Check Point and my workplace has a 12200 Check Point and a VSX Check Point. Are there any basic commands on the Check Point CLI, like in Cisco ASA, to view configuration and configure interfaces, to view interfaces, to see interface configuration, captures, to set captures, to configure an interface, check HSRP, etc.?
I've seen this kind of weird behaviour before with other settings. Settings you see in Gaia Portal or CLISH are not shown when you look them up in Expert mode. Sometimes the settings are not in sync with the OS. Unfortunately you showed the route table in Expert mode and not in CLISH. I strongly believe you would've seen the route too in CLISH. The only workaround I have is pretty much the same. Change the parameter via CLISH or Gaia Portal, check if you can see it in the OS, and then change it back to the original setting. To me this sounds like a bug too.
Yeah, very nice post man. I also would be curious to see if it showed up if you did a "clish -c "show route"".