Tuesday, June 30, 2015

Packet Capture: Is Traffic Being Encrypted On My Check Point Appliance

This post deals with a recent issue I had where a Check Point firewall was not encrypting traffic when it needed to.  Now I like CLI better, as most people know.  So I pulled up the CLI to do a packet capture of what was going on.  I'm on a 4800 Check Point appliance.  I want to see if my remote client 192.168.10.X network is getting to the 192.168.7.X remote network.  The 192.168.7.X network is across a site-to-site VPN from my Check Point 4800.  My mobile client sits at home, VPN'ed into the 4800.

With that said, I found that the traffic was not being encrypted.  Below is a snippet of what I saw that tipped me off:
[Expert@CP-N2:0]# fw monitor -e "accept host(192.168.10.1) and ip_p=1;"
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth1:i[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:O[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56

Notice in the output above that the packet goes through all four phases (i, I, o, O) of traversing the Check Point.  Now, below, you will see that I resolved the issue and the packet capture looks different.
[Expert@CP-N2:0]# fw monitor -e "accept host(192.168.10.1) and ip_p=1;"
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15346
ICMP: type=8 code=0 echo request id=1 seq=68
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15346
ICMP: type=8 code=0 echo request id=1 seq=68
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15348
ICMP: type=8 code=0 echo request id=1 seq=69
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15348
ICMP: type=8 code=0 echo request id=1 seq=69

Now, I don't have the problem fixed, but I at least see the traffic being encrypted coming from the mobile client, which is better than before.  See above, how it only traverses two phases (I and o) instead of four.

This is a good way, in CLI, to know if a packet is being encrypted or not on the Check Point appliance.
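To make that check repeatable, here is an added example (my own code, not something from the post or from Check Point) that parses fw monitor header lines, groups them by source, destination and IP id, and applies the rule of thumb from the post: a packet seen at all four inspection points (i, I, o, O) was forwarded in the clear end to end, while a packet seen only at I and o was decrypted on the way in and encrypted on the way out (the host() filter only matches the inner cleartext packet; the encapsulated packet at i and O carries the gateway/peer addresses and is filtered out).  The two captures from the post are embedded as constructed sample input; the regex, function names and the verdict labels are my own assumptions.

```python
import re
from collections import OrderedDict

# One fw monitor header line per inspection point, for example:
# [vs_0][fw_0] eth1:i[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
# Regex is an assumption based on the lines shown in the post.
HEADER_RE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\]\s+(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>[^)]+)\)\s+len=\d+\s+id=(?P<ipid>\d+)"
)

POINT_NAMES = {"i": "pre-inbound", "I": "post-inbound",
               "o": "pre-outbound", "O": "post-outbound"}

# Constructed sample input: the "before" capture from the post.
BEFORE_FIX = """\
[Expert@CP-N2:0]# fw monitor -e "accept host(192.168.10.1) and ip_p=1;"
 monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth1:i[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:O[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
"""

# Constructed sample input: the "after" capture from the post.
AFTER_FIX = """\
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15346
ICMP: type=8 code=0 echo request id=1 seq=68
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15346
ICMP: type=8 code=0 echo request id=1 seq=68
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15348
ICMP: type=8 code=0 echo request id=1 seq=69
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15348
ICMP: type=8 code=0 echo request id=1 seq=69
"""


def parse_fw_monitor(text):
    """Group header lines by (src, dst, IP id) and record, in order, the
    interface and inspection point each packet was captured at."""
    packets = OrderedDict()
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m is None:
            continue  # prompt, 'monitor:' status lines, ICMP detail lines
        key = (m["src"], m["dst"], int(m["ipid"]))
        packets.setdefault(key, []).append((m["iface"], m["point"]))
    return packets


def classify(points):
    """Apply the post's rule of thumb to one packet's inspection-point trail.
    'cleartext': seen at i, I, o and O, so it left the gateway unencrypted.
    'vpn': seen only at I and o, i.e. between decryption and encryption.
    'other': anything else (dropped packet, partial capture, unusual path)."""
    trail = "".join(point for _, point in points)
    if trail == "iIoO":
        return "cleartext"
    if trail == "Io":
        return "vpn"
    return "other"


def summarize(text):
    """Return {(src, dst, ipid): (trail, verdict)} for one fw monitor capture."""
    result = OrderedDict()
    for key, points in parse_fw_monitor(text).items():
        trail = ",".join(f"{iface}:{point}" for iface, point in points)
        result[key] = (trail, classify(points))
    return result


if __name__ == "__main__":
    for label, capture in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"== {label} ==")
        for (src, dst, ipid), (trail, verdict) in summarize(capture).items():
            print(f"{src} -> {dst} id={ipid}: {trail} => {verdict}")
```

Run it against a saved fw monitor transcript instead of the embedded samples by reading the file into summarize(); any packet that comes back as "cleartext" for an address pair that should be inside a VPN is the same tip-off the post describes.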
