Hi all, I have a CSG server (10.10.10.2) in the DMZ that authenticates via an RSA server (192.168.55.5) in the LAN. The firewall interfaces are Internet 203.x.x.1/28, LAN 192.168.55.1/24, DMZ 10.10.10.1/24.
I am migrating the current Symantec firewall to Checkpoint NG AI R55 with Secure Platform. Before migration, this Citrix CSG and RSA infrastructure was working fine. After the cutover, I noticed the CSG is having difficulty communicating with the RSA server. On the firewall LAN interface (192.168.55.1), tcpdump shows 10.10.10.2 sending UDP packets to 192.168.55.5 on port 5500 (showing in SmartView Tracker as well), and 192.168.55.5 is returning packets to 10.10.10.2 as well. However, on the firewall DMZ interface (10.10.10.1), I can only see the packets going from 10.10.10.2 to 192.168.55.5 but not vice versa. And I don't see any packet drops in SmartView Tracker (I have logged all rules, both implied rules, and anti-spoofing). I have gone through the rulebase, made sure there is no NAT translation between DMZ and LAN, and also tried adjusting options in Global Properties and SmartDefense, but without any luck. At the same time, TCP and ICMP traffic seem to be fine from each side. Has anyone seen this before, or any idea what it is? Thanks, Phil
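As an added diagnostic example (not part of the original post), the script below automates the comparison Phil is doing by hand: it parses tcpdump text from the LAN and DMZ interfaces and lists flows that the server answered on the LAN side but that never appeared on the DMZ side. The capture lines and port numbers are constructed samples modelled on the scenario described (UDP/5500 reply missing, TCP fine).

```python
import re

# Constructed sample captures (not from the original post), one per firewall interface.
LAN_CAPTURE = """\
12:00:01.000100 IP 10.10.10.2.47211 > 192.168.55.5.5500: UDP, length 164
12:00:01.000900 IP 192.168.55.5.5500 > 10.10.10.2.47211: UDP, length 112
12:00:02.000100 IP 10.10.10.2.47212 > 192.168.55.5.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000500 IP 192.168.55.5.22 > 10.10.10.2.47212: Flags [S.], seq 2, ack 2, win 65535, length 0
"""
DMZ_CAPTURE = """\
12:00:01.000000 IP 10.10.10.2.47211 > 192.168.55.5.5500: UDP, length 164
12:00:02.000000 IP 10.10.10.2.47212 > 192.168.55.5.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000600 IP 192.168.55.5.22 > 10.10.10.2.47212: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Matches the "IP src.sport > dst.dport: UDP|Flags" part of a tcpdump -n line.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (UDP|Flags)")


def parse_flows(capture):
    """Return a set of (proto, src, sport, dst, dport) tuples, one per tcpdump line."""
    flows = set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-IP or unrecognised line, e.g. ARP
        src, sport, dst, dport, kind = m.groups()
        proto = "udp" if kind == "UDP" else "tcp"
        flows.add((proto, src, int(sport), dst, int(dport)))
    return flows


def missing_replies(lan_capture, dmz_capture, server_ip):
    """Flows from server_ip seen on the LAN interface but absent on the DMZ interface.

    Such flows entered the firewall but were never forwarded out, which points at
    the firewall itself (state table, anti-spoofing, NAT) rather than at the hosts.
    """
    lan_flows = parse_flows(lan_capture)
    dmz_flows = parse_flows(dmz_capture)
    return sorted(f for f in lan_flows - dmz_flows if f[1] == server_ip)


if __name__ == "__main__":
    for proto, src, sport, dst, dport in missing_replies(LAN_CAPTURE, DMZ_CAPTURE, "192.168.55.5"):
        print(f"{proto} {src}:{sport} -> {dst}:{dport} seen on LAN, missing on DMZ")
```

On a real box the two inputs would be the saved output of `tcpdump -n -i <lan-if>` and `tcpdump -n -i <dmz-if>` taken over the same interval.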
