The actual IP, no. We have a /27 available, so say the gw is at 1.2.3.4,
well the web server is NAT'ed behind 1.2.3.5, ftp is behind 1.2.3.6,
smtp is behind 1.2.3.7, dns is behind 1.2.3.8, etc. 

For a test, we tried NAT'ing the web server behind 1.2.3.9, and we went
with auto-NAT this time as we usually manually NAT items, but we got
exactly the same results. Consistency!

Thanks,
eamonn

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Gary
Scott
Sent: 30 September 2011 16:55
To: [email protected]
Subject: Re: [FW-1] Odd http requests after upgrade to R75.20

Are you using the FW's external IP for service NAT?



________________________________
From: Eamonn Twohig <[email protected]>
To: [email protected]
Sent: Thursday, September 29, 2011 7:03 PM
Subject: [FW-1] Odd http requests after upgrade to R75.20

Hi all,

We've a bit of an oddity here after upgrading our firewalls to R75.20
from R65 HFA70. Management Server was done about 10 days ago whilst
gateways were done in the last two days.

Since the upgrade of one of the gateways yesterday, everything seemed to
be working as previously until we discovered that no-one could access our
website anymore. A quick investigation, using tcpdump and fw monitor,
revealed that the firewall was dropping all https requests when hitting
the external IP of the web server. Which is the weird thing, because
no-one is sending https requests, only http. It seems that the firewall
is somehow converting http requests to https and then obviously dropping
them as our rulebase will only allow http. There are no problems
accepting and forwarding smtp traffic; there are no problems for anyone
doing udp lookups against our dns server; no problems for anyone hitting
our ftp server. Only the web server is causing us grief.


We've opened a support case with Check Point but so far, they are
stumped. This mailing list has some experienced people as members
though, so thought I'd ask ye too. Has anyone seen something like this
before?

If all resources on the DMZ were inaccessible then that would make more
sense, or at least make it easier to troubleshoot, but this specific
issue with inbound http requests getting dropped as https is a little
odd.

Thanks,
Eamonn 




Confidentiality Notice: This electronic message contains information
that is privileged or confidential, is the property of QC Data, and is
intended only for the use of the intended recipient. If you are not the
intended recipient, you are hereby notified that disclosure, copying,
distribution or use of this information is prohibited. If you have
received this message in error, please delete the original message and
any copy of it in your possession and notify us by telephone or email
immediately.

QC Data (Ireland) Limited

Registered in Ireland, Number: 158091
VAT Registration No.: IE 6556091K

Registered office: 70 Sir John Rogersons Quay, Dublin 2, Republic of
Ireland.


Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
