Tricks to diagnose which rules, routes, events or actions are blocking traffic

diag debug flow filter add 10.212.134.200
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 10000
diag debug enable
diag debug reset
diag debug flow filter clear
diag debug flow show function console disable
diag debug flow show function-name disable


I do not know if some of you have had such a problem with Check Point Firewall, but every time a Manual NAT rule needs to be created, some administrators usually have this kind of problem. In SK30197 there are some links about Proxy ARP Configuration Steps. This configuration is based on two steps:

172.16.5.20 00:B4:F3:A8:C1:33

A brief summary of the "vi" editor

To access command mode in vi, press ESC. i – Insert text before cursor


Check Point

By default, traffic from Int to Ext is not restricted; you only need to configure NAT behind Gateway, i.e. give the internal hosts an external address for communication. Traffic from Ext to Int is restricted and requires adding a Rule to the firewall access list.

Two NAT modes:
Static: 1-to-1 mapping.
Hide: hides one or more internal IPs behind this Check Point ingress gateway (or a specific IP), similar to PAT; connections can only be initiated from the inside. For example, with 10.1.1.0 10.1.1.2-10.2.2.1 ext, all hosts in the 10.1.1.0 network are mapped to 10.2.2.1.
When an internal host must be reached from the outside, or the service port number cannot be changed, only STATIC mode can be used.

Two configuration methods:
Automatic: NAT configured in the HOST NODE is the automatic method; select Add automatic Address Translation Rule.
Manual: configure detailed manual NAT rules in the NAT TAB.

NAT precedence (when one is exhausted, the next is used): Static NAT, IP Pool NAT, Hide NAT.
IP Pool NAT can handle IPSec, GRE, IGMP and so on, which makes it suitable for VPN, whereas Hide NAT can only handle TCP, UDP and ICMP.

The automatic ISP redundancy mode in the configuration takes effect only when there really are two or more ISP interfaces.

Persistency by Service/Server: forces the firewall to remember how it first handled a given piece of traffic and to handle the same request the same way every time. A TIMEOUT is therefore necessary, to avoid waiting too long. In practice two RULEs are needed: one to tell the firewall to load-balance the specific traffic, and another to define passage for the specific port or traffic.


Xbeam

unix su (enter the Xbeam unix configuration)
rsh extfw_1/intfw_1 (enter the FW module)
show run -flat
tcpdump -i exvt299 vlan and host 10.10.10.1
tcpdump -i exvt299 vlan and net 10.10.10.0
configure vap-group intfw xslinux_v5 load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
configure vap-group intfw xslinux_v5 no rp-filter  # Disable RP filtering
configure vap-group intfw xslinux_v5 ip-flow-rule intfw_lb  # Configure a default IP flow rule for the VAP group
configure vap-group intfw xslinux_v5 ip-flow-rule intfw_lb action load-balance  # Set the IP flow rule action to load-balance traffic to all available VAP members
configure vap-group intfw xslinux_v5 ip-flow-rule intfw_lb activate



LuLU

Love coding and new technologies

Cloud Solution Consultant

Canada