Monday, December 2, 2019

No TCP-SYN packet through Checkpoint - only for Windows machines?! pcap link inside!

I have a particularly weird problem:

Clients - [SNAT-CPE(111.111.220.38)] -- Internet -- [CHECKPOINT] - Webserver(111.111.217.51)

PCAP files (anonymized), captured on checkpoint external interface: https://drive.google.com/open?id=1xSif_0HrgA1kTcK8-ND-y05byMlMLAy4

  • All client machines are NAT'ed to the same public IP before hitting the Checkpoint.
  • Clients try to access a webserver behind the Checkpoint.
  • Only macOS/Linux machines can access the webserver.
  • All machines can ICMP ping the webserver.

  • Windows machines fail the 3-way TCP handshake.
  • The TCP SYN packet is never seen on the server or on the internal Checkpoint interface.
  • The Windows TCP SYN packet is silently dropped in the Checkpoint??

  • All traffic can be seen on the Checkpoint external interface.

  • No "L7" inspection.
  • Nothing in logs.

I have made a rule at the top of the Checkpoint firewall policy to match my client's NAT'ed address and the webserver address, just accept and log, but there is still nothing from the Windows client. Linux/macOS works as expected.


