When you suspect your Check Point firewall is blocking your connection

Congratulations! After all the ping, telnet and tracert tests from different IP addresses, and after eliminating agents on the endpoint test machine, you have decided that the communication problem probably comes from the firewall.

In this tutorial, I will show you the basics of how to start checking whether the firewall is blocking or interrupting your communication.

1. First, check the logs to see if packets are getting dropped!

2. To really rule out a problem with the firewall rules, I suggest creating a temporary permit-any rule just for testing.



3. Make sure that NAT is configured for the specific VLAN.

4. Every packet that goes out must come back in, so check that you have a static route for the return traffic.

5. Check the IPS log; it’s a must!

6. This command gives you more reasons why the packet got dropped than the GUI version in step 1. Connect using SSH to the firewall GW machine and run this command: “fw ctl zdebug + drop | grep X.X.X.X”

7. Check the interface details for an MTU mismatch, a duplex issue, or CRC errors on the network card.

8. Make the standby active. I hope your firewall is part of a cluster; if so, try working with the second FW.

  • Command “cphastop” to stop a cluster member from passing traffic. Stops synchronization. (emergency only)
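
The drop debug from step 6 can produce many lines, so here is an added example (not from the original post) that counts drop reasons for one host from saved output and matches the IP exactly, which a plain “grep X.X.X.X” does not. The function names, the sample lines and the assumed line layout are constructed for illustration; the layout can differ between versions.

```shell
#!/bin/sh
# Added example: count drop reasons for one host in saved
# "fw ctl zdebug + drop" output. Assumed line layout (varies by version):
#   ...Packet proto=P SRC:SPORT -> DST:DPORT dropped by FUNC Reason: TEXT;

# summarize_drops IP   (reads debug lines on stdin)
# Matches IP exactly as source or destination, so 10.1.1.1 does not also
# match 10.1.1.10 the way an unanchored "grep 10.1.1.1" would.
summarize_drops() {
    awk -v ip="$1" '
        / dropped by / {
            src = ""; dst = ""
            n = split($0, f, " ")
            for (i = 2; i < n; i++)
                if (f[i] == "->") { src = f[i-1]; dst = f[i+1]; break }
            sub(/:[0-9]+$/, "", src)        # strip the port
            sub(/:[0-9]+$/, "", dst)
            if (src != ip && dst != ip) next
            pos = index($0, "Reason: ")
            reason = (pos ? substr($0, pos + 8) : "(no reason field)")
            sub(/;[ \t\r]*$/, "", reason)   # trailing ";" and line ending
            count[reason]++
        }
        END { for (r in count) printf "%d\t%s\n", count[r], r }
    ' | sort -rn
}

# Constructed sample lines (not captured from a real gateway).
sample_zdebug_output() {
    cat <<'EOF'
@;1001;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.1:51515 -> 192.0.2.10:443 dropped by fw_send_log_drop Reason: Rulebase drop - rule 7;
@;1002;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.1:51516 -> 192.0.2.10:443 dropped by fw_send_log_drop Reason: Rulebase drop - rule 7;
@;1003;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 10.1.1.10:40000 -> 192.0.2.10:22 dropped by fw_send_log_drop Reason: Rulebase drop - rule 9;
@;1004;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:443 -> 10.1.1.1:51515 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
EOF
}

# Demo on the constructed sample: prints "count<TAB>reason", most frequent first.
sample_zdebug_output | summarize_drops 10.1.1.1
```

On the gateway, save the output of the step 6 command (without the grep) to a file while reproducing the problem, then feed that file to summarize_drops on standard input.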
