Checkpoint error message - Dropped packet forwarded between two external interfaces

Level: Intermediate
Platform: Check Point R61, R62, R65, UTM, VPN-1 Power, Nokia IP560, Nokia IP390
Author: Dinesh Aggarwal

This article explains the meaning of the common Check Point error message "Dropped packet forwarded between two external interfaces". Understanding this message is important because it points directly at the cause of problems that can otherwise take a long time to troubleshoot.

The problem: A new VLAN was added on the switch, but hosts on it could not reach the internet, even after a firewall rule allowing internet access from that VLAN had been added.

The solution: Check the firewall log. It showed an anti-spoofing drop:

Number:           393645
Date:                24Jul2007
Time:                13:07:52
Product:           VPN-1 Pro/Express
Interface:          eth1c0
Origin:              testfirewall
Type:                Log
Action:             Drop
Protocol:          tcp
Service:            http (80)
Source:             10.100.7.11 (10.100.7.11)
Destination:       jc-in-f99.google.com (64.233.187.99)
Source Port:     32775
Information:      message_info: Address spoofing

The above log entry shows that the Check Point firewall's anti-spoofing check has flagged the packet as spoofed: its source address 10.100.7.11 is not part of the topology defined for the interface it arrived on, so the traffic is blocked. After adding the network 10.100.7.0/24 to the inside interface's topology and spoofing group, this message stopped, but the internet was still not reachable and the firewall logged the following error instead:

Number:           395297
Date:                24Jul2007
Time:                13:11:09
Product:           VPN-1 Pro/Express
Interface:          eth3c0
Origin:               testfirewall
Type:                Log
Action:             Drop
Protocol:          tcp
Service:            http (80)
Source:             10.100.7.11 (10.100.7.11)
Destination:       eh-in-f99.google.com (72.14.207.99)
Source Port:     32778
Information:      message_info: Dropped packet forwarded between two external interfaces

In SmartView Tracker this shows up as two messages for the same connection from source 10.100.7.11 to google.com: one allowed and one dropped.

This message means the firewall has no route for the newly added VLAN network. Without that route, traffic for 10.100.7.0/24 can only match the default route, which points out an external interface, so the firewall would be forwarding packets between interfaces that are both defined as External and drops them instead. Simply add a route in the firewall for the new network (10.100.7.0/24) and everything works.
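As an added example that is not part of the original article or of Check Point's own tooling, the following Python triages drop records in the "Field: value" layout quoted above and maps each of the two messages seen here to the configuration change it calls for. The interface topology and routing table it checks against are constructed to match the story above (interfaces eth1c0 and eth3c0, a /24 for the new VLAN); all of those values are assumptions.

```python
"""Triage Check Point drop records of the kind quoted in the article.

Added example (not from the article or from Check Point): it parses the
'Field: value' record layout shown above, then explains each drop against a
constructed interface topology and routing table (all values are made up)."""
import ipaddress

# Constructed topology: networks expected behind each interface (what the
# anti-spoofing check uses) and whether the interface is defined as External.
TOPOLOGY = {
    "eth1c0": {"external": False, "networks": ["10.100.1.0/24", "10.100.2.0/24"]},
    "eth3c0": {"external": True, "networks": []},
}
# Constructed routing table that still lacks the new VLAN, 10.100.7.0/24.
ROUTES = {"10.100.1.0/24": "eth1c0", "10.100.2.0/24": "eth1c0", "0.0.0.0/0": "eth3c0"}

def parse_record(text):
    """Turn a SmartView Tracker style 'Field: value' block into a dict."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")   # first colon only; times keep theirs
        rec[key.strip()] = value.strip()
    return rec

def egress_for(ip):
    """Longest-prefix route lookup; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen, default=None)
    return ROUTES[str(best)] if best else None

def diagnose(record):
    """Map the drop reason in a record to the configuration change it calls for."""
    src = record["Source"].split()[0]            # 'ip (ip)' -> ip
    info = record["Information"]
    # The article treats the new VLAN as a /24; derive it from the source host.
    net = ipaddress.ip_network(f"{src}/24", strict=False)
    if "Address spoofing" in info:
        known = any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                    for i in TOPOLOGY.values() for n in i["networks"])
        if not known:
            return f"anti-spoofing: add {net} to the topology of interface {record['Interface']}"
    if "between two external interfaces" in info:
        # Replies to the new host can only match the default route, so the firewall
        # would send them back out an External interface and drops them instead.
        out = egress_for(src)
        if out is None or TOPOLOGY[out]["external"]:
            return f"missing route: add a route for {net} via an internal interface"
    return "no known cause"
```

Feeding it the two records above gives the anti-spoofing fix for the first and the missing-route fix for the second, which is the order in which they were resolved in this case.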

If you have any suggestions or want to add more to this article, do write to us at articles@knowurtech.com.
