Thread: Please help with cpstop;cpstart on Secureplatform Enforcement Module

United States
2007-07-31 07:42:25
I need help on this issue:

I have a SPLAT enforcement module with two interfaces, Internal and External. This SPLAT box is being managed by a Provider-1 SPLAT (manager+container). Everything is running NGX R61 with HFA_01. Everything is running on an EVAL license.

The Internal interface has an IP of 10.100.109.2/24 with the ClusterXL IP 10.100.109.1. The External IP address is 129.174.1.23/24 with the ClusterXL IP 129.174.1.22. Anti-spoofing is defined properly. Under the global properties, I have automatic ARP, NAT on the destination, etc. By the way, even though I only have a single firewall, I set up the firewall with ClusterXL in Active/Active in Unicast with the intention that I will add another firewall into ClusterXL next week.

I have a very simple rule:
Any  Any  Accept log

I have a Linux host behind the Internal interface with IP 10.100.109.12 and it is NATted to 129.174.1.12. Host 10.100.109.12 has its default gateway as 10.100.109.1.

Once I push the policy, hosts residing on the External network CAN ping the host 129.174.1.12. So far so good.

However, if I do "cpstop;cpstart" on the SPLAT enforcement module, hosts residing on the External network CAN NOT ping host 129.174.1.12. Several attempts to push the policy did not solve it. When I do "fw ctl arp" on the SPLAT box, I see this:

[EM-SPLAT-1-P]# fw ctl arp
 (129.174.1.12) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
 (129.174.1.11) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
[EM-SPLAT-1-P]#

It means that my static NAT is correct, but hosts on the External network CAN NOT ping the host 129.174.1.12. The only way to fix this is to REBOOT the SPLAT box.

Is this normal behavior for a SPLAT enforcement module? I've never seen this with Nokia IP appliances.

Can someone clarify this?