Netgate Discussion Forum

Ignore Checkpoint CCP in firewall rules

Firewalling
7 Posts 3 Posters 1.0k Views
mamawe, Feb 4, 2020, 10:18 AM

    Checkpoint CCP sends many datagrams per second from 0.0.0.0:8116/udp to $some_address:8116/udp on all interfaces.

    My problem is that there is a checkpoint cluster with interfaces on the same segment as a pfSense firewall.
    This is clogging the firewall logs with messages from the block bogon rule on that interface.

    The bogons table contains 0.0.0.0/8 and 68 other addresses.

    I would like to keep the block bogon rule active on this interface but quiet, i.e. no logs from this rule.

    Does anyone know how I can achieve this?

    I tried to create a separate rule to block this traffic quietly, but wasn't able to place it above the block bogon rule.

    Thanks,
    Mathias

NogBadTheBad @mamawe, Feb 4, 2020, 10:31 AM (edited 10:39 AM)

      @mamawe

      https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/5990/FILE/sk31085_Cluster_Control_Protocol_Functionality.pdf

      It's either broadcast or multicast; do all the packets share a common port?

      Is this on the WAN interface or LAN ?

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

mamawe @NogBadTheBad, Feb 4, 2020, 11:32 AM

        It's either broadcast or multicast; do all the packets share a common port?

        Yes, all packets have Port 8116/udp as source and as destination port.

        Is this on the WAN interface or LAN ?

        It's on the WAN interface.

NogBadTheBad, Feb 4, 2020, 1:21 PM (edited 4:07 PM)

          The only thing I could suggest is disabling the auto bogon rule, creating your own rule at the top and setting it to not log, then creating your own bogon rule beneath it.

          @jimp is there any way to create a firewall rule by hand using the bogons & bogonsv6 tables rather than cutting and pasting the entries into an alias?

          I'm guessing that you could use pfBlockerNG-dev.

          Andy


jimp (Rebel Alliance, Developer, Netgate), Feb 4, 2020, 1:23 PM

            No, but you can just uncheck the box for logging bogons on Status > System Logs, Settings tab.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

NogBadTheBad @jimp, Feb 4, 2020, 1:26 PM (edited 1:39 PM)

              Ah, found a bogon list that may be pfBlockerNG-dev compatible, if you don't want to switch off logging of all bogons.

              https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

              https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

              Andy


mamawe, Feb 4, 2020, 2:25 PM (edited 2:31 PM)

                This is what I did:

                First I took the current bogon list from the pfSense CLI with

                pfctl -t bogons -T show
                

                Then I changed to the web interface and created a Firewall Alias IP named handmade_bogon_list with just the first network.

                Back in the CLI I called viconfig and added the remaining networks from the list. This is faster for me than pasting it in the webinterface.

                Now I could add a blocking rule using handmade_bogon_list in the source that logs.
                In front of this rule I've put a special blocking rule for port 8116/udp that doesn't log.
                At last I unchecked the box for blocking bogons at Interfaces > WAN > Reserved Networks to make this work.

                This setup already showed me that there is a DHCP client in that network that needs to be tracked down.

                Thanks for all your input.

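Added example, not code from this thread and not part of pfSense: a small Python model of the rule order mamawe ended up with (a silent block for CCP on udp/8116 first, then a logged block on a hand-made bogon alias), together with a parser for the `pfctl -t bogons -T show` output that alias was built from. The sample table output is a constructed subset of the real table, and the alias text is emitted as a space-separated CIDR list, which is my assumption about how a pfSense network alias is stored in config.xml; check it against your own config.xml before editing with viconfig. The reversed-order run at the end shows why the quiet rule has to sit above the bogon rule.

```python
# Added example (not from the forum thread or pfSense). Assumptions: the pfctl
# sample below is a constructed subset of the bogons table, and the alias text
# format (space-separated CIDRs) is my guess at the config.xml <address> field.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of `pfctl -t bogons -T show` (the real table has ~69 entries).
SAMPLE_PFCTL_OUTPUT = """\
   0.0.0.0/8
   10.0.0.0/8
   100.64.0.0/10
   127.0.0.0/8
   169.254.0.0/16
   172.16.0.0/12
   192.0.2.0/24
   192.168.0.0/16
   224.0.0.0/4
   240.0.0.0/4
"""


def parse_pfctl_table(text: str):
    """Turn `pfctl -t <table> -T show` output into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def alias_address_field(nets) -> str:
    """Space-separated CIDR list for a pfSense network alias (format is an assumption)."""
    return " ".join(str(n) for n in nets)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str]                          # "udp", "tcp" or None for any
    src_nets: Tuple[ipaddress.IPv4Network, ...]   # empty tuple = any source
    src_port: Optional[int]
    dst_port: Optional[int]
    log: bool


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_nets and not any(ipaddress.ip_address(pkt.src) in n for n in rule.src_nets):
        return False
    if rule.src_port is not None and rule.src_port != pkt.sport:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dport:
        return False
    return True


def evaluate(pkt: Packet, rules):
    """First match wins, as with the 'quick' rules pfSense generates for interface tabs.
    Returns (rule name, whether the hit would be logged); "no_match" if nothing matched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.log
    return "no_match", False


def build_ruleset(bogons):
    """mamawe's order: silent CCP block first, logged bogon block second."""
    return [
        Rule("block_ccp_quiet", "udp", (), 8116, 8116, log=False),
        Rule("block_bogons_logged", None, tuple(bogons), None, None, log=True),
    ]


if __name__ == "__main__":
    bogons = parse_pfctl_table(SAMPLE_PFCTL_OUTPUT)
    rules = build_ruleset(bogons)
    ccp = Packet("udp", "0.0.0.0", 8116, "192.0.2.10", 8116)      # CCP noise
    dhcp = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)    # stray DHCP client
    print(alias_address_field(bogons))
    print("CCP :", evaluate(ccp, rules))                 # ('block_ccp_quiet', False)
    print("DHCP:", evaluate(dhcp, rules))                # ('block_bogons_logged', True)
    print("CCP, reversed:", evaluate(ccp, rules[::-1]))  # logged again, wrong order
```

The DHCP packet is the interesting one: it comes from 0.0.0.0 like CCP but on different ports, so it still hits the logged bogon rule, which is exactly how the stray DHCP client in the last post showed up once the CCP chatter was silenced.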
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.