Ignore Checkpoint CCP in firewall rules
-
Checkpoint CCP sends many datagrams per second from 0.0.0.0:8116/udp to $some_address:8116/udp on all interfaces.
My problem is that there is a checkpoint cluster with interfaces on the same segment as a pfSense firewall.
This is clogging the firewall logs with messages from the block bogon rule on that interface. The bogons table contains 0.0.0.0/8 and 68 other addresses.
I would like to keep the block bogon rule active on this interface but quiet, i.e. no logs from this rule.
Does anyone know how I can achieve this?
I tried to create a separate rule to block this traffic quietly, but wasn't able to place it above the block bogon rule.
Thanks,
Mathias
-
https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/5990/FILE/sk31085_Cluster_Control_Protocol_Functionality.pdf
It's either broadcast or multicast; do all the packets share a common port?
Is this on the WAN interface or LAN?
-
It's either broadcast or multicast; do all the packets share a common port?
Yes, all packets have port 8116/udp as source and as destination port.
Is this on the WAN interface or LAN?
It's on the WAN interface.
-
The only thing I could suggest is disabling the auto bogon rule, creating your own rule at the top and setting it to not log, then creating your own bogon rule beneath it.
@jimp is there any way to create a firewall rule by hand using the bogons & bogonsv6 tables rather than cutting and pasting the entries into an alias?
I'm guessing that you could use pfBlockerNG-dev.
-
No, but you can just uncheck the box for logging bogons on Status > System Logs, Settings tab.
-
Ah, found a bogon list that may be pfBlockerNG-dev compatible, if you don't want to switch off logging of all bogons.
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
-
This is what I did:
First I took the current bogon list from the pfSense in the CLI with
pfctl -t bogons -T show
Then I changed to the web interface and created a Firewall Alias IP named handmade_bogon_list with just the first network.
Back in the CLI I called
viconfig
and added the remaining networks from the list. This is faster for me than pasting it in the web interface. Now I could add a blocking rule using handmade_bogon_list in the source that logs.
In front of this rule I've put a special blocking rule for port 8116/udp that doesn't log.
At last I unchecked the box for blocking bogons at Interfaces > WAN > Reserved Networks to make this work. This setup already showed me that there is a DHCP client in that network that needs to be tracked down.
Thanks for all your input.
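The setup from the last post, as an added worked example (not code from the thread, from pfSense or from Check Point): a POSIX sh script that writes the pf.conf fragment for the hand-made bogon table with a quiet "quick" block for the CCP datagrams placed before the logging bogon block, checks that the two rules are in the right order, and reports which table entry covers a given source address (which is how you confirm that both the CCP traffic from 0.0.0.0 and the stray DHCP client land in 0.0.0.0/8). The interface name `em0`, the table name and the table contents are assumptions; on a real box the table would come from `pfctl -t bogons -T show`.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Builds the ruleset
# described in the last post: silent block for CCP (udp/8116 from
# 0.0.0.0/8) ahead of a logging block on a hand-made bogon table.

# Constructed subset of what `pfctl -t bogons -T show` prints (assumption).
BOGONS_SAMPLE="0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
192.0.2.0/24"

CCP_PORT=8116

# gen_rules IFACE: print the pf.conf fragment. pf stops at the first
# matching "quick" rule, so the quiet CCP rule must come before the
# logging bogon rule or the log noise comes straight back.
gen_rules() {
    iface="$1"
    members=$(printf '%s\n' "$BOGONS_SAMPLE" | tr '\n' ' ' | sed 's/ *$//')
    printf 'table <handmade_bogon_list> persist { %s }\n' "$members"
    printf 'block quick on %s inet proto udp from 0.0.0.0/8 port %s to any port %s\n' \
        "$iface" "$CCP_PORT" "$CCP_PORT"
    printf 'block log quick on %s inet from <handmade_bogon_list> to any\n' "$iface"
}

# rule_order IFACE: succeed only if the quiet CCP rule precedes the logging
# bogon rule in the generated fragment.
rule_order() {
    gen_rules "$1" | awk -v port="$CCP_PORT" '
        $0 ~ "port " port " to any" && $0 !~ / log / { quiet = NR }
        /^block log quick/ { logging = NR }
        END { exit !(quiet && logging && quiet < logging) }'
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# in_cidr IP NET/BITS: succeed if IP lies inside the prefix.
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# bogon_entry IP: print the first table entry covering IP; fail if none.
# Explains a logged hit: the CCP source 0.0.0.0 and a DHCP client still
# sending from 0.0.0.0 both fall under the 0.0.0.0/8 entry.
bogon_entry() {
    printf '%s\n' "$BOGONS_SAMPLE" | {
        while read -r entry; do
            if in_cidr "$1" "$entry"; then
                printf '%s\n' "$entry"
                exit 0
            fi
        done
        exit 1
    }
}

gen_rules em0
rule_order em0 && echo "ok: quiet CCP rule precedes logging bogon rule"
bogon_entry 0.0.0.0
```

Load the generated fragment with `pfctl -nf` first to have pf syntax-check it before it goes anywhere near a live ruleset, and re-run `rule_order` after any hand edit of the rules file: the whole point of the setup is the ordering, and it is easy to lose when rules are moved around.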