
too many internal hosts


ssphoenix

IS-IT--Management
Jan 22, 2001
306
US
Recently I am getting this error on my Checkpoint 4.1, WinNT 4.0 with SP6a. I believe the pack of the Checkpoint is 2. I've done the following:

- Checked to make sure that the external interface of the firewall config points to the external interface E100B2.
- Checked that the external.if does have the external interface name.
- Cleared the nodes file
- Looked at the hosts in the log with FW lichosts. Most of the hosts are internal, but I found a few external ones that are not pingable, and I cannot track them in any way.
- Removed the files fwd.h and fwd.hosts

From the firewall I cannot ping anything other than the two interfaces of the box. If the services are shut down, I can ping everything. The odd thing is that the firewall works fine now, but I believe that if I don't clear the hosts log, it will not.

The firewall has been working for more than 7 months without any problems. No changes have been made that would suggest something is wrong with the config.

What I am about to do is apply SP5 on the firewall. However, I've stumbled upon a post where it was advised not to apply SP5 on a WinNT SP6a. Is this true?

Is there anything else I can check? I do have enough licenses to cover all my devices. Why does the hosts list show lots of hosts unknown to my network? How can I get rid of them? All my rules are internal, with the exception of a few users that are working from home using VPN.

Help would be greatly appreciated.

Thanks.
 
It is definitely seeing the addresses from somewhere on the internal networks, and this is pushing you over your licence. Just a couple of things that may be worth a check: Is the VPN a Checkpoint VPN client, or to an internal MS VPN server? I have had issues with the MS setup. It seemed that the MS VPN server appeared to leak packets from external connections onto the internal network; these were then seen by the FW and logged as internal hosts. Also, have you got any sort of load balancer for servers etc. internally? These again seem to cause probs, as they spoof the external address in the initial connection setup. Other than these, just check that there are no other connections being made to the internal network by other links etc. In my experience the FW appears to see every source address used internally, even if it cannot route back to them.

Hope this helps...
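The manual check described in this thread (sorting the hosts the firewall counts against its licence into expected internal addresses and strays that should not be there), written as an added example that is not from either poster; the sample address list, the internal network ranges and the licence limit are constructed, and in practice the list would come from the firewall's own host listing.

```python
import ipaddress

# Constructed sample of addresses as a firewall host listing might report
# them (not real data). Duplicates are included deliberately.
SEEN_HOSTS = [
    "192.168.1.10", "192.168.1.11", "192.168.1.10", "192.168.1.250",
    "10.8.0.5",        # assumed address from a VPN client pool
    "203.0.113.44",    # documentation-range address: not an internal host
    "198.51.100.7",    # another stray external source address
]

# Assumed: the networks the administrator actually defines as internal,
# plus the VPN client pool. Replace with the real topology.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]


def classify_hosts(seen, internal_nets):
    """Return (counted, unexpected): the unique hosts that count toward the
    licence, and the subset that lies outside every defined internal network."""
    counted = sorted({ipaddress.ip_address(h) for h in seen})
    unexpected = [h for h in counted if not any(h in net for net in internal_nets)]
    return counted, unexpected


def licence_report(seen, internal_nets, licence_limit):
    """Summarise how close the counted hosts are to the licence limit and
    which addresses an administrator should chase down (leaking VPN,
    spoofing load balancer, unexpected links) before buying more licences."""
    counted, unexpected = classify_hosts(seen, internal_nets)
    return {
        "counted": len(counted),
        "limit": licence_limit,
        "over_limit": len(counted) > licence_limit,
        "unexpected": [str(h) for h in unexpected],
        # hosts that would remain counted once the stray addresses are gone
        "expected_only": len(counted) - len(unexpected),
    }


if __name__ == "__main__":
    # Constructed licence limit of 5 hosts for the demonstration.
    print(licence_report(SEEN_HOSTS, INTERNAL_NETS, 5))
```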
 
Thank you for your reply. I use the Checkpoint VPN and do not use any load balancing servers. I am in a relatively small network with around 100 workstations.

You are right, and indeed the firewall reads more addresses than necessary. But how to combat that? I've tried several addresses but am unable to find their destination, as they are not pingable.

I will need to apply the latest service pack. However, as mentioned, I heard that their latest pack does not work well on WinNT SP6a. Is this true? I am sure that if I apply at least one of the latest packs, it would perhaps solve my problem.

The firewall seems to work OK, but I am getting lots of these messages in the event viewer, which bothers me.

Thank you again.
 