credit card term traffic going out wrong firebox
XTM 515 v 12.1.3u3 (old)
M370 v 12.4.1 B595401 (new)
WSM / FSM 12.5.3
We're upgrading our firewalls; we're going from a XTM 515 to a M370.
I recreated the policies for our CCMachines to duplicate what was in our XTM firewall to our M370.
Just in the past couple of days I changed the 'default' gateway of our CC Machines from pointing to our XTM to point to our M370.
After getting all the users / equipment "default gateways" pointed at my new M370 firewall I shut down the XTM.
The problem I'm struggling with is the CCMachines won't process cards or do a "Statement Settlement" at the end of the day through the M370.
If I just turn the XTM 'on' without changing any default gateways back to point to the XTM the CCMachines process cards.
So, my CCMachines Default gateway points to my M370 but it's communicating out my XTM.
These terminals are on the same trusted network as my PCs and those are working fine.
To make the scenario worse one of the CCMachines works; they are all set up to run through the same policy.
** we used to have two XTM 515's, based on the users/equipment default gateway, that would determine which firebox your traffic went out. Now we're using just one firebox and everything uses the same default gateway.
What am I missing here?
Where should I be looking?
Comments
Could be a MAC addr cache issue on the problem CC machines.
A reboot of them would resolve this.
Make sure that you are logging on both firewalls the policy which allows out the CC machine traffic so that you know when each CC machine starts to send packets out the correct firewall.
@Bruce_Briggs
Thank you for your input.
I did reboot a couple of the CC machines but not for the reasons you suggest. I thought maybe they needed a reboot to save the changes properly.
After hours I did go to all my network switches and both firewalls and shut them down / rebooted them, hoping to clear out any leftover ARP cache that might be causing me the issues. (I left the XTM off).
Temporarily I'm leaving the XTM running so they can process CC's, while I try to monitor the logs to see what's happening.
Anything in the CC software setup which would point to a connection gateway which is the old firewall interface IP addr?
You can do packet captures on a firewall interface using TCP Dump.
You can set advanced options to specify the IP addr to capture, etc.
FSM:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
Web UI:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_diagnostics_tasks_web.html
Update:
I fixed / updated my Dimension this weekend. (Server went sideways a couple of weeks ago and I couldn't log in).
Now that I could see my log history again, I noticed that the CC machines weren't being listed/seen in either firewall!??
So, by chance I filtered by the 'old' IP address of the CC machine. Lo and behold, there it was. Even though I changed / re-IP'd our network weeks ago, these machines kept their old settings in the background.
I had to go to each CC machine, change the settings to DHCP, save and reboot; then change the settings back to Static, save and reboot. Now the new IPs are working, going out the new M370.
Thanks again Bruce.
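Bruce's advice to log the CC policy on both fireboxes and watch which box each terminal sends through, and the eventual fix of filtering the logs by the old address, can be turned into a small check. The script below is an added example, not code from the thread or from WatchGuard. The log line layout, the firebox names, the terminal inventory and every IP address in it are constructed for the example; real Fireware log messages look different, so the regular expression would need adapting to the exported log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not WatchGuard output). The layout is an
# assumption loosely modelled on a per-policy "Allow" message:
# timestamp, firebox name, verdict, source IP -> destination, policy name.
SAMPLE_LOGS = [
    "2020-01-06T17:02:11 XTM515 Allow 10.0.1.50 -> 203.0.113.10:443 CCMachines-Out",
    "2020-01-06T17:02:12 XTM515 Allow 10.0.1.51 -> 203.0.113.10:443 CCMachines-Out",
    "2020-01-06T17:02:15 M370 Allow 10.0.2.52 -> 203.0.113.10:443 CCMachines-Out",
    "2020-01-06T17:02:20 M370 Allow 10.0.2.99 -> 198.51.100.7:80 HTTP-Out",
    "garbage line that should be ignored",
]

LOG_RE = re.compile(
    r"^\S+\s+(?P<firebox>\S+)\s+Allow\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+\S+\s+(?P<policy>\S+)$"
)

# Constructed inventory: terminal name -> (old IP, new IP after the re-IP).
TERMINALS = {
    "cc-term-1": ("10.0.1.50", "10.0.2.50"),
    "cc-term-2": ("10.0.1.51", "10.0.2.51"),
    "cc-term-3": ("10.0.1.52", "10.0.2.52"),
}


def parse_log(lines):
    """Map each source IP to the set of firebox names that forwarded its traffic.

    Lines that do not match the expected layout are skipped rather than
    raising, so a mixed export with other message types can be fed in.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        seen[m["src"]].add(m["firebox"])
    return seen


def audit_terminals(lines, terminals, expected_firebox):
    """Classify each terminal by what the combined logs show.

    'ok'            - new IP seen, and only on the expected firebox
    'wrong_firebox' - new IP seen, but on another firebox (or on both)
    'old_ip'        - only the pre-migration IP appears (the case in this thread)
    'silent'        - neither address appears in the logs
    """
    seen = parse_log(lines)
    report = {}
    for name, (old_ip, new_ip) in terminals.items():
        if new_ip in seen:
            report[name] = "ok" if seen[new_ip] == {expected_firebox} else "wrong_firebox"
        elif old_ip in seen:
            report[name] = "old_ip"
        else:
            report[name] = "silent"
    return report


if __name__ == "__main__":
    for term, status in sorted(audit_terminals(SAMPLE_LOGS, TERMINALS, "M370").items()):
        print(f"{term}: {status}")
```

Filtering only by the new addresses would have shown the terminals as absent from both fireboxes, which is exactly what the Dimension view showed before the old IP was tried; checking the old address as a fallback is what surfaces the stale static configuration.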