FireWall-1 FAQ: Debugging "Too Many Internal Hosts Detected" problem
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
I am getting the following message (either as a message on my console or in the Event Log on NT)
Jan 6 14:37:59 mutiara unix: ). Contact your FireWall-1 reseller.
Jan 6 14:40:11 mutiara unix: FW-1: too many internal hosts detected
Jan 6 14:40:11 mutiara unix: (220.127.116.11
Jan 6 14:40:11 mutiara unix: , 18.104.22.168
Jan 6 14:40:11 mutiara unix: , 22.214.171.124
...
99% of the time, this problem is caused by not defining the external interface correctly. FireWall-1 counts as an internal host every source address it sees on an interface that is not marked as external, so a missing or wrong external interface definition makes it count hosts on the Internet side as well. In the NG release, the external interface is defined in the firewall workstation object, Topology tab. In FireWall-1 4.1 and earlier, it is listed in the file $FWDIR/conf/external.if on the firewall module.
- Correct the external interface definition: on NG, fix the Topology tab of the firewall object; on 4.1 and earlier, edit $FWDIR/conf/external.if. For more details, see the following FAQ: What to Put in $FWDIR/conf/external.if?
- Clear the host count according to the following FAQ: Clearing the Internal Host Count
- Bounce FireWall-1 (fwstop ; fwstart)
If the above steps do not correct the problem, the following paragraphs discuss some debugging techniques that you can use:
First, get FireWall-1's list of the internal hosts. Check your messages file for the start of the list:
Jan 6 14:40:11 mutiara unix: FW-1: too many internal hosts detected
Jan 6 14:40:11 mutiara unix: (126.96.36.199
and for the end of the list
... Jan 10 17:19:08 mutiara unix: FW-1: only 50 internal hosts allowed
You can also get a list of hosts with the command 'fw lichosts'.
Now take a look at those hosts.
- If all hosts are valid internal hosts, then your current license is not sufficient and you will have to upgrade your license.
- If some of the hosts have IPs that belong to your internal network but you don't recognize them, find out whether they exist (ping them, telnet to them, and so on). If they don't exist, treat those hosts as unknown hosts. See Monitoring Unknown Hosts.
- If all hosts are external hosts, then there are three possibilities:
  - You have specified an internal interface instead of the external one in $FWDIR/conf/external.if or in the Topology tab of your firewall object, so traffic on the real external interface is being counted. Make the correction and restart FireWall-1.
  - There is another path from the external network into your internal network. Some connections originating from the external network are coming in via that path and going out through the firewall machine. This has to be monitored. See Monitoring Unknown Hosts.
  - Someone inside your network is trying to spoof other IP addresses. This has to be monitored. See Monitoring Unknown Hosts.
Monitoring Unknown Hosts
Our goal is to get more information about the IPs that FireWall-1 is recording as internal hosts. That means we have to log all connections and then, for each unknown IP in the internal host list, find the first logged connection with a matching source IP.
- Bring up your rule base, in the 'Track' column, select 'Long' for all rules
- Install the current rule base.
- Wait for the error message 'too many internal hosts detected ...'. At that time, extract the list of internal hosts. Then start matching against entries in the log file.
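The list extraction described under "get FireWall-1's list of the internal hosts" and the matching step above are mechanical enough to script. The following is an added example, not code from the original FAQ or from Check Point: it pulls the host list out of a syslog messages file (everything between the "too many internal hosts detected" line and the "only N internal hosts allowed" line), classifies each host against your internal network, drops the hosts you already know, and prints the first logged connection sourced from each remaining host. The messages excerpt, the log lines, the known-hosts file, the internal network 10.1.0.0/16 and the interface names le0/le1 are all constructed for the example; the log lines are only assumed to carry "src <ip>" tokens, not any particular fw log output format.

```shell
#!/bin/sh
# Added example (not from the original FAQ): extract FW-1's internal host list
# from syslog, classify the hosts, and look up each unknown host's first
# logged connection. All sample data below is constructed for this example.

# Write the constructed sample files into directory $1.
fw1_write_samples() {
    cat > "$1/messages" <<'EOF'
Jan  6 14:37:59 mutiara unix: ). Contact your FireWall-1 reseller.
Jan  6 14:40:11 mutiara unix: FW-1: too many internal hosts detected
Jan  6 14:40:11 mutiara unix: (10.1.1.5
Jan  6 14:40:11 mutiara unix: , 10.1.7.77
Jan  6 14:40:11 mutiara unix: , 198.51.100.23
Jan  6 14:40:11 mutiara unix: , 203.0.113.9
Jan  6 14:40:11 mutiara unix: ). Contact your FireWall-1 reseller.
Jan  6 14:40:11 mutiara unix: FW-1: only 50 internal hosts allowed
Jan  6 14:41:02 mutiara unix: FW-1: unrelated message mentioning 192.0.2.1
EOF
    # Constructed log excerpt; only the "src <ip>" token is relied on.
    cat > "$1/fwlog" <<'EOF'
14:40:01 mutiara accept le0 inbound src 10.1.1.5 dst 198.51.100.23 proto tcp service http
14:40:03 mutiara accept le0 inbound src 10.1.7.77 dst 192.0.2.80 proto tcp service smtp
14:40:05 mutiara accept le1 inbound src 198.51.100.23 dst 10.1.1.5 proto tcp service http
14:40:06 mutiara accept le0 inbound src 10.1.7.77 dst 192.0.2.25 proto udp service domain
14:40:08 mutiara drop le0 inbound src 203.0.113.9 dst 10.1.1.5 proto tcp service telnet
EOF
    printf '10.1.1.5\n' > "$1/known-hosts"
}

# Print the host list from messages file $1, one IP per line, deduplicated.
# Only lines between the "too many internal hosts detected" marker and the
# "only N internal hosts allowed" marker are scanned, so IPs mentioned
# elsewhere in syslog are not picked up.
fw1_internal_hosts() {
    awk '
        /FW-1: too many internal hosts detected/ { inlist = 1; next }
        /FW-1: only [0-9]+ internal hosts allowed/ { inlist = 0 }
        inlist && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            print substr($0, RSTART, RLENGTH)
        }
    ' "$1" | sort -u
}

# Print "<ip> internal" or "<ip> external" for each host in messages file $1,
# using the internal network given in CIDR form as $2 (e.g. 10.1.0.0/16).
# The prefix test divides by 2^(32-bits) because POSIX awk has no bit operators.
fw1_classify_hosts() {
    fw1_internal_hosts "$1" | awk -v cidr="$2" '
        function ip2n(s,  p) {
            split(s, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        BEGIN {
            split(cidr, c, "/"); net = ip2n(c[1]); shift = 2 ^ (32 - c[2])
        }
        { print $1, (int(ip2n($1) / shift) == int(net / shift)) ? "internal" : "external" }
    '
}

# Like fw1_classify_hosts, but drop hosts listed in known-hosts file $3.
fw1_unknown_hosts() {
    fw1_classify_hosts "$1" "$2" | awk -v known="$3" '
        BEGIN { while ((getline line < known) > 0) if (line != "") k[line] = 1 }
        !($1 in k) { print }
    '
}

# Print the first line of log file $1 whose "src" token is followed by IP $2.
fw1_first_connection() {
    awk -v ip="$2" '
        { for (i = 1; i < NF; i++) if ($i == "src" && $(i + 1) == ip) { print; exit } }
    ' "$1"
}

# Report: for every unknown host, its class and first logged connection.
# $1 messages file, $2 internal CIDR, $3 known-hosts file, $4 log file.
fw1_report() {
    fw1_unknown_hosts "$1" "$2" "$3" | while read -r host class; do
        first=$(fw1_first_connection "$4" "$host")
        printf '%s (%s): %s\n' "$host" "$class" "${first:-no connection logged}"
    done
}

# Stand-alone run against the constructed samples.
fw1_demo() {
    dir=$(mktemp -d) || return 1
    fw1_write_samples "$dir"
    fw1_report "$dir/messages" 10.1.0.0/16 "$dir/known-hosts" "$dir/fwlog"
    rm -rf "$dir"
}
fw1_demo
```

On the sample data the report lists 10.1.7.77 (internal address, not in the known-hosts file) and the two external addresses, each with the first connection the firewall logged from it. The way I would read those first connections: an external address whose first packet arrived on the interface you named as external points at the interface definition being wrong; an external address first seen on an internal interface (203.0.113.9 on le0 in the sample) is the "another path" or spoofing case from the list above. The "only N internal hosts allowed" marker matters: without it the extraction would keep collecting every IP that appears later in the messages file, which is why the sample includes an unrelated line after the marker.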