Your customer receives an alert from their network operation center, they are seeing ARP and
Ping scans of their network originating from the firewall. What could be the reason for the
behaviour?
A.
Check Point’s Antibot blade performs anti-bot scans of the surrounding network.
B.
Check Point firewalls probe adjacent networking devices during normal operation.
C.
IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a
hacker to cause a network scan to originate from the firewall.
D.
One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.
D. One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.
sk92456
By design, when a cluster member does not receive CCP packets from a peer member (or not able to send its own CCP packets), cluster member uses probing mechanism in order to determine the problematic interface and the problematic member. All cluster members send series of ARP Requests and series of ICMP Requests to all hosts on the subnet.
Since interfaces on all cluster members are OK, these series of ARP Requests and ICMP Requests might confuse ARP tables on Layer 2 / Layer 3 devices.