I have a public IP mapped to two different hosts behind the firewall. One of these works, and the second one is not seen by the firewall log at all. I'm hoping someone has some ideas on possible causes.
Let there be a public IP. The firewall rules say that some machines can connect to this IP on service A and another group of machines can connect on service B.
The public IP is entered in the routing table to move the packet to a router inside that knows how to get to the two destination subnets.
The NAT rules convert the public IP when the service is A to an IP on an internal host. That works. The NAT rule below it converts the public IP when the service is B to a different IP on an internal host. Both of those internal hosts are directly connected to the router that the routing rule sends the packet to.
I put a sniffer on the external interface of the firewall, and I clearly see the incoming SYN to the public IP on the destination port for service B. But the firewall log shows *nothing*. No rule is ever invoked. What would this indicate?
Is incoming FTP handled in some special way by Check Point?
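One thing worth checking before looking at vendor-specific FTP handling is whether the SYN seen on the external interface can actually match the rule base as written, and whether a rule below another one is ever reachable (a rule that is entirely covered by an earlier rule never fires). The following is an added example, not from the post or from Check Point's rule engine: it models a first-match rule base with constructed addresses (public IP 203.0.113.10, service A assumed to be TCP/443, service B assumed to be TCP/21, internal host placeholders) and reports which rule a given packet hits plus any shadowed rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# All addresses, ports and rule names below are constructed for illustration.
PUBLIC_IP = "203.0.113.10/32"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR of permitted sources
    dst: str            # CIDR of destination
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    nat_to: str         # internal host the destination is translated to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if this single rule matches the packet (first-match semantics)."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Tuple[int, Rule]]:
    """Return (1-based rule number, rule) of the first matching rule, or None
    if the packet falls through to the implicit cleanup rule."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return number, rule
    return None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already matched by 'earlier'."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.proto in ("any", later.proto)
            and earlier.dport in (None, later.dport))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """List (shadowing rule, shadowed rule) pairs: rules that can never fire
    because an earlier rule matches a superset of their traffic."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((earlier.name, later.name))
                break
    return found


# Rule base modelled on the post: group A may reach service A, group B service B.
RULES = [
    Rule("SERVICE_A", "198.51.100.0/24", PUBLIC_IP, "tcp", 443, "10.1.1.10"),
    Rule("SERVICE_B", "192.0.2.0/24", PUBLIC_IP, "tcp", 21, "10.1.2.20"),
]

# The same rule base with a broad rule inserted above SERVICE_B, which shadows it.
RULES_WITH_SHADOW = [
    RULES[0],
    Rule("BROAD_NAT", "0.0.0.0/0", PUBLIC_IP, "tcp", None, "10.1.1.10"),
    RULES[1],
]

# Constructed inbound SYN like the one seen on the external interface.
SYN_TO_B = Packet("192.0.2.5", "203.0.113.10", "tcp", 21)

if __name__ == "__main__":
    hit = first_match(RULES, SYN_TO_B)
    print("original rule base:", hit)                 # rule 2, SERVICE_B
    print("shadowed (original):", shadowed_rules(RULES))
    print("shadowed (with broad rule):", shadowed_rules(RULES_WITH_SHADOW))
```

If the modelled packet matches the intended rule and nothing is shadowed, the rule base is not the explanation and the packet is being consumed before rule evaluation (for example by a routing or anti-spoofing decision), which is the next place to look.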