Cisco Support Community
Community Member

Keepalives over Checkpoint Firewall


I'm having some problems with CSS Keepalives over a Checkpoint Firewall.

It is not a CSS problem, but maybe someone has experienced the same and can help me solve it.

We do some TCP or HTTP Head Keepalives over the Firewall to some Application servers.

The Firewall seems to terminate the TCP connection and also the HTTP requests, and the service is always alive because the Firewall answers the requests.

The guys who administer the firewall do not know why the firewall does this and do not know how to disable that feature.

Does anyone have an idea how the firewall must be modified to not answer the keepalives?

This problem only appears on TCP Port 80. All other TCP Ports work.

Best regards


Cisco Employee

Re: Keepalives over Checkpoint Firewall


Seems like the equivalent of the Cisco HTTP inspection feature.

Looking on the Checkpoint website, this feature seems to be called Web Intelligence.

However, I do not see how to disable it.

Since you do head keepalive, I believe that if your server is down, the firewall will still accept the HTTP connection but it won't be able to respond for the server and it should return a 500 Error message which should bring the service down.

Is that not the case?


Community Member

Re: Keepalives over Checkpoint Firewall

Hello Gilles,

Thanks for that fast response.

Not sure if this is the feature.

But my Head Keepalives do not work, because the Firewall is generating an error web page with a response code of 200 OK.

Let's have a look at this:

REQUEST: **************\nGET /monitor/alive?op=css HTTP/1.1\r\n


Accept: */*\r\n

Authorization: Basic U3ZlbkJ1dHplazo=\r\n


RESPONSE: **************\nHTTP/1.0 200\r\n

Pragma: no-cache\r\n

Cache-Control: no-cache\r\n

Content-Type: text/html\r\n

Content-Length: 108\r\n




\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\n

WWWConnect::Close("","80")\nclosed source port: 2314\r\n


The IP is not configured on any device.

Doing HTTP Get Keepalives would solve this on CSS, but not on CSM, and I also want to include more than 256 keepalives per CSS.


Cisco Employee

Re: Keepalives over Checkpoint Firewall

Definitely an error on the firewall side.

Clearly they should return a 5xx code if there is an error per the RFC.

You should contact your Checkpoint vendor or replace the firewall with a Cisco one :-)
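
The failure discussed in this thread, as an added example that is not part of any post and is not Cisco or Check Point code: a probe that trusts the status code alone accepts the firewall-generated page, while a probe that also compares the body against a known-good reference rejects it. The `GOOD_BODY` reply, the SHA-256 comparison and all function names are assumptions made for illustration; the firewall sample is modeled on the response quoted above.

```python
import hashlib

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # the reason phrase may be absent ("HTTP/1.0 200")
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def status_only_alive(raw: bytes) -> bool:
    """HEAD-style probe: trusts the status code alone."""
    try:
        return parse_response(raw)[0] == 200
    except ValueError:
        return False

def body_checked_alive(raw: bytes, expected_sha256: str) -> bool:
    """GET-style probe: status 200 AND body hash equal to a known-good reference."""
    try:
        status, _, body = parse_response(raw)
    except ValueError:
        return False
    return status == 200 and hashlib.sha256(body).hexdigest() == expected_sha256

# Constructed samples. GOOD_BODY is an assumed reply from the application's monitor URL.
GOOD_BODY = b"alive\n"
GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 6\r\n\r\n" + GOOD_BODY
REFERENCE = hashlib.sha256(GOOD_BODY).hexdigest()
# Modeled on the firewall-generated reply quoted in the thread (status 200, error text in body).
FW_BODY = b"FW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\n"
FW_ERROR = (b"HTTP/1.0 200\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n"
            b"Content-Type: text/html\r\n\r\n" + FW_BODY)
DOWN = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("server", GOOD), ("firewall page", FW_ERROR), ("503", DOWN)):
        print(name, status_only_alive(raw), body_checked_alive(raw, REFERENCE))
```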

