https://community.checkpoint.com/t5/Firewall-and-Security-Management/let-ip-option-field-quot-security-quot-pass-the-gateway-and-do/m-p/51576#M12998 <P>Hi Community,</P><P>I am struggling with a unusual customer request. They are using the IP option "Security [130]" (RFC1108) in self-written software to tag special tcp-packets in the header. Now they want these packets to pass through the r80.20-gateway and implement filtering based on this IP option field.</P><P>Based on&nbsp;<SPAN>sk62082 (How to allow TCP/UDP packets with IP options through Check Point Security Gateway) it should be possible to let packets with these options passing the gateway.</SPAN></P><P><SPAN>Before implementing sk62082:<BR />@;6765544;[SIM-206293920];handle_packet_do: stripping IP options failed, conn: &lt;172.30.0.2,1024,10.125.231.130,10000,6&gt;;<BR /></SPAN></P><P><SPAN>Changes based on sk62082 in $FWDIR/lib/table.def: </SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 08_19_37-admin@gw-2582f3_~.png" style="width: 287px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/929iA462B2EC216C0ACA/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 08_19_37-admin@gw-2582f3_~.png" alt="2019-04-23 08_19_37-admin@gw-2582f3_~.png" /></span></SPAN></P><P><SPAN>After implementing sk62082 (changed table.def &amp; policy install):<BR />@;6768953;[fw4_0];fw_log_drop_ex: Packet proto=6 172.30.0.2:1024 -&gt; 10.125.231.130:10000 dropped by fw_ipopt_restore Reason: fw_ipopt_restore failed;<BR /></SPAN></P><P><SPAN>So even the simple forwarding of this security-field is failing on r80.20 (contrary to the sk). Any idea why the ipopt_restore is failing?</SPAN></P><P><SPAN>The packet looks like this:</SPAN><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 11_56_51-Kali-Linux - Konsole – VMware ESXi.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/930i1AAFDFBECD960B15/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 11_56_51-Kali-Linux - Konsole – VMware ESXi.png" alt="2019-04-23 11_56_51-Kali-Linux - Konsole – VMware ESXi.png" /></span></SPAN></P><P>And wireshark (on sending client) is successfully detection the IP option "Security":</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 11_57_40-Kali-Linux - Konsole – VMware ESXi.png" style="width: 651px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/931i31A59464DA6F16E5/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 11_57_40-Kali-Linux - Konsole – VMware ESXi.png" alt="2019-04-23 11_57_40-Kali-Linux - Konsole – VMware ESXi.png" /></span><BR /></SPAN></P><P><SPAN>For the 2nd part (the filtering) I am thinking about three possible options:</SPAN></P><P><SPAN>- 1.: special protocol type (maybe INSPECT code)<BR />- 2.: custom application (based on&nbsp;sk103051)<BR />- 3.: IPS signature</SPAN></P><P><SPAN>Has anyone of you worked with IP options on CheckPoint before? And is it even possible to filter based on a IP option field?</SPAN></P><P><SPAN>Based on the notes at the end of sk62082 (</SPAN></P><P><SPAN>"</SPAN>SecurePlatform OS / Gaia OS kernel does not strip IP options. Therefore, the packet arrives to Check Point kernel with IP options, and is dropped."</P><P>) I would think that the IP options are not stripped and therefor should be available for detection/filtering. But the following still shows a chain called "ipopt_strip":<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 12_08_58-ipopt_strip - Google-Suche.png" style="width: 618px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/932i3BD0963CBB1C811F/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 12_08_58-ipopt_strip - Google-Suche.png" alt="2019-04-23 12_08_58-ipopt_strip - Google-Suche.png" /></span></P><P>Any help is kindly appreciated!</P><P>&nbsp;</P><P>Kind regards,<BR />Ben Hartmann<BR />Security Consultant<BR />Axians IT Security<BR />Germany</P> Tue, 23 Apr 2019 10:14:00 GMT Ben_Hartmann 2019-04-23T10:14:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/let-ip-option-field-quot-security-quot-pass-the-gateway-and-do/m-p/51576#M12998 <P>Hi Community,</P><P>I am struggling with a unusual customer request. They are using the IP option "Security [130]" (RFC1108) in self-written software to tag special tcp-packets in the header. Now they want these packets to pass through the r80.20-gateway and implement filtering based on this IP option field.</P><P>Based on&nbsp;<SPAN>sk62082 (How to allow TCP/UDP packets with IP options through Check Point Security Gateway) it should be possible to let packets with these options passing the gateway.</SPAN></P><P><SPAN>Before implementing sk62082:<BR />@;6765544;[SIM-206293920];handle_packet_do: stripping IP options failed, conn: &lt;172.30.0.2,1024,10.125.231.130,10000,6&gt;;<BR /></SPAN></P><P><SPAN>Changes based on sk62082 in $FWDIR/lib/table.def: </SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 08_19_37-admin@gw-2582f3_~.png" style="width: 287px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/929iA462B2EC216C0ACA/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 08_19_37-admin@gw-2582f3_~.png" alt="2019-04-23 08_19_37-admin@gw-2582f3_~.png" /></span></SPAN></P><P><SPAN>After implementing sk62082 (changed table.def &amp; policy install):<BR />@;6768953;[fw4_0];fw_log_drop_ex: Packet proto=6 172.30.0.2:1024 -&gt; 10.125.231.130:10000 dropped by fw_ipopt_restore Reason: fw_ipopt_restore failed;<BR /></SPAN></P><P><SPAN>So even the simple forwarding of this security-field is failing on r80.20 (contrary to the sk). Any idea why the ipopt_restore is failing?</SPAN></P><P><SPAN>The packet looks like this:</SPAN><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 11_56_51-Kali-Linux - Konsole – VMware ESXi.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/930i1AAFDFBECD960B15/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 11_56_51-Kali-Linux - Konsole – VMware ESXi.png" alt="2019-04-23 11_56_51-Kali-Linux - Konsole – VMware ESXi.png" /></span></SPAN></P><P>And wireshark (on sending client) is successfully detection the IP option "Security":</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 11_57_40-Kali-Linux - Konsole – VMware ESXi.png" style="width: 651px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/931i31A59464DA6F16E5/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 11_57_40-Kali-Linux - Konsole – VMware ESXi.png" alt="2019-04-23 11_57_40-Kali-Linux - Konsole – VMware ESXi.png" /></span><BR /></SPAN></P><P><SPAN>For the 2nd part (the filtering) I am thinking about three possible options:</SPAN></P><P><SPAN>- 1.: special protocol type (maybe INSPECT code)<BR />- 2.: custom application (based on&nbsp;sk103051)<BR />- 3.: IPS signature</SPAN></P><P><SPAN>Has anyone of you worked with IP options on CheckPoint before? And is it even possible to filter based on a IP option field?</SPAN></P><P><SPAN>Based on the notes at the end of sk62082 (</SPAN></P><P><SPAN>"</SPAN>SecurePlatform OS / Gaia OS kernel does not strip IP options. Therefore, the packet arrives to Check Point kernel with IP options, and is dropped."</P><P>) I would think that the IP options are not stripped and therefor should be available for detection/filtering. But the following still shows a chain called "ipopt_strip":<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-04-23 12_08_58-ipopt_strip - Google-Suche.png" style="width: 618px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/932i3BD0963CBB1C811F/image-size/large?v=v2&amp;px=999" role="button" title="2019-04-23 12_08_58-ipopt_strip - Google-Suche.png" alt="2019-04-23 12_08_58-ipopt_strip - Google-Suche.png" /></span></P><P>Any help is kindly appreciated!</P><P>&nbsp;</P><P>Kind regards,<BR />Ben Hartmann<BR />Security Consultant<BR />Axians IT Security<BR />Germany</P> Tue, 23 Apr 2019 10:14:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/let-ip-option-field-quot-security-quot-pass-the-gateway-and-do/m-p/51576#M12998 Ben_Hartmann 2019-04-23T10:14:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/let-ip-option-field-quot-security-quot-pass-the-gateway-and-do/m-p/51771#M12999 When you say “implement filtering” what do you mean specifically?<BR />Permit/deny packets based on the presence of this IP Option in the packet?<BR />Note that by default we drop packets with IP Options set.<BR />We can allow packets with specific IP Options set to be inspected as per the normal policy.<BR /><BR />The fact we can’t restore IP Options to the packet suggests a bug that will need to be further investigation by the TAC. Wed, 24 Apr 2019 19:28:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/let-ip-option-field-quot-security-quot-pass-the-gateway-and-do/m-p/51771#M12999 PhoneBoy 2019-04-24T19:28:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/let-ip-option-field-quot-security-quot-pass-the-gateway-and-do/m-p/51927#M13000 <P>Yes, I want to permit/deny based on the presence of this IP Option.</P><P>Regarding the restore of IP Option: I will open a ticket with TAC.</P><P>&nbsp;</P><P>Kind regards,<BR />Ben</P> Fri, 26 Apr 2019 06:23:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/let-ip-option-field-quot-security-quot-pass-the-gateway-and-do/m-p/51927#M13000 Ben_Hartmann 2019-04-26T06:23:38Z