topic Re: first tcp syn packet is failed in Firewall and Security Management

first tcp syn packet is failed

umar7 — Wed, 05 Apr 2023 08:26:23 GMT

Re: first tcp syn packet is failed

Chris_Atkinson — Fri, 20 Jan 2023 09:30:25 GMT

Which versions/ JHF is the system in question?

Generally speaking this topic has been covered extensively here previously even including recent hotfixes / half-closed timer settings for similar

Re: first tcp syn packet is failed

G_W_Albrecht — Fri, 20 Jan 2023 10:41:54 GMT

I would consult TAC as this is VSX and First packet isn't syn rather sounds like a config error !

See sk117374:

It is possible to override the "Out of State" settings in the Global Properties on the Security Gateway by changing the values of the relevant kernel parameters on-the-fly.

The above procedure is only temporary and will not survive a reboot, restart of Check Point services (cpstop;cpstart, or cprestart), or policy installation.

While it is possible to make this setting permanent, this is strongly disapproved ! Why ? You will only cover an error in configuration that better is generally fixed, and sk117374 adds:

The implications of changing the TCP and ICMP out of state inspection settings should be fully understood before altering them.

Re: first tcp syn packet is failed

the_rock — Fri, 20 Jan 2023 14:37:37 GMT

I agree with @G_W_Albrecht , probably better to consult with TAC as its VSX.

Re: first tcp syn packet is failed

PhoneBoy — Fri, 20 Jan 2023 19:50:20 GMT

You're making a change in a way that is not persistent.
You can disable it for a specific VS (or gateway) using: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102491&partition=Advanced&product=Quantum

As noted here, this is generally not recommended and has some security implications.
It's better to configure a specific exception (versus disabling this globally for the gateway) using this procedure: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk11088&partition=Advanced&product=Quantum

Re: first tcp syn packet is failed

umar7 — Wed, 25 Jan 2023 06:57:49 GMT

thanks for the responce guys

Re: first tcp syn packet is failed

G_W_Albrecht — Wed, 08 Feb 2023 13:27:59 GMT

Did you contact TAC or how did you proceed after the discussion here ?

Re: first tcp syn packet is failed

umar7 — Wed, 08 Feb 2023 13:37:54 GMT

hello @G_W_Albrecht ,

i have created the checkpoint TAC case we are working on it.

Re: first tcp syn packet is failed

the_rock — Wed, 08 Feb 2023 14:05:21 GMT

Hey @umar7 , just wondering, did you put the value in $FWDIR/boot/modules/fwkern.conf file and save, as that makes it permanent even after reboot.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/Kernel-Parameters/FireWall-Kernel-Parameters.htm

Re: first tcp syn packet is failed

G_W_Albrecht — Wed, 08 Feb 2023 14:21:29 GMT

I hope he did not do that - the security implications would make this a solution for LAB only...

Re: first tcp syn packet is failed

the_rock — Wed, 08 Feb 2023 14:23:58 GMT

I agree. The only reason I said that is because @umar7 mentioned the setting keeps reverting back, so change I mentioned would make it permanent. The issue should be fixed so packets out of state are indeed dropped, as they should be.