topic Re: Bug or something other in Firewall and Security Management

Bug or something other

babicmilan — Tue, 01 Oct 2024 14:24:10 GMT

Hello, I have a version R81.20 Jumbo Hotfix Take 76 on my gateways in ClusterXL, but when I have upgraded it to a Take 84 (recommended version) I get some issues regarding internet access.

Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed.
To learn more see sk113479.

It seems like issue with policy match.

I have inline layer created for internet access (rule ID: 79). Instead of connections match rule 79.15 they match rule 79.

I didn't find a cause of the problem and I have downgrade to Hotfix Take 76

How to resolve problem?

Re: Bug or something other

PhoneBoy — Tue, 01 Oct 2024 15:50:46 GMT

This error message is considered "normal" and a function of how modern application-aware firewalls operate.
In short:

On first packet, you only know source/destination/service from an IP header perspective.
Additional packets are required to fully classify the traffic (e.g. we need to see HTTP headers or information not available in the first packet).
Assuming there's at least ONE accept rule on the relevant port, traffic will be allowed until the traffic can be properly classified.
If the underlying connection closes before classification occurs, you will see the error you mention.

Again, this is expected behavior and documented in the referenced SK: https://support.checkpoint.com/results/sk/sk113479

The fact you rolled back begs the question: were your users experiencing any actual issues as a result of these errors?

Re: Bug or something other

the_rock — Tue, 01 Oct 2024 23:09:06 GMT

The way I always put it, that sk is literally a long way of saying 3 way handshake is not completing and firewall is not a problem. It simply does not have enough data to classify such a connection, and though you may see the actual drop in the log, thats not technically the case.

Andy

Re: Bug or something other

babicmilan — Wed, 02 Oct 2024 08:08:58 GMT

Look at this pictures. When problem occurs, nobody can access the internet. Policy say that rule 79 is matched (rule 79 is inline layer). It must be matched rule 79.11 to allow access the internet.

I don't know, maybe is something wrong with Gaia OS, I think to reinstall Gaia OS.

Re: Bug or something other

the_rock — Wed, 02 Oct 2024 11:44:02 GMT

Vidio sam slike : - )

Trust me, its NOT the firewall issue mate. Just carefully read the sk itself.

Andy

Re: Bug or something other

PhoneBoy — Wed, 02 Oct 2024 14:40:31 GMT

The action on the log says "Accept."
When you say "nobody can access the Internet" what is the exact behavior? (i.e. what is seen by end users)

In any case, the error message itself isn't necessarily indicative of a problem.
However, if there is an actual issue that can be resolved by uninstalling the relevant JHF, then you'll need to consult with TAC.