topic Re: Packets get drop in Firewall and Security Management

Packets get drop

Prashan_Attanay — Wed, 18 Oct 2017 07:41:43 GMT

what is the reason for happen this ?

;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 x.x.x.x:30730 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:30731 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 y.y.y.y:37020 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 y.y.y.y:37021 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;

Re: Packets get drop

KennyManrique — Wed, 18 Oct 2017 21:55:22 GMT

Stateful Inspection checks.

It means the first packet of a TCP session (proto=6) traversing the firewall isn't the syncronization packet (first of the three way handshake of TCP) so because of this, the firewall drops the packet.

By default, Check Point Firewall is configured to drop out of state TCP Packets (Global Properties -> Stateful Inspection->Drop Out of state TCP Packets is checked)

You can completely disable the TCP out of state drops:

By unchecking the option on Stateful Inspection and installing policy
By adding an exception to Drop out of state TCP on Stateful Inspection and selecting the Firewall (also requires install policy).
Executing the following command on the gateway in expert mode to disable on the fly: "fw ctl set int fw_allow_out_of_state_tcp 1" (Does not survive a reboot) .

You can follow this sk as workaround for allowing out of state packets to some traffic only: SmartView Tracker shows multiple logs for dropped 'TCP out of state' packets with various TCP flags

Regards

Re: Packets get drop

Prashan_Attanay — Fri, 20 Oct 2017 20:14:12 GMT

Thank you for your explanation

Re: Packets get drop

Sven_Glock — Fri, 03 Aug 2018 16:59:44 GMT

Is it possible that "2." is not supported for vsx in R80.10?

Re: Packets get drop

PhoneBoy — Fri, 03 Aug 2018 17:20:26 GMT

Not as far as I know.

What makes you think it isn't?

Re: Packets get drop

Sven_Glock — Fri, 03 Aug 2018 17:26:28 GMT

I tried it in an environment where only virtual systems are available.

Here I am not able to select a gateway when adding a new gateway to TCP Out of state exceptions...

Re: Packets get drop

PhoneBoy — Fri, 03 Aug 2018 17:38:33 GMT

Oh, you're talking about exceptions, which, true, might not be supported on a VS.

Re: Packets get drop

Sven_Glock — Sun, 05 Aug 2018 07:10:10 GMT

Good to know, thanks Dameon!

Is there an other way to disable stateful inspection on a single virtual system?

1. would impact other policies and 3. seems not to work with virtual systems, too.

Re: Packets get drop

PhoneBoy — Tue, 14 Aug 2018 02:26:22 GMT

You'll need to contact the TAC to see if you can get a hotfix for the following: Option to allow out of state packets per VS

Re: Packets get drop

Sven_Glock — Tue, 14 Aug 2018 05:27:35 GMT

Hey Dameon,

thanks for this advice.

I will check this out and keep you posted.

Thanks

Sven