topic Is this a Legitimate &quot;fist packet isn't SYN drop&quot;? in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-this-a-Legitimate-quot-fist-packet-isn-t-SYN-drop-quot/m-p/99849#M7796 <P>We have this transaction that, in this example, startsat 11:00. At 11.02 the remote server tries to close it sending the FIN but the local server tries to close it only half an hour later (at 11.30). This FIN packet gets retransmitted&nbsp; but no ack is sent by the remote server. At last the local server sends a RST</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-10-22 15_08_23-poller - 172.20.3.2 - Connessione Desktop remoto.png" style="width: 785px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8543iA55C1CFC048E1B70/image-dimensions/785x209?v=v2" width="785" height="209" role="button" title="2020-10-22 15_08_23-poller - 172.20.3.2 - Connessione Desktop remoto.png" alt="2020-10-22 15_08_23-poller - 172.20.3.2 - Connessione Desktop remoto.png" /></span></P><P> My problem here is that those Resets (and sometimes some final FIN ACK packet as well) get blocked by our Checkpoint as a "first packet isn't SYN"</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-10-22 15_04_42-poller - 172.20.3.2 - Connessione Desktop remoto.png" style="width: 523px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8544i58A40926C5FA29BC/image-dimensions/523x426?v=v2" width="523" height="426" role="button" title="2020-10-22 15_04_42-poller - 172.20.3.2 - Connessione Desktop remoto.png" alt="2020-10-22 15_04_42-poller - 172.20.3.2 - Connessione Desktop remoto.png" /></span></P><P>&nbsp;</P><P>Is this legitimate? the tcp session timeout configured for the firewall is 3600. Is this because those packet are past both side FIN packet and the TCP end timeout is set (by default) at 5 seconds?</P><P>thanks&nbsp;&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 22 Oct 2020 14:27:15 GMT Stefano_Cappell 2020-10-22T14:27:15Z Is this a Legitimate "fist packet isn't SYN drop"? https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-this-a-Legitimate-quot-fist-packet-isn-t-SYN-drop-quot/m-p/99849#M7796 <P>We have this transaction that, in this example, startsat 11:00. At 11.02 the remote server tries to close it sending the FIN but the local server tries to close it only half an hour later (at 11.30). This FIN packet gets retransmitted&nbsp; but no ack is sent by the remote server. At last the local server sends a RST</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-10-22 15_08_23-poller - 172.20.3.2 - Connessione Desktop remoto.png" style="width: 785px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8543iA55C1CFC048E1B70/image-dimensions/785x209?v=v2" width="785" height="209" role="button" title="2020-10-22 15_08_23-poller - 172.20.3.2 - Connessione Desktop remoto.png" alt="2020-10-22 15_08_23-poller - 172.20.3.2 - Connessione Desktop remoto.png" /></span></P><P> My problem here is that those Resets (and sometimes some final FIN ACK packet as well) get blocked by our Checkpoint as a "first packet isn't SYN"</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-10-22 15_04_42-poller - 172.20.3.2 - Connessione Desktop remoto.png" style="width: 523px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8544i58A40926C5FA29BC/image-dimensions/523x426?v=v2" width="523" height="426" role="button" title="2020-10-22 15_04_42-poller - 172.20.3.2 - Connessione Desktop remoto.png" alt="2020-10-22 15_04_42-poller - 172.20.3.2 - Connessione Desktop remoto.png" /></span></P><P>&nbsp;</P><P>Is this legitimate? the tcp session timeout configured for the firewall is 3600. Is this because those packet are past both side FIN packet and the TCP end timeout is set (by default) at 5 seconds?</P><P>thanks&nbsp;&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 22 Oct 2020 14:27:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-this-a-Legitimate-quot-fist-packet-isn-t-SYN-drop-quot/m-p/99849#M7796 Stefano_Cappell 2020-10-22T14:27:15Z Re: Is this a Legitimate "fist packet isn't SYN drop"? https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-this-a-Legitimate-quot-fist-packet-isn-t-SYN-drop-quot/m-p/100069#M7810 <P>Seems legit to me, as FIN would start the TCP end timer and remove it from the main connection table.<BR />As such, it would see that FIN packet 28 mins later as a “new” connection, thus you get the message.</P> Sat, 24 Oct 2020 23:27:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-this-a-Legitimate-quot-fist-packet-isn-t-SYN-drop-quot/m-p/100069#M7810 PhoneBoy 2020-10-24T23:27:54Z