https://community.checkpoint.com/t5/General-Topics/Fragmented-packet-with-IPS-R80-10/m-p/53561#M10694 <P>If fragmented packets reach a firewall with activated IPS they get buffered.<BR />This also increases the cpu load.<BR />If the limit of the buffer is reached, new received packets get dropped.</P><P>How can we check, if packets get dropped because of this problem?<BR />Are any statistics available to check, if packets had been dropped before?<BR />How can we check the buffer size that is configured?<BR />Which parameters can be changed to increase the buffer size ?</P> Thu, 16 May 2019 05:23:37 GMT Dipayan_Nayak 2019-05-16T05:23:37Z https://community.checkpoint.com/t5/General-Topics/Fragmented-packet-with-IPS-R80-10/m-p/53561#M10694 <P>If fragmented packets reach a firewall with activated IPS they get buffered.<BR />This also increases the cpu load.<BR />If the limit of the buffer is reached, new received packets get dropped.</P><P>How can we check, if packets get dropped because of this problem?<BR />Are any statistics available to check, if packets had been dropped before?<BR />How can we check the buffer size that is configured?<BR />Which parameters can be changed to increase the buffer size ?</P> Thu, 16 May 2019 05:23:37 GMT https://community.checkpoint.com/t5/General-Topics/Fragmented-packet-with-IPS-R80-10/m-p/53561#M10694 Dipayan_Nayak 2019-05-16T05:23:37Z https://community.checkpoint.com/t5/General-Topics/Fragmented-packet-with-IPS-R80-10/m-p/53595#M10706 <P>If the Inspection Setting/IPS Protection is configured to "log" you should see current and past drops in smartlog. I think "IP Fragments" in Security Policy -&gt; Inspection Settings should be the right place to configure this. You can also change the buffer size there. "fw ctl pstat" in expert mode gives you statistics about fragments, as does "netstat -s".</P> Thu, 16 May 2019 11:13:48 GMT https://community.checkpoint.com/t5/General-Topics/Fragmented-packet-with-IPS-R80-10/m-p/53595#M10706 Benedikt_Weissl 2019-05-16T11:13:48Z https://community.checkpoint.com/t5/General-Topics/Fragmented-packet-with-IPS-R80-10/m-p/53603#M10711 <P>Check Point firewalls perform virtual defragmentation of IP packets, on R80.10 gateway and earlier the virtual defragmentation must occur in the Firewall/F2F path. In R80.20 and later fragmented packets are eligible for some acceleration by SecureXL.&nbsp; In R80.10 and later virtual defragmentation is part of the Inspection Settings (IP Fragments) in the Access Control policy, so the IPS blade does not need to be enabled for this function to occur.</P> <P>When the first frag is received, it is buffered until all fragments of the original packet have arrived.&nbsp; The firewall will wait up to 1 second by default (tunable in the IP Fragments Inspection Settings) for all fragments to arrive, if they don't all make it in time all the buffered fragments are discarded and a "Virtual defragmentation error: Timeout, Failed to generate IP packet from fragments" error message is written to the log, and the Fragments...expired counter shown in the <STRONG>fw ctl pstat</STRONG> output is incremented. You can also see the "pkt is a fragment" counter get incremented by SecureXL in the output of <STRONG>fwaccel stats -p</STRONG>.</P> <P>Once it has all the fragments the firewall virtually reassembles the original packet and inspects it.&nbsp; Assuming it passes inspection and is not dropped for some reason, the original fragments are then sent on their way.&nbsp; If you are concerned about the CPU and logging overhead caused by the handling of fragments you can simply forbid them, <EM><STRONG>but please read all of the following from my book before doing so and make sure you understand the ramifications of what you are doing</STRONG></EM>:</P> <P>&nbsp;</P> <LI-SPOILER> <P>If the fragment numbers seem high, run this tcpdump command to see all fragmented<BR />packets and figure out where they are coming from:</P> <P><STRONG>tcpdump -eni any '((ip[6:2] &gt; 0) and (not ip[6] = 64))'</STRONG></P> <P><BR />Any traffic appearing in this output is fragmented; notice that the -e option will also<BR />show you the source MAC address of the entity that sent the fragmented packet to the<BR />firewall, in order to help you trace the fragmented packet back to its origin. The only<BR />way to correct this situation is to ensure a consistent MTU value is in use throughout<BR />your internal and DMZ networks. In the real world when a large amount of internal<BR />traffic is improperly fragmented, it is usually due a misconfigured MTU on a router<BR />somewhere. I’ve seen correcting an internal MTU issue such as this make a huge<BR />difference in firewall performance. Of course there are situations where low MTUs are<BR />legitimately present due to legacy private network connections to partners or vendors (i.e.<BR />56Kbps lines, dialup lines &amp; ISDN).</P> <P><BR />If you are concerned about fragments impacting the performance of the firewall, it is<BR />possible to forbid IP fragments from crossing the firewall at all.</P> <P><BR /><EM><STRONG>WARNING:If a large portion of your network’s legitimate production traffic is fragmented,</STRONG></EM><BR /><EM><STRONG>forbidding fragments on the firewall will cause a massive outage. Run the tcpdump</STRONG></EM><BR /><EM><STRONG>command mentioned earlier and MAKE SURE that you don’t have legitimate production</STRONG></EM><BR /><EM><STRONG>traffic in your network that is fragmented before you decide to try forbidding IP</STRONG></EM><BR /><EM><STRONG>fragments!</STRONG></EM></P> <P><BR />Fragments can be disabled in the R77.30 SmartDashboard under the IPS<BR />tab...Protections...IP Fragments...(IPS Profile in use by your firewall)...Forbid IP<BR />Fragments checkbox. In R80+ management the setting is located under “Inspection<BR />Settings”.</P> </LI-SPOILER> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 16 May 2019 12:46:02 GMT https://community.checkpoint.com/t5/General-Topics/Fragmented-packet-with-IPS-R80-10/m-p/53603#M10711 Timothy_Hall 2019-05-16T12:46:02Z