topic Re: Disable Stateful Inspection in General Topics

Disable Stateful Inspection

HeikoAnkenbrand — Tue, 01 Jun 2021 18:04:34 GMT

I had the emergency during an upgrade that I had to disable "Stateful Inspection" for TCP connetions (for a short time).
If you only want to turn this off for a short time, the best way to do this is on the gateways on the fly.

Attention:
If you do this, it can have a problematic security effect on the gateways.

Here are the three solutions:

1) Via SmartConsole --> more read here sk117374

2) or on the Management Server via INSPECT code
Add the folowing lines to the user.def and install the policy --> more read here: sk11088

     //
     // User defined INSPECT code
     //

     /* Start of INSPECT modification - sk11088 */
     net1={ <0.0.0.1, 239.255.255.255> };
     deffunc user_accept_non_syn() {((src in net1) or (dst in net1)) };

/* End of INSPECT modification */

#endif /* ifndef IPV6_FLAVOR */
#endif /* ifndef __user_def__ */

3) or on the Gateway on the fly --> more read here sk117374

expert mode# fw ctl set int fw_allow_out_of_state_tcp 1

Attention:
Never ever forget to turn it back on.
(Thanks @_Val_, good comment from you.)

Re: Disable Stateful Inspection

_Val_ — Tue, 01 Jun 2021 17:54:18 GMT

I miss big red disclamer at the end of this article saying:

Never ever forget to turn it back on

Re: Disable Stateful Inspection

HeikoAnkenbrand — Tue, 01 Jun 2021 17:59:41 GMT

I still write that in the article 🙂

Re: Disable Stateful Inspection

nevillekuo — Fri, 04 Jun 2021 05:31:46 GMT

Some of my customer turned it off for some reason even if only 1 internet connection(They just see so many out of state drop), if we still enabled all threat prevention functions what's the drawback if tcp syn check is turned off?

Re: Disable Stateful Inspection

_Val_ — Wed, 09 Jun 2021 07:45:42 GMT

Out of state drops usually indicate a routing issue and should not be just ignored. Disabling stateful is a severe security degradation.

Re: Disable Stateful Inspection

nevillekuo — Wed, 09 Jun 2021 07:52:27 GMT

I understand, but it's hard to explain why encountered routing issue when only 1 internet connection, not just 2 or 3 customers, it's many, maybe we should consider sk11088 as a best solution for this.

Re: Disable Stateful Inspection

_Val_ — Wed, 09 Jun 2021 07:54:37 GMT

I disagree. You should override stateful ONLY if you investigated the situation properly and proved it is an application that is not respecting the TCP state. This is what sk11088 is about.

Re: Disable Stateful Inspection

r1der — Mon, 12 Dec 2022 23:51:41 GMT

Is it possible to do this just for a certain destination and not the entire gateway?
I'm reading multiple threads about the First packet isn't SYN. The TCP Flag is FIN-ACK (log card from Client --> Server).
I'm not able to determine if these drops I am seeing are causing the issue, we're seeing with timing out on a website.

We've already reached out to application support, who suggest taking a look at our firewall.

Thanks,

Re: Disable Stateful Inspection

Chris_Atkinson — Tue, 13 Dec 2022 00:12:18 GMT

sk11088 describes that very procedure (example above).

Re: Disable Stateful Inspection

Jim_Holmes — Tue, 13 Dec 2022 21:50:45 GMT

There is a good chance it is not causing a noticeable problem. It is likely to be a scan if it is on an external interface. On an internal interface, it tends to point to a network problem (interface speed/duplex not matching is still what I see the most.) Of course, TAC is your best bet, but have the network folks in on it. It's a firewall problem until they find out a mouse ate the cable.