https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184787#M30789 <P>This is part of the "Packet Sanity" protection in the "Inspection Settings" which are part of the Access Control policy and not Threat Prevention.</P> <P>My initial take was that this is some kind of interprocess communication on the firewall using ephemeral ports that should have used the loopback/127.0.0.1 interface but used its own Mgmt interface instead.&nbsp; The protection presumably doesn't like that the TCP flags PSH and URG are set but there is no ACK flag set.&nbsp; It is not clear to me if this packet was originated by the firewall itself, or is some kind of spoofed packet coming in from the network.&nbsp; Perhaps others can chime in.</P> Mon, 26 Jun 2023 12:46:21 GMT Timothy_Hall 2023-06-26T12:46:21Z https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184723#M30771 <P>Dear Team,</P><P>Query 1: is this a default protection (Part of the access control policy) ?</P><P>Query 2: Why does GW send traffic to its own using Mgmt Port?</P><P>Query 3: What is the impact ?</P><P>Attack Name: Mailformed Packet<BR />Attack Information: Invalid TCP flag combination<BR />Protection Type: Protocol Animaly<BR />Performance Impact: Very Low<BR />Confidence Level: High<BR />Severity:Medium<BR />Industry reference: CAN-2002-1071<BR />tcp_flags:PUSH-URG<BR />Interface: Mgmt<BR />interface Direction: Inbound<BR />SRC IP: GW (10.10.10.2)<BR />DST IP:GW (10.10.10.2)<BR />Service: TCP/46039 (Destination Port)<BR />Protocol: TCP (6) (6)<BR />Threat Profile: No_protection_503******<BR />Action: Detect</P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CP_FW_to_FW.jpeg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21522iB5446A8C57EBFBEA/image-size/large?v=v2&amp;px=999" role="button" title="CP_FW_to_FW.jpeg" alt="CP_FW_to_FW.jpeg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 25 Jun 2023 16:37:26 GMT https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184723#M30771 Chinmaya_Naik 2023-06-25T16:37:26Z https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184780#M30786 <P>DearCheckmates Team,</P><P>Please help me to clarify .</P><P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;</P> Mon, 26 Jun 2023 12:16:23 GMT https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184780#M30786 Chinmaya_Naik 2023-06-26T12:16:23Z https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184787#M30789 <P>This is part of the "Packet Sanity" protection in the "Inspection Settings" which are part of the Access Control policy and not Threat Prevention.</P> <P>My initial take was that this is some kind of interprocess communication on the firewall using ephemeral ports that should have used the loopback/127.0.0.1 interface but used its own Mgmt interface instead.&nbsp; The protection presumably doesn't like that the TCP flags PSH and URG are set but there is no ACK flag set.&nbsp; It is not clear to me if this packet was originated by the firewall itself, or is some kind of spoofed packet coming in from the network.&nbsp; Perhaps others can chime in.</P> Mon, 26 Jun 2023 12:46:21 GMT https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184787#M30789 Timothy_Hall 2023-06-26T12:46:21Z https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184834#M30796 <P>I have seen these packets when a host tries to connect to the same hide NAT address that it is being hide NATted behind. I think it was iPhones trying to connect to each other when I saw it "in the wild."&nbsp; &nbsp;You may be able to hunt down the original request by matching the destination port with the original post nat source port. *this is assuming you are hide NATting traffic behind your gateway's IP address</P> Mon, 26 Jun 2023 17:58:46 GMT https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/184834#M30796 Lloyd_Braun 2023-06-26T17:58:46Z https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/185260#M30887 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8834">@Lloyd_Braun</a>&nbsp;</P><P>Thanks for the update.</P><P>Please clarify more on this.</P><P>As per the logs, Gateway is the source and destination also.</P><P><SPAN>Service: TCP/46039 (Destination Port) which is not a registered port.&nbsp;</SPAN></P><P><SPAN>As per&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;Sir it's using the Mgmt port which is a question.</SPAN></P><P><SPAN>I ran the&nbsp; TCPDUMP with that PORT but no traffic.</SPAN></P><P><SPAN>Looks like it's one time log generated a few days back.</SPAN></P><P><SPAN><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;</SPAN></P> Fri, 30 Jun 2023 06:16:11 GMT https://community.checkpoint.com/t5/General-Topics/Same-source-and-destination-GW-only-Invalid-TCP-flag-combination/m-p/185260#M30887 Chinmaya_Naik 2023-06-30T06:16:11Z