https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19219#M3513 <HTML><HEAD></HEAD><BODY><P>What rule is allowing the traffic?</P><P>A screenshot of the rule and the generated log entry (with sensitive info obscured) might be helpful.</P></BODY></HTML> Mon, 24 Dec 2018 17:17:10 GMT PhoneBoy 2018-12-24T17:17:10Z https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19216#M3510 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P>We had someone do a port scan and packet capture against our gateways from the internet. The report came back with a bunch of ports "open" for one of our IP addresses.</P><P></P><P>for one of the "open" ports - FTP (tcp 21) the packet capture clearly shows the 3-way TCP handshake completes but the firewall log shows the connection is dropped. The capture desnt show any RST from the gateway. The firewall log shows no traffic actually makes it to the server behind the firewall, but the connecting host sees TCP session establishment.</P><P></P><P></P><P>My question is, is it normal for the gateway to complete the TCP build-up before dropping the connection? I was under the impression first SYN from the connecting host was evaluated against the ruleset.</P></BODY></HTML> Mon, 24 Dec 2018 01:31:32 GMT https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19216#M3510 Christopher_Bar 2018-12-24T01:31:32Z https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19217#M3511 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>first, when ruleset says „drop“ there will be no RST. The firewall will just kind of ignore the packet.&nbsp;</P><P>For RST you‘d need „Reject“ as action.</P><P></P><P>Maybe, some of these open ports are covered by the implicit rules. Do you have set „log implicit rules“ at the global properties?</P><P></P><P>Regarding the packet capture and 3way handshake we‘d need more information. What blades are on? Maybe someNAT or in place?</P></BODY></HTML> Mon, 24 Dec 2018 08:45:31 GMT https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19217#M3511 Nüüül 2018-12-24T08:45:31Z https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19218#M3512 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://community.checkpoint.com/migrated-users/67370">Christopher Barnes</A>,</P><P></P><P>I think it&nbsp; works a prozesse or daemon on this port for example client authentication.</P><P></P><P>1) Look on this port. It should be port 21 in listen mode on gateway if necessary.</P><P></P><P># netstat -npl |grep 21</P><P></P><P>Now you see the process bound to port 21. Now you can found the <A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk97638&amp;partition=General&amp;product=All%22" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk97638&amp;partition=General&amp;product=All%22">Check Point Processes and Daemons</A> in this SK. That should give a clue what triggers the 3-way handshake.</P><P></P><P>2) Could be a UP Policy under R80.10 or R80.20.</P><P></P><P>3) Check which blades are on.</P><P></P><P>Regards</P><P>Heiko</P></BODY></HTML> Mon, 24 Dec 2018 11:21:03 GMT https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19218#M3512 HeikoAnkenbrand 2018-12-24T11:21:03Z https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19219#M3513 <HTML><HEAD></HEAD><BODY><P>What rule is allowing the traffic?</P><P>A screenshot of the rule and the generated log entry (with sensitive info obscured) might be helpful.</P></BODY></HTML> Mon, 24 Dec 2018 17:17:10 GMT https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19219#M3513 PhoneBoy 2018-12-24T17:17:10Z https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19220#M3514 <HTML><HEAD></HEAD><BODY><P>Is the Protocol Signature checkbox set on the FTP service as shown?&nbsp; If so read the warning below:</P><P></P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/76574_ftp_sig.jpg" /></P><P></P><P>--</P><P>CheckMates Break Out Sessions Speaker</P><P>CPX 2019 Las Vegas &amp; Vienna - Tuesday@13:30</P></BODY></HTML> Mon, 24 Dec 2018 22:02:59 GMT https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19220#M3514 Timothy_Hall 2018-12-24T22:02:59Z https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19221#M3515 <HTML><HEAD></HEAD><BODY><P>Right, if protocol signature is enabled, it will complete the handshake and look for the protocol signature in the subsequent data packets to complete the rulebase matching.&nbsp;</P></BODY></HTML> Thu, 27 Dec 2018 17:15:42 GMT https://community.checkpoint.com/t5/General-Topics/Seeing-full-3-way-handshake-for-connection-that-should-be/m-p/19221#M3515 Kishin_Fatnani 2018-12-27T17:15:42Z