topic Re: Stateful Inspection on Gateways in General Topics

Stateful Inspection on Gateways

Di_Junior — Tue, 11 Sep 2018 08:21:21 GMT

Dear Mates,

I need your help with regards to an issue that we faced in our environment.

I have replaced a former administrator in the company, and in the day he left, some of the critical services in the company stopped working. The first thing I did was to go to the Management Tab in the SmartView Tracker and check all the changes that was made on the day the problem started.

I found many changes, and one of the them was ralated to UDP stateful inspection. He swicthed off this firewall property in the global configuration mode. Since the service that was impacted uses UDP ports 2123, and 2152, this service was having problems and our clients were not able to establish connection.

Once we switched back on the UDP statefull inspection in the global configuration, everything started working just fine.

I now need a a technical explanation to present to the Management as to how unchecking UDP Statefull inspection caused the issue. That is why I wish to ask if you can share more information about Statefull Inspection, or refer me to a documentation that I can read.

Thanks in advance.

Re: Stateful Inspection on Gateways

G_W_Albrecht — Tue, 11 Sep 2018 08:36:13 GMT

There is sk103084 How to configure the Security Gateway to drop Out of State UDP packets and sk102491 How to configure the Security Gateway to drop Out of State TCP packets - but this is not statefull inspection, but to drop out-of-state packets...

Re: Stateful Inspection on Gateways

Jerry — Tue, 11 Sep 2018 08:49:19 GMT

so you really in essense asking what does it mean "Check Point Firewall" to be frank.

stateful inspection whether UDP or TCP is part of the essense of the FW1 since 25y rerally.

reading about the Stateful Inspection and DPI enginering is like reading about history of CP Firewall architecture.

I think above sk's should help but I believe more or less explanatory as to what the SPI to the UDP/TCP in either drop-out-of-sate etc. is all "googleble" if you know what I mean.

Re: Stateful Inspection on Gateways

Di_Junior — Tue, 11 Sep 2018 08:54:18 GMT

Hi Jerry Szpinak‌, yes it is googleble, but this situation is going to court, so I need as much information as possible from trusted source. But thanks Anyways

Re: Stateful Inspection on Gateways

Laxi_D — Fri, 21 Jun 2019 09:13:57 GMT

you switched on UDP stateful inspection means you enabled ( check the box) Accept stateful UDP replies for unknown services in global properties?

More info firewall packet flow

https://community.checkpoint.com/docs/DOC-3061-security-gateway-packet-flow-and-acceleration-with-diagrams

Re: Stateful Inspection on Gateways

Jerry — Tue, 11 Sep 2018 08:59:21 GMT

ah ok, I didn't know that it is about that serious, my apologize for a vague response then.

with regards to the official docs - please stick the the CP sk's as they'are vendor-specific well crafted documentation uses by the whole community and highly recognized within the network security landscape - if I were you and I was about to support the court-case I would definitely use the sk's mentioned earlier as a starting point.

when needed you can always use the wikipedia and cpug to support theoretical architecture of the SPI/DPI etc.

hope it helps and ... my 5 cents "poor ex-employee" I wish him good luck

Re: Stateful Inspection on Gateways

G_W_Albrecht — Tue, 11 Sep 2018 09:29:24 GMT

Under these circumstances i would involve TAC to get a deep technical explanation of the background of these settings and the issues caused !

Re: Stateful Inspection on Gateways

PhoneBoy — Tue, 11 Sep 2018 14:33:16 GMT

It would be better if you posted a screenshot of exactly the option(s) changed.

From there we can refer you to the correct documentation.

Further, if there are (potential) court cases involved, please ensure you are gathering evidence under the guidance of legal council.

There are rules related to digital evidence that must be followed if it is to be admissible in court.

Re: Stateful Inspection on Gateways

Di_Junior — Tue, 11 Sep 2018 14:44:31 GMT

Thanks. I guess that is what I am going to do.

Re: Stateful Inspection on Gateways

Di_Junior — Tue, 11 Sep 2018 15:35:29 GMT

Here is the picture, the circled options were unchecked.

Re: Stateful Inspection on Gateways

PhoneBoy — Tue, 11 Sep 2018 16:51:55 GMT

If you click on the question mark in the upper right corner of this screen, you will see the online help that describes these options.

They are also described in the product documentation and SK.

Note that these are the default settings for the circled options, so it's clear they were adjusted by someone else.

The following are my explanations of how these features work and should not be construed as "official documentation."

Unlike TCP, which tracks connection state as part of the protocol, UDP does not.

If Accept Stateful UDP Replies for Unknown Services is ticked (or the "Accept replies" option in the service definition) the way we determine if a UDP packet is part of a valid session is if we see a response to it.

A response would depend on how the outgoing request is constructed.

Assume that I am host A talking to host B on UDP port X.

Host A would initiate that connection from source port Y via UDP to Host B to destination port X.

If Host B responds with a packet from source port X to Host A on destination port Y, then a "virtual session" is established.

Packets that come from Host A on source port Y Host B to destination port X and from Host B on source port X to host A will continue to be allowed until no packets are seen on this "session" for the UDP virtual session timeout.

Then the session will be closed.

Drop Out Of State TCP packets will drop TCP packets that appear to be unrelated to a connection seen by the Security Gateway.

For the gateway to consider a connection "seen" it must observe the three-way handshake that occurs when the TCP connection is established.

The initial SYN packet would be checked against the Access Policy.

Once the connection is established, the connection is tracked until it closes or the connection "times out" (no packets on the connection seen for the TCP timeout).

ICMP, similar to UDP, doesn't really have "state" associated with it.

That said, based on traffic that is permitted, you can infer what would be expected in terms of an ICMP response.

Provided such packets are sent within the ICMP virtual session timeout, they are permitted.

For example, if I permit an ICMP Echo Request (ping) through the gateway, you might expect to see an ICMP Echo Reply or ICMP Host/Network Unreachable message as a response.

An ICMP Host Unreachable or TTL Time Expired might be expected if I'm doing a traceroute somewhere.

This is not an exhaustive list, but it gives you an idea of what this option is intended for.

Re: Stateful Inspection on Gateways

Di_Junior — Tue, 11 Sep 2018 17:37:16 GMT

"Note that these are the default settings for the circled options, so it's clear they were adjusted by someone else."

Yes, I found the logs in smartView tracker in the Management Tab.

Thank you Dameon Welch Abernathy‌ you save me big time. Much appreciated.