Disabling 'out of state' checks between certain hosts

I've read that it's possible to disable the 'out of state' check between subnets and certain hosts using the user.def.X file, with something like the example below.

I'm OK with the version of the user.def file I should be using, but my challenge is that I have 5 source IPs, any of which could be used to communicate with 10 destination IPs. Not sure how to reflect that in the example below.

Any ideas?

/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { ((dst = x.x.x.x) and (src = y.y.y.y)) or ((dst = y.y.y.y) and (src = x.x.x.x)) };
/* End of INSPECT modification */
17 Replies
Sapphire

I would rather ask myself why TCP is out of state - this is not a healthy status afaik!


It is a pain but in my experience you have to write all the possible combinations ... In your case that is 50 different tuples.

As Gunther said, it might be better to look into why there are TCP packets out of state. Usually it is asymmetric routing, but I've seen very old applications causing this issue before (it seemed to be mainly legacy applications directly querying SQL servers).


Agreed, that is something that is being looked into, but an example of how it might look would be useful.


In my experience, whether you need to do anything about "TCP out of state" messages depends on the specific TCP flags being reported in the log entry. Please see my post here:

https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Admin

While I agree with the other comments, you may also be able to do something like the following (if I remember INSPECT correctly):

deffunc user_accept_non_syn() { (dst in { a.b.c.d , e.f.g.h }, src in { i.j.k.l, m.n.o.p }) };

Would something like this work, or can you only use the 'deffunc' statement once, on one line?

(IPs changed) where the 172 address is the source communicating with multiple 192 addresses?

/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { (((dst = 192.168.1.1) and (src = 172.16.1.1)) or ((dst = 192.168.1.1) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.2) and (src = 172.16.1.1)) or ((dst = 192.168.1.2) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.3) and (src = 172.16.1.1)) or ((dst = 192.168.1.3) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.4) and (src = 172.16.1.1)) or ((dst = 192.168.1.4) and (src = 172.16.1.1))) and (dport = 1521) };
/* End of INSPECT modification */

#endif /* ifndef __user_def__ */

Admin

No, because you're defining the function 4 times.

In my example, I showed you how you can define a list of source IPs and destination IPs to compare.

You could theoretically add a port to it also.

Note the comma is treated as an AND.

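As an added example (not code from this thread, and not Check Point's own INSPECT), here is a small Python model of the predicate the replies describe: set membership for dst and src joined by the INSPECT comma acting as AND, plus an optional dport clause. It lets you check offline which 'out of state' log entries a proposed exception would cover before pushing policy, confirms Tim's count that the enumerated form needs 50 (src, dst) tuples for 5 sources and 10 destinations, and renders the single-line deffunc in the syntax shown above. The IP addresses, port, log line format and the exact rendered syntax are constructed assumptions modelled on the thread, not verified against a gateway.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed scoping values modelled on the thread: five 172.16.1.x sources,
# ten 192.168.1.x destinations, and the Oracle listener port TCP/1521.
SRC_HOSTS = [f"172.16.1.{i}" for i in range(1, 6)]
DST_HOSTS = [f"192.168.1.{i}" for i in range(1, 11)]
DPORT = 1521


@dataclass(frozen=True)
class NonSynException:
    """Models the body of user_accept_non_syn(): (dst in {...}, src in {...}) [and (dport = N)]."""
    src: FrozenSet[IPv4Address]
    dst: FrozenSet[IPv4Address]
    dport: Optional[int] = None  # None: no port clause, like the sk11088 template

    @classmethod
    def build(cls, srcs: Iterable[str], dsts: Iterable[str], dport: Optional[int] = None):
        return cls(frozenset(map(ip_address, srcs)), frozenset(map(ip_address, dsts)), dport)

    def accepts(self, src: str, dst: str, dport: int) -> bool:
        """True if a non-SYN first packet src->dst:dport would be exempted. The comma is an AND."""
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        return self.dport is None or dport == self.dport

    def tuples(self) -> FrozenSet[Tuple[IPv4Address, IPv4Address]]:
        """Every (src, dst) pair the set form covers; the enumerated OR form needs one clause each."""
        return frozenset(product(self.src, self.dst))

    def to_inspect(self) -> str:
        """Render one deffunc line in the syntax the thread shows (assumed, not verified)."""
        dst = ", ".join(str(a) for a in sorted(self.dst))
        src = ", ".join(str(a) for a in sorted(self.src))
        body = f"(dst in {{ {dst} }}, src in {{ {src} }})"
        if self.dport is not None:
            body = f"{body} and (dport = {self.dport})"
        return f"deffunc user_accept_non_syn() {{ {body} }};"


# Constructed log lines in a simple key=value format (not the real Check Point log format).
LOG_LINES: List[str] = [
    "src=172.16.1.1 dst=192.168.1.3 proto=tcp dport=1521 flags=ACK reason=out_of_state",   # covered
    "src=172.16.1.2 dst=192.168.1.9 proto=tcp dport=1522 flags=ACK reason=out_of_state",   # wrong port
    "src=10.0.0.7 dst=192.168.1.3 proto=tcp dport=1521 flags=ACK reason=out_of_state",     # src not listed
    "src=192.168.1.3 dst=172.16.1.1 proto=tcp dport=1521 flags=ACK reason=out_of_state",   # reverse direction
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a constructed key=value log line into a field dictionary."""
    return dict(token.split("=", 1) for token in line.split())


def triage(exc: NonSynException, lines: Iterable[str]) -> Dict[str, bool]:
    """Map each out-of-state log line to True if the exception would accept that packet."""
    result: Dict[str, bool] = {}
    for line in lines:
        f = parse_log_line(line)
        result[line] = f.get("proto") == "tcp" and exc.accepts(f["src"], f["dst"], int(f["dport"]))
    return result


if __name__ == "__main__":
    exc = NonSynException.build(SRC_HOSTS, DST_HOSTS, DPORT)
    print(f"{len(exc.tuples())} (src, dst) tuples covered by one set-based line")
    print(exc.to_inspect())
    for line, ok in triage(exc, LOG_LINES).items():
        print("exempted   " if ok else "still drop ", line)
```

Note the last sample line: the set form only exempts traffic with dst in the destination list and src in the source list, so the reverse direction is not covered unless you add it, whereas the sk11088 template above covers both directions with its OR. Scoping the exception to the port as well keeps the exemption as narrow as the problem actually requires.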

Thanks, got it. So one line defining both source and destination IPs, and that would ignore 'out of state' for any of the IPs in the source/dest below?

deffunc user_accept_non_syn() { (dst in { 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, etc... }, src in { 172.16.1.1, 172.16.1.2, 172.16.1.3, 172.16.1.4, 172.16.1.5 }) };

Admin

That looks correct.

That said, my INSPECT knowledge is a little rusty :)

Pearl

Or:


I tried this initially and it didn't work.

Pearl

Huh... Dameon Welch-Abernathy, can you forward it to R&D to take a look at?


We are on R80.10 Management (take 154). The gateway I'm working with is a VS on R77.30.

Pearl

Perhaps it is a factor, but I am not aware of this limitation.


I assumed it was a different check, as 'out of state' checks can be turned off in Global Properties, but that is obviously global and not something I want to do globally.

Pearl

Yeah, you can only narrow the global setting to a particular gateway, not the pair of hosts.

Admin

Not sure those exceptions are effective on pre-R80 gateways.
