
Disabling 'out of state' checks between certain hosts

I've read that it's possible to disable 'out of state' checks between subnets and certain hosts using the user.def.X file, with something like the example below.

I'm ok with the version of the user.def file I should be using, but my challenge is that I have 5 source IPs, any of which could be used to communicate with 10 destination IPs. Not sure how to reflect that in the example below.

Any ideas?

/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { ((dst = x.x.x.x) and (src = y.y.y.y)) or ((dst = y.y.y.y) and (src = x.x.x.x)) };
/* End of INSPECT modification */
17 Replies

Re: Disabling 'out of state' checks between certain hosts

I would rather ask myself why TCP is out of state - this is not a healthy status afaik!

Re: Disabling 'out of state' checks between certain hosts

It is a pain but in my experience you have to write all the possible combinations ... In your case that is 50 different tuples.

As Gunther said, it might be better to look into why there are TCP packets out of state; usually it is asymmetric routing, but I've seen very old applications causing this issue before (it seemed to be mainly legacy applications directly querying SQL servers).

0 Kudos

Re: Disabling 'out of state' checks between certain hosts

Agreed, that is something that is being looked into, but an example of how it might look would be useful.

0 Kudos

Re: Disabling 'out of state' checks between certain hosts

In my experience, whether you need to do anything about "TCP out of state" messages depends on the specific TCP flags being reported in the log entry; please see my post here:

https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
Admin
Admin

Re: Disabling 'out of state' checks between certain hosts

While I agree with the other comments, you may be able to also do something like the following (if I remember INSPECT correctly): 

deffunc user_accept_non_syn() { (dst in { a.b.c.d , e.f.g.h }, src in { i.j.k.l, m.n.o.p }) };

Re: Disabling 'out of state' checks between certain hosts

Would something like this work, or can you only use the 'deffunc' statement once, on one line?

(IPs changed) where 172 is the source communicating with multiple 192s?

/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { (((dst = 192.168.1.1) and (src = 172.16.1.1)) or ((dst = 192.168.1.1) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.2) and (src = 172.16.1.1)) or ((dst = 192.168.1.2) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.3) and (src = 172.16.1.1)) or ((dst = 192.168.1.3) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.4) and (src = 172.16.1.1)) or ((dst = 192.168.1.4) and (src = 172.16.1.1))) and (dport = 1521) };
/* End of INSPECT modification */

#endif /* ifndef __user_def__ */

0 Kudos
Admin
Admin

Re: Disabling 'out of state' checks between certain hosts

No because you’re defining the function 4 times.

In my example, I showed you how you can define a list of source IPs and Destination IPs to compare.

You could theoretically add a port to it also. 

Note the comma is treated as an AND.

0 Kudos

Re: Disabling 'out of state' checks between certain hosts

Thanks, got it: so one line defining both source & destination IPs, and that would ignore 'out of state' for any of the IPs in the source/dest below?

deffunc user_accept_non_syn() { (dst in { 192.168.1.2 , 192.168.1.3, 192.168.1.4, 192.168.1.5,etc... }, src in { 172.16.1.1, 172.16.1.2, 172.16.1.3, 172.16.1.4, 172.16.15  }) };

0 Kudos
Admin
Admin

Re: Disabling 'out of state' checks between certain hosts

That looks correct.

That said, my INSPECT knowledge is a little rusty :)

0 Kudos
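As an added example (not code from the thread, nor Check Point's), the following Python script writes the user.def fragment for the 5-source / 10-destination case discussed above, using the `in { ... }` set form suggested earlier and just confirmed, and carries over the two-direction shape of the sk11088 template quoted in the original post: one clause matches client-to-server packets on `dport`, a second matches the server-to-client replies on `sport`, because for a reply packet `src` is the server and the port of interest is the source port. It also renders the alternative "every tuple" form mentioned earlier as a single `deffunc` with or'd clauses rather than one `deffunc` per pair, and refuses malformed set entries (for example `172.16.15`) instead of emitting them. The client/server addresses and port 1521 are constructed sample data; `accepts()` is a small model of the predicate used only to show which packets bypass the check, and is not the INSPECT engine.

```python
"""Build the sk11088-style user.def exception for N sources x M destinations.

Added example (not from the thread, not Check Point's code). It only writes the
INSPECT text; the INSPECT engine is not modelled beyond the small predicate at
the bottom, which assumes `src`, `dst`, `sport`, `dport`, `in { ... }` and the
comma/`and` behaviour as described in the thread.
"""
from ipaddress import ip_address
from itertools import product

# Constructed sample data shaped like the thread's case: 5 clients, 10 servers, TCP/1521.
CLIENTS = [f"172.16.1.{i}" for i in range(1, 6)]
SERVERS = [f"192.168.1.{i}" for i in range(1, 11)]
PORT = 1521

MARK_START = "/* Start of INSPECT modification - sk11088 */"
MARK_END = "/* End of INSPECT modification */"


def invalid_addresses(addrs):
    """Return the entries that are not well-formed IP addresses (e.g. '172.16.15')."""
    bad = []
    for a in addrs:
        try:
            ip_address(a)
        except ValueError:
            bad.append(a)
    return bad


def _ipset(addrs):
    """Render an INSPECT set literal, refusing malformed entries instead of emitting them."""
    bad = invalid_addresses(addrs)
    if bad:
        raise ValueError(f"not IP addresses: {bad}")
    return "{ " + ", ".join(addrs) + " }"


def render_user_def(clients, servers, port):
    """Compact form: set membership, ONE deffunc, both directions.

    Clause 1 matches client->server packets on dport; clause 2 matches the
    server->client replies on sport. Without clause 2 a reply packet is not
    matched at all, because for that packet `src` is the server and the
    interesting port is the *source* port.
    """
    c, s = _ipset(clients), _ipset(servers)
    return "\n".join([
        MARK_START,
        "deffunc user_accept_non_syn() {",
        f"    ((src in {c}) and (dst in {s}) and (dport = {port}))",
        f"    or ((src in {s}) and (dst in {c}) and (sport = {port}))",
        "};",
        MARK_END,
        "",
    ])


def render_exhaustive(clients, servers, port):
    """The 'write every tuple' form, still as ONE deffunc with or'd clauses.

    Repeating `deffunc user_accept_non_syn()` once per pair redefines the
    function rather than extending it, so every pair must live in one body.
    """
    clauses = []
    for c, s in product(clients, servers):
        clauses.append(f"((src = {c}) and (dst = {s}) and (dport = {port}))")
        clauses.append(f"((src = {s}) and (dst = {c}) and (sport = {port}))")
    return "\n".join([
        MARK_START,
        "deffunc user_accept_non_syn() {",
        "    " + "\n    or ".join(clauses),
        "};",
        MARK_END,
        "",
    ])


def accepts(src, dst, sport, dport, clients, servers, port):
    """Model of the predicate above for a non-SYN packet: True means the
    out-of-state drop is bypassed. Mirrors the two clauses exactly."""
    return ((src in clients and dst in servers and dport == port)
            or (src in servers and dst in clients and sport == port))


if __name__ == "__main__":
    print(render_user_def(CLIENTS, SERVERS, PORT))
```

Paste the returned text inside the existing `#ifndef __user_def__ ... #endif` block of the user.def file that applies to the gateway version, then install policy. Whether the `in { }` syntax is honoured on a given release is a question the thread itself leaves open; the script does not verify it.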
Vladimir
Pearl

Re: Disabling 'out of state' checks between certain hosts

Or:

0 Kudos

Re: Disabling 'out of state' checks between certain hosts

I tried this initially and it didn't work.

0 Kudos
Vladimir
Pearl

Re: Disabling 'out of state' checks between certain hosts

Huh... Dameon Welch-Abernathy, can you forward it to R&D to take a look at?

0 Kudos

Re: Disabling 'out of state' checks between certain hosts

We are on R80.10 Management (take 154). The gateway I'm working with is a VS on R77.30 

0 Kudos
Vladimir
Pearl

Re: Disabling 'out of state' checks between certain hosts

Perhaps it is a factor, but I am not aware of this limitation.

0 Kudos

Re: Disabling 'out of state' checks between certain hosts

I assumed it was a different check as 'out of state' checks can be turned off in global properties, but that's obviously global and not something I want to do globally.

0 Kudos
Vladimir
Pearl

Re: Disabling 'out of state' checks between certain hosts

Yeah, you can only narrow the global setting to a particular gateway, not the pair of hosts.

0 Kudos
Admin
Admin

Re: Disabling 'out of state' checks between certain hosts

Not sure those exceptions are effective on pre-R80 gateways.

0 Kudos