HeikoAnkenbrand
Champion

Disable Stateful Inspection

I had an emergency during an upgrade where I had to disable "Stateful Inspection" for TCP connections (for a short time).
If you only want to turn this off for a short time, the best way to do this is on the gateways, on the fly.

Attention:
If you do this, it weakens the security of the gateways: TCP packets that do not belong to a connection the gateway has seen being established (out-of-state packets) are accepted instead of dropped.

Here are the three solutions:

1) Via SmartConsole (Global Properties > Stateful Inspection, "Drop out of state TCP packets") --> read more here: sk117374
     [Screenshot: OutOfState.PNG]


2) or on the Management Server via INSPECT code
     Add the following lines to user.def and install the policy --> read more here: sk11088


     //
     // User defined INSPECT code
     //

     /* Start of INSPECT modification - sk11088 */
     /* Address range the override applies to. 0.0.0.1-239.255.255.255 covers
        practically every unicast and multicast address, so this version turns
        off the SYN check for all TCP connections. Narrow it to the hosts that
        actually need it if you can. */
     net1={ <0.0.0.1, 239.255.255.255> };
     /* Non-SYN packets with no matching connection are accepted instead of
        dropped when either endpoint is inside net1. */
     deffunc user_accept_non_syn() {((src in net1) or (dst in net1)) };
     /* End of INSPECT modification */

     /* The two #endif lines below already close the #ifndef guards that user.def
        opens further up; the block above goes before them, inside the guards. */
     #endif /* ifndef IPV6_FLAVOR */
     #endif /* ifndef __user_def__ */

3) or on the Gateway on the fly (expert mode, takes effect immediately, not persistent across a reboot) --> read more here: sk117374

       [Expert@GW]# fw ctl set int fw_allow_out_of_state_tcp 1

Attention:
Never ever forget to turn it back on.
(Thanks @_Val_, good comment from you.)
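Option 3 is the one that is easiest to forget to undo. As an added example (not from the original post and not Check Point's own code), the script below wraps the on-the-fly change in a function that reads the current value with `fw ctl get int`, sets the parameter to 1, runs whatever maintenance command you pass, and restores the previous value on the way out, including when the command fails or the session is interrupted. `fw ctl get int` / `fw ctl set int` are the real gateway commands; the `FW_CTL` variable, the `with_out_of_state_allowed` function and the script name are assumptions of this example so it can be tried with a stub off a gateway.

```shell
#!/bin/sh
# oos_window.sh - time-boxed override of the TCP out-of-state check on a
# Check Point gateway. Added example, not from the original post.
# Assumes the real `fw ctl get int` / `fw ctl set int` commands of a Gaia
# gateway; FW_CTL is a hypothetical override so the functions can be
# exercised with a stub outside of a gateway.
set -u

PARAM=fw_allow_out_of_state_tcp
FW_CTL=${FW_CTL:-"fw ctl"}

# Read the current integer value of a kernel parameter.
# `fw ctl get int X` prints "X = N"; keep only the number.
get_param() {
    $FW_CTL get int "$1" | sed -n 's/.*= *\([0-9][0-9]*\).*/\1/p'
}

# Set a kernel parameter in the running kernel only (no reboot persistence).
set_param() {
    $FW_CTL set int "$1" "$2" >/dev/null
}

# Run "$@" with out-of-state TCP allowed, then put the parameter back to
# whatever it was before, even if the command fails or the shell is
# interrupted. Returns the exit status of the wrapped command.
with_out_of_state_allowed() {
    previous=$(get_param "$PARAM")
    [ -n "$previous" ] || { echo "cannot read $PARAM" >&2; return 2; }

    # Expand $previous now; the trap string must not depend on the variable
    # still being around when the shell exits.
    trap "set_param $PARAM $previous; trap - EXIT INT TERM" EXIT INT TERM
    set_param "$PARAM" 1
    echo "$PARAM=1 (was $previous); reverting on exit" >&2

    rc=0
    "$@" || rc=$?

    set_param "$PARAM" "$previous"
    trap - EXIT INT TERM
    echo "$PARAM restored to $(get_param "$PARAM")" >&2
    return "$rc"
}

# Usage: ./oos_window.sh <command...>
# e.g. ./oos_window.sh sleep 900   (do the upgrade step in another session
# while the window is open, then Ctrl-C or let the sleep end)
if [ "$#" -gt 0 ]; then
    with_out_of_state_allowed "$@"
fi
```

Because `fw ctl set int` only changes the running kernel, a reboot also restores the default; conversely, do not put fw_allow_out_of_state_tcp in $FWDIR/boot/modules/fwkern.conf, which would make the override permanent. Confirm the state afterwards with `fw ctl get int fw_allow_out_of_state_tcp`.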
6 Replies
_Val_
Admin

I miss a big red disclaimer at the end of this article saying:

Never ever forget to turn it back on

HeikoAnkenbrand
Champion

I still write that in the article 🙂

nevillekuo
Ambassador

Some of my customers turned it off for some reason, even with only one internet connection (they just see so many out-of-state drops). If we still have all Threat Prevention functions enabled, what is the drawback if the TCP SYN check is turned off?

_Val_
Admin

Out of state drops usually indicate a routing issue and should not be just ignored. Disabling stateful is a severe security degradation.

nevillekuo
Ambassador

I understand, but it's hard to explain why a routing issue is encountered when there is only one internet connection. It's not just 2 or 3 customers, it's many. Maybe we should consider sk11088 as the best solution for this.

_Val_
Admin

I disagree. You should override stateful ONLY if you investigated the situation properly and proved it is an application that is not respecting the TCP state. This is what sk11088 is about.