Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion
Jump to solution

Disable Stateful Inspection

I had the emergency during an upgrade that I had to disable "Stateful Inspection" for TCP connetions (for a short time).
If you only want to turn this off for a short time, the best way to do this is on the gateways on the fly.

Attention:
If you do this, it can have a problematic security effect on the gateways.

Here are the three solutions:

1) Via SmartConsole --> more read here sk117374
     OutOfState.PNG


2) or on the Management Server via INSPECT code
     Add the folowing lines to the user.def and install the policy --> more read here: sk11088
     

     //
     // User defined INSPECT code
     //

     /* Start of INSPECT modification - sk11088 */
     net1={ <0.0.0.1, 239.255.255.255> };
     deffunc user_accept_non_syn() {((src in net1) or (dst in net1)) };

      /* End of INSPECT modification */

     #endif /* ifndef IPV6_FLAVOR */
     #endif /* ifndef __user_def__ */

3) or on the Gateway on the fly --> more read here sk117374

       expert mode#   fw ctl set int fw_allow_out_of_state_tcp 1

 

Attention:
Never ever forget to turn it back on.
(Thanks @_Val_, good comment from you.)




    
    
    

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee

sk11088 describes that very procedure (example above).

CCSM R77/R80/ELITE

View solution in original post

9 Replies
_Val_
Admin
Admin

I miss big red disclamer at the end of this article saying:

Never ever forget to turn it back on

HeikoAnkenbrand
Champion Champion
Champion

I still write that in the article 🙂

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
nevillekuo
Employee Employee
Employee

Some of my customer turned it off for some reason even if only 1 internet connection(They just see so many out of state drop), if we still enabled all threat prevention functions what's the drawback if tcp syn check is turned off?

_Val_
Admin
Admin

Out of state drops usually indicate a routing issue and should not be just ignored. Disabling stateful is a severe security degradation.

nevillekuo
Employee Employee
Employee

I understand, but it's hard to explain why encountered routing issue when only 1 internet connection, not just 2 or 3 customers, it's many, maybe we should consider sk11088 as a best solution for this.

_Val_
Admin
Admin

I disagree. You should override stateful ONLY if you investigated the situation properly and proved it is an application that is not respecting the TCP state. This is what sk11088 is about.

r1der
Advisor

Is it possible to do this just for a certain destination and not the entire gateway? 
I'm reading multiple threads about the First packet isn't SYN. The TCP Flag is FIN-ACK (log card from Client --> Server).
I'm not able to determine if these drops I am seeing are causing the issue, we're seeing with timing out on a website.

We've already reached out to application support, who suggest taking a look at our firewall.

Thanks,

0 Kudos
Chris_Atkinson
Employee Employee
Employee

sk11088 describes that very procedure (example above).

CCSM R77/R80/ELITE
Jim_Holmes
Employee Alumnus
Employee Alumnus

There is a good chance it is not causing a noticeable problem. It is likely to be a scan if it is on an external interface. On an internal interface, it tends to point to a network problem (interface speed/duplex not matching is still what I see the most.) Of course, TAC is your best bet, but have the network folks in on it. It's a firewall problem until they find out a mouse ate the cable.

Aka, Chillyjim
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events