Disable Stateful Inspection
I had an emergency during an upgrade where I had to disable "Stateful Inspection" for TCP connections (for a short time).
If you only want to turn this off for a short time, the best way to do it is on the gateways on the fly.
Attention:
If you do this, it can have a problematic security effect on the gateways.
Here are the three solutions:
1) Via SmartConsole --> read more here: sk117374
2) or on the Management Server via INSPECT code
Add the following lines to the user.def and install the policy --> read more here: sk11088
//
// User defined INSPECT code
//
/* Start of INSPECT modification - sk11088 */
net1={ <0.0.0.1, 239.255.255.255> };
deffunc user_accept_non_syn() {((src in net1) or (dst in net1)) };
/* End of INSPECT modification */
// The two #endif lines below already exist at the end of user.def; the block goes above them.
#endif /* ifndef IPV6_FLAVOR */
#endif /* ifndef __user_def__ */
3) or on the Gateway on the fly --> read more here: sk117374
expert mode# fw ctl set int fw_allow_out_of_state_tcp 1
Attention:
Never ever forget to turn it back on.
(Thanks @_Val_, good comment from you.)
- Tags:
- performance
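Option 3 above is a one-line kernel parameter change, and the warning that follows it ("never forget to turn it back on") is the part that goes wrong in practice. The script below is an added example, written for this thread and not taken from the post or from Check Point: it wraps `fw ctl set int fw_allow_out_of_state_tcp` so the window is opened for a bounded number of seconds, the previous value is saved, read back after every change, and restored by a detached timer even if the SSH session drops. Assumptions (not from the original): it runs in expert mode, `fw ctl get int <name>` prints `<name> = <value>` (parsed leniently as "the trailing integer"), `0` is the normal stateful-drop setting, and `FW`/`STATE_FILE` can be overridden to dry-run it on a host without `fw`.

```shell
#!/bin/bash
# Added example (not from the CheckMates post, not a Check Point tool): bounded
# out-of-state TCP window around "fw ctl set int fw_allow_out_of_state_tcp".
# Assumed: "fw ctl get int NAME" prints "NAME = VALUE"; 0 = normal stateful drop.
FW="${FW:-fw}"                                    # override for a dry run
PARAM="fw_allow_out_of_state_tcp"
STATE_FILE="${STATE_FILE:-/var/tmp/${PARAM}.prev}"

# Pull the trailing integer out of a "name = value" line (assumed output format).
parse_kernel_int() {
    printf '%s\n' "$1" | sed -n 's/.*[= ]\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

current_value() {
    parse_kernel_int "$("$FW" ctl get int "$PARAM")"
}

# Set the parameter and read it back: a silent failure would leave the gateway
# in an unknown state, which is worse than either explicit setting.
set_value() {
    "$FW" ctl set int "$PARAM" "$1" >/dev/null || return 1
    [ "$(current_value)" = "$1" ]
}

# Allow out-of-state TCP for at most $1 seconds (default 600), then revert.
# The previous value is saved to disk so restore_now works from a new session.
allow_out_of_state_for() {
    secs="${1:-600}"
    prev="$(current_value)" && [ -n "$prev" ] || { echo "cannot read $PARAM" >&2; return 1; }
    printf '%s\n' "$prev" > "$STATE_FILE"
    set_value 1 || { echo "failed to set $PARAM=1" >&2; return 1; }
    logger -t oos-window "$PARAM=1 for ${secs}s (previous $prev)" 2>/dev/null || true
    # Detached timer: reverts even if the admin's session is lost mid-upgrade.
    ( sleep "$secs"
      "$FW" ctl set int "$PARAM" "$prev" >/dev/null
      logger -t oos-window "$PARAM restored to $prev" 2>/dev/null || true ) &
    echo "$PARAM=1 for ${secs}s; previous value $prev saved in $STATE_FILE"
}

# Manual revert, e.g. the moment the upgrade step that needed it is done.
restore_now() {
    prev="$(cat "$STATE_FILE" 2>/dev/null)" || prev=0   # 0 = assumed default (drop)
    set_value "$prev"
}

case "${1:-}" in
    open)    allow_out_of_state_for "${2:-600}" ;;
    restore) restore_now ;;
    status)  echo "$PARAM = $(current_value)" ;;
    "")      ;;   # no arguments: only define the functions (sourced or tested)
    *)       echo "usage: $0 {open [seconds]|restore|status}" >&2 ;;
esac
```

Usage on the gateway would be `./oos-window.sh open 300` before the step and `./oos-window.sh restore` as soon as it is over; `status` shows the live value. Note that `fw ctl set int` changes the running kernel only and does not survive a reboot, which is the right property for a temporary override: nothing here touches the persistent kernel parameter configuration, so a reboot returns the gateway to the policy's stateful behaviour.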
Accepted Solutions
sk11088 describes that very procedure (example above).
I miss a big red disclaimer at the end of this article saying:
Never ever forget to turn it back on.
I still write that in the article 🙂
Some of my customers turned it off for some reason even though they only have 1 internet connection (they just see so many out-of-state drops). If we still have all threat prevention functions enabled, what's the drawback if the TCP SYN check is turned off?
Out-of-state drops usually indicate a routing issue and should not just be ignored. Disabling stateful inspection is a severe security degradation.
I understand, but it's hard to explain why a routing issue is encountered when there is only 1 internet connection. It's not just 2 or 3 customers, it's many; maybe we should consider sk11088 as the best solution for this.
I disagree. You should override stateful inspection ONLY if you have investigated the situation properly and proved it is an application that is not respecting the TCP state. This is what sk11088 is about.
Is it possible to do this just for a certain destination and not for the entire gateway?
I'm reading multiple threads about "First packet isn't SYN". The TCP flag is FIN-ACK (log card from Client --> Server).
I'm not able to determine whether the drops I am seeing are causing the issue we're seeing with timeouts on a website.
We've already reached out to application support, who suggest taking a look at our firewall.
Thanks,
There is a good chance it is not causing a noticeable problem. It is likely to be a scan if it is on an external interface. On an internal interface, it tends to point to a network problem (interface speed/duplex not matching is still what I see the most.) Of course, TAC is your best bet, but have the network folks in on it. It's a firewall problem until they find out a mouse ate the cable.
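The question above asks whether the override can be limited to a certain destination, and the answer given is sk11088, i.e. the user.def approach from the original post with a narrower `net1` than the near-global range shown there. The script below is an added example for this thread, not code from the post, from sk11088 or from Check Point: it turns a list of hosts and CIDR prefixes into the `net1` set, emits the same `user_accept_non_syn` block the post uses (keeping both `src` and `dst` so the server's side of the flow is covered too), and inserts it into a copy of user.def directly above the `#endif /* ifndef IPV6_FLAVOR */` line. Assumptions not taken from the original: INSPECT accepts comma-separated `<first, last>` ranges inside one set, the user.def being patched ends with the two `#endif` lines shown in the post, and the addresses used below are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread, sk11088 or Check Point): generate the
# sk11088-style user.def block for specific destinations instead of a
# blanket range. Assumed INSPECT set syntax: { <first, last>, <first, last> }.

# Dotted quad -> 32-bit integer; fails on anything that is not four octets.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# "198.51.100.0/24" -> "198.51.100.0 198.51.100.255"; a bare host is a /32.
cidr_range() {
    ip="${1%/*}"
    case "$1" in */*) bits="${1#*/}" ;; *) bits=32 ;; esac
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    base=$(ip_to_int "$ip") || { echo "bad address: $1" >&2; return 1; }
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    first=$(( base & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# Emit the INSPECT block for the given hosts/prefixes. Both src and dst are
# matched, as in the post, so the reply direction of the flow is covered.
gen_non_syn_inspect() {
    ranges=""
    for dst in "$@"; do
        r=$(cidr_range "$dst") || return 1
        entry="<${r%% *}, ${r##* }>"
        ranges="${ranges:+$ranges, }$entry"
    done
    printf '/* Start of INSPECT modification - sk11088 */\n'
    printf 'net1={ %s };\n' "$ranges"
    printf 'deffunc user_accept_non_syn() {((src in net1) or (dst in net1)) };\n'
    printf '/* End of INSPECT modification */\n'
}

# Write a patched copy of user.def ($1 -> $2) with the block placed just above
# "#endif /* ifndef IPV6_FLAVOR */", where the post puts it. The original file
# is left untouched so the change can be diffed before the policy install.
patch_user_def() {
    src="$1"; out="$2"; shift 2
    snippet=$(gen_non_syn_inspect "$@") || return 1
    awk -v snip="$snippet" '
        /^#endif[[:space:]]*\/\*[[:space:]]*ifndef IPV6_FLAVOR/ && !done { print snip; done = 1 }
        { print }
    ' "$src" > "$out"
}

# Example run with constructed addresses (only when called with arguments):
#   ./gen-non-syn.sh user.def user.def.new 192.0.2.10 198.51.100.0/24
[ $# -ge 3 ] && patch_user_def "$@"
```

The generated `net1` for `192.0.2.10 198.51.100.0/24` is `{ <192.0.2.10, 192.0.2.10>, <198.51.100.0, 198.51.100.255> }`, which is the scope the question asked for, as opposed to the `<0.0.0.1, 239.255.255.255>` range in the original post that effectively switches the check off for all unicast traffic. After diffing `user.def.new` against the original and moving it into place, the change only takes effect once the policy is installed, and it should be paired with the investigation the thread insists on: the override belongs to the one application proved to violate TCP state, not to every destination that logs "First packet isn't SYN".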
