I had an emergency during an upgrade where I had to disable "Stateful Inspection" for TCP connections (for a short time).
If you only want to turn this off for a short time, the best way to do this is on the gateways on the fly.
Attention:
If you do this, it can have a problematic security effect on the gateways.
Here are the three solutions:
1) Via SmartConsole (read more in sk117374)
2) Or on the Management Server via INSPECT code
Add the following lines to user.def and install the policy (read more in sk11088):
//
// User defined INSPECT code
//
/* Start of INSPECT modification - sk11088 */
net1={ <0.0.0.1, 239.255.255.255> };
deffunc user_accept_non_syn() {((src in net1) or (dst in net1)) };
/* End of INSPECT modification */
#endif /* ifndef IPV6_FLAVOR */
#endif /* ifndef __user_def__ */
3) Or on the gateway on the fly (read more in sk117374):
expert mode# fw ctl set int fw_allow_out_of_state_tcp 1
Attention:
Never ever forget to turn it back on.
(Thanks @_Val_, good comment from you.)
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
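A guard for option 3, as an added example that is not part of the original post: it sets fw_allow_out_of_state_tcp to 1 for a fixed window and restores 0 on normal exit or interruption, reading the value back with `fw ctl get int` each time. The function names and the `FW` override variable are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the original post. Run in expert mode on the gateway.
PARAM=fw_allow_out_of_state_tcp
FW=${FW:-fw}   # assumption: overridable so the logic can be exercised off-box

# Current value of the kernel parameter; `fw ctl get int` prints "name = value".
get_state() {
    "$FW" ctl get int "$PARAM" 2>/dev/null | awk -F'= *' 'NF > 1 { print $2 + 0; exit }'
}

# Turn out-of-state TCP dropping back on and confirm the kernel took the value.
restore_state() {
    "$FW" ctl set int "$PARAM" 0 >/dev/null 2>&1
    [ "$(get_state)" = "0" ]
}

# open_window SECONDS: allow out-of-state TCP for SECONDS, then always restore.
# The traps cover Ctrl-C, a dropped SSH session (HUP) and normal shell exit.
open_window() {
    local secs=$1
    case "$secs" in
        ''|*[!0-9]*) echo "usage: open_window SECONDS" >&2; return 2 ;;
    esac
    trap 'restore_state' EXIT
    trap 'restore_state; exit 130' INT TERM HUP
    "$FW" ctl set int "$PARAM" 1 >/dev/null 2>&1
    if [ "$(get_state)" != "1" ]; then
        echo "could not set $PARAM" >&2
        restore_state || true
        trap - EXIT INT TERM HUP
        return 1
    fi
    echo "$(date '+%F %T') $PARAM=1 for ${secs}s"
    sleep "$secs"
    local rc=0
    restore_state || rc=$?
    trap - EXIT INT TERM HUP
    echo "$(date '+%F %T') $PARAM=$(get_state)"
    return "$rc"
}

# Example: open_window 300
```

Source the file and call `open_window 300` from a screen or console session; a non-zero return means the read-back did not show 0 and the gateway needs a manual check.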