
Fragmented packet with IPS(R80.10)

If fragmented packets reach a firewall with IPS activated, they get buffered.
This also increases the CPU load.
If the limit of the buffer is reached, newly received packets get dropped.

How can we check if packets get dropped because of this problem?
Are any statistics available to check if packets have been dropped before?
How can we check the buffer size that is configured?
Which parameters can be changed to increase the buffer size?

0 Kudos
2 Replies

Re: Fragmented packet with IPS(R80.10)

If the Inspection Setting/IPS Protection is configured to "log", you should see current and past drops in SmartLog. I think "IP Fragments" in Security Policy -> Inspection Settings should be the right place to configure this. You can also change the buffer size there. "fw ctl pstat" in expert mode gives you statistics about fragments, as does "netstat -s".

0 Kudos

Re: Fragmented packet with IPS(R80.10)

Check Point firewalls perform virtual defragmentation of IP packets; on R80.10 gateways and earlier, the virtual defragmentation must occur in the Firewall/F2F path. In R80.20 and later, fragmented packets are eligible for some acceleration by SecureXL. In R80.10 and later, virtual defragmentation is part of the Inspection Settings (IP Fragments) in the Access Control policy, so the IPS blade does not need to be enabled for this function to occur.

When the first frag is received, it is buffered until all fragments of the original packet have arrived. The firewall will wait up to 1 second by default (tunable in the IP Fragments Inspection Settings) for all fragments to arrive; if they don't all make it in time, all the buffered fragments are discarded, a "Virtual defragmentation error: Timeout, Failed to generate IP packet from fragments" error message is written to the log, and the Fragments...expired counter shown in the fw ctl pstat output is incremented. You can also see the "pkt is a fragment" counter get incremented by SecureXL in the output of fwaccel stats -p.

Once it has all the fragments, the firewall virtually reassembles the original packet and inspects it. Assuming it passes inspection and is not dropped for some reason, the original fragments are then sent on their way. If you are concerned about the CPU and logging overhead caused by the handling of fragments, you can simply forbid them, but please read all of the following from my book before doing so and make sure you understand the ramifications of what you are doing:


If the fragment numbers seem high, run this tcpdump command to see all fragmented
packets and figure out where they are coming from:

tcpdump -eni any '((ip[6:2] > 0) and (not ip[6] = 64))'


Any traffic appearing in this output is fragmented; notice that the -e option will also
show you the source MAC address of the entity that sent the fragmented packet to the
firewall, in order to help you trace the fragmented packet back to its origin. The only
way to correct this situation is to ensure a consistent MTU value is in use throughout
your internal and DMZ networks. In the real world when a large amount of internal
traffic is improperly fragmented, it is usually due to a misconfigured MTU on a router
somewhere. I’ve seen correcting an internal MTU issue such as this make a huge
difference in firewall performance. Of course there are situations where low MTUs are
legitimately present due to legacy private network connections to partners or vendors (i.e.
56Kbps lines, dialup lines & ISDN).


If you are concerned about fragments impacting the performance of the firewall, it is
possible to forbid IP fragments from crossing the firewall at all.


WARNING: If a large portion of your network’s legitimate production traffic is fragmented,
forbidding fragments on the firewall will cause a massive outage. Run the tcpdump
command mentioned earlier and MAKE SURE that you don’t have legitimate production
traffic in your network that is fragmented before you decide to try forbidding IP
fragments!


Fragments can be disabled in the R77.30 SmartDashboard under the IPS
tab...Protections...IP Fragments...(IPS Profile in use by your firewall)...Forbid IP
Fragments checkbox. In R80+ management the setting is located under “Inspection
Settings”.


"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
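The buffering, timeout and reassembly behaviour described in the reply above, together with the header fields the quoted tcpdump filter tests, as an added example that is not part of the original post and is not Check Point's own code. It is a toy model: the (src, dst, id, proto) key, the contiguity rule, the counters, the explicit `now` timestamps and all of the packets are constructed assumptions chosen to illustrate the mechanism, and the gateway's real implementation is not claimed to work this way internally.

```python
import struct
from dataclasses import dataclass, field
from socket import inet_aton

IP_MF, IP_DF, OFFSET_MASK = 0x2000, 0x4000, 0x1FFF   # layout of the flags/offset word
TIMEOUT_MSG = "Virtual defragmentation error: Timeout, Failed to generate IP packet from fragments"


def build_ipv4_header(src, dst, ident, proto, payload_len, offset_units, mf, df=False):
    """20-byte IPv4 header for constructed sample traffic (checksum left zero)."""
    flags_off = (IP_MF if mf else 0) | (IP_DF if df else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0, inet_aton(src), inet_aton(dst))


def is_fragment(header):
    """A packet is a fragment if More Fragments is set or the offset is non-zero."""
    return (struct.unpack_from("!H", header, 6)[0] & (IP_MF | OFFSET_MASK)) != 0


def matches_tcpdump_filter(header):
    """Literal port of the post's filter: (ip[6:2] > 0) and (not ip[6] = 64).
    ip[6] == 64 is the flags byte of a plain DF-only packet, which it excludes."""
    return struct.unpack_from("!H", header, 6)[0] > 0 and header[6] != 64


@dataclass
class Pending:
    first_seen: float
    frags: dict = field(default_factory=dict)   # byte offset -> payload
    total_len: int = -1                          # known once the MF=0 piece arrives


class VirtualDefrag:
    """Buffers fragments per (src, dst, id, proto); 'now' is passed in explicitly
    so the timeout behaviour is deterministic (assumed model, not the gateway's)."""

    def __init__(self, timeout=1.0):             # 1 s is the default quoted above
        self.timeout, self.pending, self.log = timeout, {}, []
        self.stats = {"fragments": 0, "reassembled": 0, "expired": 0}

    def _expire(self, now):
        for key, p in list(self.pending.items()):
            if now - p.first_seen > self.timeout:      # incomplete set timed out
                del self.pending[key]
                self.stats["expired"] += 1
                self.log.append(TIMEOUT_MSG)

    def receive(self, packet, now):
        """Return the whole or reassembled payload, or None while a set is incomplete."""
        self._expire(now)
        header, payload = packet[:20], packet[20:]
        if not is_fragment(header):
            return payload                             # whole datagram, no buffering
        self.stats["fragments"] += 1
        ident, flags_off = struct.unpack_from("!HH", header, 4)
        key = (header[12:16], header[16:20], ident, header[9])
        p = self.pending.setdefault(key, Pending(first_seen=now))
        offset = (flags_off & OFFSET_MASK) * 8
        p.frags[offset] = payload
        if not flags_off & IP_MF:
            p.total_len = offset + len(payload)
        # Complete only when the pieces tile [0, total_len) exactly; gaps, overlaps
        # and stray pieces keep the set pending until it times out.
        cursor = 0
        for off in sorted(p.frags):
            if off != cursor:
                return None
            cursor += len(p.frags[off])
        if cursor != p.total_len:
            return None
        del self.pending[key]
        self.stats["reassembled"] += 1
        return b"".join(p.frags[o] for o in sorted(p.frags))


def demo():
    """Constructed traffic: a three-piece datagram arriving out of order, a lone
    first fragment that never completes, and an unfragmented DF packet as control."""
    src, dst, udp = "10.1.1.10", "192.0.2.5", 17
    data = bytes(i % 256 for i in range(1200))
    pieces = [(0, data[:400], True), (50, data[400:800], True), (100, data[800:], False)]
    frags = [build_ipv4_header(src, dst, 0x1234, udp, len(pl), units, mf) + pl
             for units, pl, mf in pieces]
    lone = build_ipv4_header(src, dst, 0x1235, udp, 400, 0, True) + data[:400]
    whole = build_ipv4_header(src, dst, 0x1236, udp, 100, 0, False, df=True) + data[:100]
    fw, out = VirtualDefrag(timeout=1.0), {}
    out["last_first"] = fw.receive(frags[2], now=0.0)               # buffered
    out["then_first"] = fw.receive(frags[0], now=0.2)               # still a gap
    out["complete"] = fw.receive(frags[1], now=0.4) == data         # set closes
    out["lone_buffered"] = fw.receive(lone, now=0.5) is None
    out["pass_through"] = fw.receive(whole, now=2.0) == data[:100]  # also expires 'lone'
    out["filter_agrees"] = all(is_fragment(p[:20]) == matches_tcpdump_filter(p[:20])
                               for p in frags + [lone, whole])
    out["stats"], out["log"] = dict(fw.stats), list(fw.log)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the out-of-order set reassembling on the third piece, the lone fragment being discarded (and the timeout message logged) only when a later packet arrives more than a second after it, and the tcpdump filter agreeing with the flag/offset check on every constructed header, including the DF-only control packet that the `not ip[6] = 64` clause is there to exclude.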