minhhaivietnam
Collaborator

Meaning of flag in packet dropped

Hello Checkmate,

Please, who can tell me what the meaning of the flag below is:

This log says that this TCP session has timed out and the packet was dropped. But I'm not sure whether the RST-ACK/RST flag below is sent from the server, the client, or the firewall.

If it is from the firewall, is it sent to both sides (client and server)? And what is the purpose of sending this flag?

If it is from the server (or client), is the purpose to tell the other endpoint to close the connection?

Does a packet with this flag impact network performance?

THANKS A LOT!!!

 

 

 

 


Accepted Solutions
Timothy_Hall
Legend

Please see my post here for an explanation of what TCP flags in a log entry like this are significant, and which can be ignored:

https://community.checkpoint.com/t5/General-Topics/First-packet-isn-t-SYN/m-p/7021

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


4 Replies
minhhaivietnam
Collaborator

Thank you sir,

I've checked my firewall; it is configured to send an RST packet upon session expiration. So this is the reason I saw the RST flag in my log.

One more question about the RST-ACK flag in the first picture: I'm not sure where this flag comes from, or whether it is also generated by the firewall.

 

Thanks again!

 

 

 

 

 

G_W_Albrecht
Legend

Explain what? The referred article contains the complete picture - and how TCP connections work should be clear to you anyway...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Timothy_Hall
Legend

Looking at your screenshot it appears that BD_ originally initiated a connection to FO_ on destination TCP port 5703 and source port 53049.  BD_ appears to have originated the RST to FO_ (not the firewall itself), but it was blocked by the firewall since the connection was probably already dead on the firewall (i.e. no longer recorded in the connections state table).  As mentioned in my linked article this RST drop situation can generally be ignored since BD_ is quite aware that the connection is dead (it's sending a RST), the firewall is aware too (has no connections table entry), so it is now up to FO_ to figure out the connection is dead, but it may have already done so anyway.  No way to tell for sure about the state of FO_ here.

 

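The situation described in the reply above, as an added example that is not part of the original thread and not Check Point's implementation: a simplified stateful connection table with an idle timeout, showing why a RST sent by the client after the entry has expired is dropped as out of state. The IP addresses, the 3600-second timeout and all names in the code are constructed for illustration; only ports 53049 and 5703 come from the thread.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 3600  # seconds; assumed value, not taken from the thread


@dataclass
class StateTable:
    timeout: int = IDLE_TIMEOUT
    entries: dict = field(default_factory=dict)  # connection key -> last-seen time

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent key so replies match the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def expire(self, now):
        stale = [k for k, seen in self.entries.items() if now - seen > self.timeout]
        for k in stale:
            del self.entries[k]

    def inspect(self, now, src, sport, dst, dport, flags):
        """Return (verdict, reason) for one packet; flags is a set such as {"RST", "ACK"}."""
        self.expire(now)
        k = self.key(src, sport, dst, dport)
        if k in self.entries:
            if "RST" in flags:
                del self.entries[k]      # an endpoint tore the connection down
            else:
                self.entries[k] = now    # refresh the idle timer
            return "accept", "matches state table entry"
        if flags == {"SYN"}:
            self.entries[k] = now        # new connection (rulebase check omitted)
            return "accept", "new connection"
        return "drop", "no state table entry, first packet isn't SYN"


def replay(packets, table=None):
    table = StateTable() if table is None else table
    return [table.inspect(*p) for p in packets]


# Constructed sample traffic: BD opens a connection to FO, then goes idle.
BD, FO = "192.0.2.10", "198.51.100.20"
SAMPLE = [
    (0, BD, 53049, FO, 5703, {"SYN"}),
    (1, FO, 5703, BD, 53049, {"SYN", "ACK"}),
    (2, BD, 53049, FO, 5703, {"ACK"}),
    (4000, BD, 53049, FO, 5703, {"RST", "ACK"}),  # idle > timeout: entry is gone
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE, replay(SAMPLE)):
        print(pkt[0], sorted(pkt[5]), verdict, reason)
```
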
