Out of State TCP Check Behavior when Re-Enabled

Hello CheckMates Community,

We are in the process of refreshing our hardware and will be running the new Firewalls in parallel with the old.

For the cutover we are planning to simply change the routing currently pointed to Check Point Firewalls to the new Check Point Firewalls.

To reduce impact I was considering disabling Out of State TCP checks for the initial cutover, with the assumption that the Firewall would then build its session table without worrying about seeing the initial SYN, allowing the current active sessions to stay active. Once we confirmed everything was up and functional I was going to enable the Out of State checks.

My question is: Does the Firewall build the session table and then no longer care about Out of State Packets once a session is in the table, or, once re-enabled, will it simply drop all connections it never saw a TCP SYN for?

Regards,

Varul Leir


Re: Out of State TCP Check Behavior when Re-Enabled

Hi There!

Check Point supports Connectivity Upgrade (CU) as explained in sk107042. This means that if you are upgrading from an earlier release to R80.x, the state tables will be synchronized and there is no need to play with the out-of-state packets anymore.


Re: Out of State TCP Check Behavior when Re-Enabled

Except if you're changing hardware, CU won't be an option.

But: Once a connection is in the state table, changing the state of "Allow Out-of-State TCP" shouldn't drop existing connections (whether or not it saw the initial SYN).
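The behaviour described in this reply, as an added illustration that is not part of the thread and is not Check Point code: a small constructed model of a stateful TCP filter with an "allow out-of-state TCP" toggle. While the check is relaxed, a mid-stream ACK for a session the new firewall never saw the SYN for is learned into the state table; after the check is re-enabled, that learned entry keeps matching, so the existing connection survives, while a mid-stream packet for a connection that is not in the table is dropped. All addresses, ports and the three-flag simplification are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed model of stateful TCP inspection. It is NOT Check Point's
# implementation; it only reproduces the state-table semantics the reply
# describes: an entry, once present, is matched regardless of the toggle.

ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "ACK" or "FIN" (hypothetical simplification)


def conn_key(pkt: Packet) -> ConnKey:
    """Direction-independent key so replies match the same table entry."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    lo, hi = sorted([a, b])
    return (lo[0], lo[1], hi[0], hi[1])


@dataclass
class StatefulFilter:
    allow_out_of_state: bool = False
    table: Set[ConnKey] = field(default_factory=set)
    events: List[str] = field(default_factory=list)

    def process(self, pkt: Packet) -> str:
        k = conn_key(pkt)
        if k in self.table:
            # Known connection: accepted whatever the toggle says.
            if pkt.flags == "FIN":
                self.table.discard(k)
            return "accept"
        if pkt.flags == "SYN":
            # Normal three-way handshake start creates the entry.
            self.table.add(k)
            return "accept"
        if self.allow_out_of_state:
            # Relaxed mode: learn the session from a mid-stream packet.
            self.table.add(k)
            self.events.append(f"learned mid-stream {k}")
            return "accept"
        self.events.append(f"out-of-state drop {k}")
        return "drop"


def simulate_cutover() -> Dict[str, str]:
    """Walk through the cutover the thread describes and return verdicts."""
    fw = StatefulFilter(allow_out_of_state=True)  # relaxed for the cutover
    verdicts: Dict[str, str] = {}

    # Session A was established through the old firewall; the new one only
    # ever sees its ACKs (constructed addresses).
    a_client = Packet("10.1.1.10", 51000, "192.0.2.20", 443, "ACK")
    verdicts["existing_during_relaxed"] = fw.process(a_client)

    # Cutover confirmed: re-enable the out-of-state check.
    fw.allow_out_of_state = False
    verdicts["existing_after_reenable"] = fw.process(a_client)

    # Session B was also mid-stream but never sent a packet while relaxed.
    b_client = Packet("10.1.1.11", 51001, "192.0.2.20", 443, "ACK")
    verdicts["unseen_after_reenable"] = fw.process(b_client)

    # A brand-new session starting with SYN is still fine, including replies.
    c_syn = Packet("10.1.1.12", 51002, "192.0.2.20", 443, "SYN")
    verdicts["new_syn_after_reenable"] = fw.process(c_syn)
    c_reply = Packet("192.0.2.20", 443, "10.1.1.12", 51002, "ACK")
    verdicts["new_reply_after_reenable"] = fw.process(c_reply)

    verdicts["table_size"] = str(len(fw.table))
    return verdicts


if __name__ == "__main__":
    for name, verdict in simulate_cutover().items():
        print(f"{name}: {verdict}")
```

The practical reading for the cutover plan: the relaxed window only helps sessions that actually send a packet through the new firewall while the check is off; anything that stays silent until after re-enabling is treated as out of state, so the window should be long enough for idle-but-live sessions to show traffic.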


Re: Out of State TCP Check Behavior when Re-Enabled

Correct. I missed the HW change part. 🙂


Re: Out of State TCP Check Behavior when Re-Enabled

Thank you both for the responses.

This is how I assumed it functioned, but I wanted to confirm.

Lari,

The upgrade SK will come in handy down the road; much appreciated.
