Varul_Leir
Participant

Out of State TCP Check Behavior when Re-Enabled

Hello CheckMates Community,

We are in the process of refreshing our Hardware and will be running the new Firewalls in parallel with the old.

For the cutover we are planning to simply change the routing currently pointed to Check Point Firewalls to the new Check Point Firewalls.

To reduce impact I was considering disabling Out of State TCP checks for the initial cutover with the assumption that the Firewall would then build its session table without worrying about seeing the initial SYN, allowing the current active sessions to stay active. Once we confirmed everything was up and functional I was going to enable the Out of State checks.

My question is: Does the Firewall build the session table and then no longer care about Out of State Packets once a session is in the table or once re-enabled it will simply drop all connections it never saw a TCP SYN for?

Regards,

Varul Leir

0 Kudos
4 Replies
Lari_Luoma
Ambassador

Hi There!

Check Point supports Connectivity Upgrade (CU) as explained in sk107042. This means that if you are upgrading from an earlier release to R80.x the state tables will be synchronized and there is no need to play with the out-of-state packets anymore.

0 Kudos
PhoneBoy
Admin

Except if you're changing hardware, CU won't be an option.

But: Once a connection is in the state table, changing the state of "Allow Out-of-State TCP" shouldn't drop existing connections (whether or not it saw the initial SYN).

Lari_Luoma
Ambassador

Correct. I missed the HW change part. 🙂

0 Kudos
Varul_Leir
Participant

Thank you both for the responses. 

This is how I assumed it functioned but wanted to confirm.


Lari, 

The upgrade SK will come in handy down the road, much appreciated.

0 Kudos
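A toy model of the behavior described in the replies above, added here as an illustration; it is not code from the thread or from Check Point. The class `ToyStatefulFirewall`, its `drop_out_of_state` switch and the sample addresses are all hypothetical, and the model assumes a connection only enters the table when the firewall actually sees one of its packets, so it also shows that a session idle for the whole cutover window has no entry when the check is turned back on.

```python
from dataclasses import dataclass, field

SYN, ACK = "SYN", "ACK"

@dataclass
class ToyStatefulFirewall:
    """Simplified model (assumption, not vendor code): a connection table
    plus a switch that drops non-SYN packets with no matching entry.
    Ignores reply direction, timeouts and the rulebase."""
    drop_out_of_state: bool = True
    table: set = field(default_factory=set)

    def handle(self, conn, flag):
        # A packet matching an existing entry passes regardless of the switch.
        if conn in self.table:
            return "accept (existing entry)"
        # No entry: a SYN always opens one; a mid-stream packet opens one
        # only while the out-of-state check is disabled.
        if flag == SYN or not self.drop_out_of_state:
            self.table.add(conn)
            return "accept (new entry)"
        return "drop (out of state)"

def cutover_demo():
    """Walk through the planned cutover with constructed sample flows."""
    fw = ToyStatefulFirewall(drop_out_of_state=False)   # check disabled at cutover
    active = ("10.0.0.5", 40001, "192.0.2.10", 443)     # talks during the window
    idle = ("10.0.0.6", 40002, "192.0.2.10", 22)        # silent during the window
    fresh = ("10.0.0.7", 40003, "192.0.2.10", 443)      # opened after re-enable
    results = {}
    # Routing now points at the new firewall; it sees only mid-stream packets.
    results["active_during_window"] = fw.handle(active, ACK)
    # Everything looks healthy, so the out-of-state check is re-enabled.
    fw.drop_out_of_state = True
    results["active_after_reenable"] = fw.handle(active, ACK)
    results["idle_after_reenable"] = fw.handle(idle, ACK)
    results["fresh_syn_after_reenable"] = fw.handle(fresh, SYN)
    return results

if __name__ == "__main__":
    for step, verdict in cutover_demo().items():
        print(f"{step:26} {verdict}")
```

In this model the length of the window matters: re-enabling the check only after long-lived, low-traffic sessions have passed at least one packet keeps them in the table.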
