This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maciej_Krol
Participant
‎2020-05-28 08:31 AM

R80.30 and HFA 195 - TCP state logging stopped working

Hi,

after update from R80.30 HFA140 to R80.30 HFA195 I see that TCP state logging stopped working. In logs I see just “SYN sent” even if the TCP session is successful.

I tried to disable Secure XL (fwaccel off) and that resolves the issue. Problem is that in R80.30 option to disable SecureXl permanently simply doesn`t exist. Do you have any idea how to disable SecureXL permanently or have correct tcp state logging with SexureXL enabled? I would like to have working TCP state logging all the time which is crucial during quick troubleshooting basing on Smartlog (instead of packet capture). Thanks.

 

/BR

MK

 

 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2020-05-28 09:30 AM

We removed the ability to permanently disable SecureXL in R80.20.
If the solution to your problem involves disabling SecureXL, it's a bug and you should open a TAC case.
0 Kudos
Maciej_Krol
Participant
‎2020-05-28 09:37 AM
In response to PhoneBoy

Thank you for the quick reply PhoneBoy. I`ve opened a case 22nd of May (just after an upgrade), but unfortunately I have to say that support is not very responsive :\. Support "ping-pong" as usual, no quick hints at all. If you could help regarding this then I can provide you a service request number. Thanks!

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-28 01:15 PM
In response to Maciej_Krol

Can you send me the TAC SR in a PM?
I'll have someone look at it.
Maciej_Krol
Participant
‎2020-05-28 02:58 PM
In response to PhoneBoy

@PhoneBoy, I`ve sent the SR number in a PM, Thanks!

0 Kudos
_Val_
Admin
Admin
‎2020-05-29 12:34 AM

There are two options: 

sk162492 or sk104468

Maciej_Krol
Participant
‎2020-05-29 03:10 AM
In response to _Val_

Hi Valeri,

 

I`ve a quite simple scenario for testing this.  I`ve a tool which periodically does "telnet 1.2.3.4 443" over IPSEC tunnel to ensure that this is up. Source address is NAT`ed. The issue is very easy to replicate:

 

GW1> fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

 

Smartlog for the connection try:

Tcp State    Both FIN

 

GW1> fwaccel on
SecureXL device enabled.
GW1> fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

 

Smartlog for the connection try:

Tcp State    SYN sent

 

Of course after "fwaccel on" "telnet 1.2.3.4 443" is still successful, just Tcp State logging doesn`t show correct TCP state.

 

Case related to 1.2.3.4 is not just single address issue. When SecureXL is enabled we have problems with correct TCP state logging regarding many connections.

@_Val_ thank you for the suggestions. I`ve reviewed the SK`s.

sk162492

Disabling the SecureXL immediately resolves the issue which in my opinion confirms that there is bug in HFA195. In HFA140 TCP state logging worked correctly with SecureXL enabled.

sk104468

I would like to have correct TCP state logging for all traffic. I suspect that SecureXL exception for 0.0.0.0/0 is probably not a good idea?

 

 

 

0 Kudos
_Val_
Admin
Admin
‎2020-05-29 03:20 AM
In response to Maciej_Krol

1. If disabling acceleration fixed the issue, open TAC case at once.

2. No, not a good idea at all 🙂

Maciej_Krol
Participant
‎2020-05-29 03:42 AM
In response to _Val_

Sure, I opened a case just after upgrade to HFA195 on 22nd of May, but for now there is no resolution.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events