Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Christopher_Bar
Explorer

Seeing full 3-way handshake for connection that should be blocked

Hi there,

We had someone do a port scan and packet capture against our gateways from the internet. The report came back with a bunch of ports "open" for one of our IP addresses.

for one of the "open" ports - FTP (tcp 21) the packet capture clearly shows the 3-way TCP handshake completes but the firewall log shows the connection is dropped. The capture desnt show any RST from the gateway. The firewall log shows no traffic actually makes it to the server behind the firewall, but the connecting host sees TCP session establishment.

My question is, is it normal for the gateway to complete the TCP build-up before dropping the connection? I was under the impression first SYN from the connecting host was evaluated against the ruleset.

5 Replies
Nüüül
Advisor

Hi,

first, when ruleset says „drop“ there will be no RST. The firewall will just kind of ignore the packet. 

For RST you‘d need „Reject“ as action.

Maybe, some of these open ports are covered by the implicit rules. Do you have set „log implicit rules“ at the global properties?

Regarding the packet capture and 3way handshake we‘d need more information. What blades are on? Maybe someNAT or in place?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi Christopher Barnes,

I think it  works a prozesse or daemon on this port for example client authentication.

1) Look on this port. It should be port 21 in listen mode on gateway if necessary.

# netstat -npl |grep 21

Now you see the process bound to port 21. Now you can found the Check Point Processes and Daemons in this SK. That should give a clue what triggers the 3-way handshake.

2) Could be a UP Policy under R80.10 or R80.20.

3) Check which blades are on.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
PhoneBoy
Admin
Admin

What rule is allowing the traffic?

A screenshot of the rule and the generated log entry (with sensitive info obscured) might be helpful.

0 Kudos
Timothy_Hall
Champion
Champion

Is the Protocol Signature checkbox set on the FTP service as shown?  If so read the warning below:

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kishin_Fatnani
Participant

Right, if protocol signature is enabled, it will complete the handshake and look for the protocol signature in the subsequent data packets to complete the rulebase matching. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events