- Local User Groups
I am Dr. Dorit Dor
Ask Me Anything
Check Point for Beginners
Welcome to the
Working From Home
Review Check Point,
Win Apple AirPods!
You're Using It Wrong
We had someone do a port scan and packet capture against our gateways from the internet. The report came back with a bunch of ports "open" for one of our IP addresses.
for one of the "open" ports - FTP (tcp 21) the packet capture clearly shows the 3-way TCP handshake completes but the firewall log shows the connection is dropped. The capture desnt show any RST from the gateway. The firewall log shows no traffic actually makes it to the server behind the firewall, but the connecting host sees TCP session establishment.
My question is, is it normal for the gateway to complete the TCP build-up before dropping the connection? I was under the impression first SYN from the connecting host was evaluated against the ruleset.
first, when ruleset says „drop“ there will be no RST. The firewall will just kind of ignore the packet.
For RST you‘d need „Reject“ as action.
Maybe, some of these open ports are covered by the implicit rules. Do you have set „log implicit rules“ at the global properties?
Regarding the packet capture and 3way handshake we‘d need more information. What blades are on? Maybe someNAT or in place?
I think it works a prozesse or daemon on this port for example client authentication.
1) Look on this port. It should be port 21 in listen mode on gateway if necessary.
# netstat -npl |grep 21
Now you see the process bound to port 21. Now you can found the Check Point Processes and Daemons in this SK. That should give a clue what triggers the 3-way handshake.
2) Could be a UP Policy under R80.10 or R80.20.
3) Check which blades are on.
What rule is allowing the traffic?
A screenshot of the rule and the generated log entry (with sensitive info obscured) might be helpful.
Is the Protocol Signature checkbox set on the FTP service as shown? If so read the warning below:
CheckMates Break Out Sessions Speaker
CPX 2019 Las Vegas & Vienna - Tuesday@13:30
Right, if protocol signature is enabled, it will complete the handshake and look for the protocol signature in the subsequent data packets to complete the rulebase matching.