This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christopher_Bar
Explorer
‎2018-12-23 05:31 PM

Seeing full 3-way handshake for connection that should be blocked

Hi there,

We had someone do a port scan and packet capture against our gateways from the internet. The report came back with a bunch of ports "open" for one of our IP addresses.

for one of the "open" ports - FTP (tcp 21) the packet capture clearly shows the 3-way TCP handshake completes but the firewall log shows the connection is dropped. The capture desnt show any RST from the gateway. The firewall log shows no traffic actually makes it to the server behind the firewall, but the connecting host sees TCP session establishment.

My question is, is it normal for the gateway to complete the TCP build-up before dropping the connection? I was under the impression first SYN from the connecting host was evaluated against the ruleset.

5 Replies
Nüüül
Advisor
‎2018-12-24 12:45 AM

Hi,

first, when ruleset says „drop“ there will be no RST. The firewall will just kind of ignore the packet. 

For RST you‘d need „Reject“ as action.

Maybe, some of these open ports are covered by the implicit rules. Do you have set „log implicit rules“ at the global properties?

Regarding the packet capture and 3way handshake we‘d need more information. What blades are on? Maybe someNAT or in place?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2018-12-24 03:21 AM

Hi Christopher Barnes,

I think it  works a prozesse or daemon on this port for example client authentication.

1) Look on this port. It should be port 21 in listen mode on gateway if necessary.

# netstat -npl |grep 21

Now you see the process bound to port 21. Now you can found the Check Point Processes and Daemons in this SK. That should give a clue what triggers the 3-way handshake.

2) Could be a UP Policy under R80.10 or R80.20.

3) Check which blades are on.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin
Admin
‎2018-12-24 09:17 AM

What rule is allowing the traffic?

A screenshot of the rule and the generated log entry (with sensitive info obscured) might be helpful.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-12-24 02:02 PM

Is the Protocol Signature checkbox set on the FTP service as shown?  If so read the warning below:

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kishin_Fatnani
Participant
‎2018-12-27 09:15 AM
In response to Timothy_Hall

Right, if protocol signature is enabled, it will complete the handshake and look for the protocol signature in the subsequent data packets to complete the rulebase matching. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events