cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Seeing full 3-way handshake for connection that should be blocked

Hi there,

We had someone do a port scan and packet capture against our gateways from the internet. The report came back with a bunch of ports "open" for one of our IP addresses.

for one of the "open" ports - FTP (tcp 21) the packet capture clearly shows the 3-way TCP handshake completes but the firewall log shows the connection is dropped. The capture desnt show any RST from the gateway. The firewall log shows no traffic actually makes it to the server behind the firewall, but the connecting host sees TCP session establishment.

My question is, is it normal for the gateway to complete the TCP build-up before dropping the connection? I was under the impression first SYN from the connecting host was evaluated against the ruleset.

Tags (3)
5 Replies
Highlighted
Nüüül
Silver

Re: Seeing full 3-way handshake for connection that should be blocked

Hi,

first, when ruleset says „drop“ there will be no RST. The firewall will just kind of ignore the packet. 

For RST you‘d need „Reject“ as action.

Maybe, some of these open ports are covered by the implicit rules. Do you have set „log implicit rules“ at the global properties?

Regarding the packet capture and 3way handshake we‘d need more information. What blades are on? Maybe someNAT or in place?

0 Kudos

Re: Seeing full 3-way handshake for connection that should be blocked

Hi Christopher Barnes,

I think it  works a prozesse or daemon on this port for example client authentication.

1) Look on this port. It should be port 21 in listen mode on gateway if necessary.

# netstat -npl |grep 21

Now you see the process bound to port 21. Now you can found the Check Point Processes and Daemons in this SK. That should give a clue what triggers the 3-way handshake.

2) Could be a UP Policy under R80.10 or R80.20.

3) Check which blades are on.

Regards

Heiko

Admin
Admin

Re: Seeing full 3-way handshake for connection that should be blocked

What rule is allowing the traffic?

A screenshot of the rule and the generated log entry (with sensitive info obscured) might be helpful.

0 Kudos

Re: Seeing full 3-way handshake for connection that should be blocked

Is the Protocol Signature checkbox set on the FTP service as shown?  If so read the warning below:

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Seeing full 3-way handshake for connection that should be blocked

Right, if protocol signature is enabled, it will complete the handshake and look for the protocol signature in the subsequent data packets to complete the rulebase matching.