Hi Jerry Szpinak‌, yes it is googleble, but this situation is going to court, so I need as much information as possible from trusted source. But thanks Anyways

ah ok, I didn't know that it is about that serious, my apologize for a vague response then.

with regards to the official docs - please stick the the CP sk's as they'are vendor-specific well crafted documentation uses by the whole community and highly recognized within the network security landscape - if I were you and I was about to support the court-case I would definitely use the sk's mentioned earlier as a starting point.

when needed you can always use the wikipedia and cpug to support theoretical architecture of the SPI/DPI etc.

hope it helps and ... my 5 cents "poor ex-employee"   I wish him good luck  

Thanks. I guess that is what I am going to do.

Here is the picture, the circled options were unchecked.

If you click on the question mark in the upper right corner of this screen, you will see the online help that describes these options.

They are also described in the product documentation and SK. 

Note that these are the default settings for the circled options, so it's clear they were adjusted by someone else.

The following are my explanations of how these features work and should not be construed as "official documentation." 

Unlike TCP, which tracks connection state as part of the protocol, UDP does not.

If Accept Stateful UDP Replies for Unknown Services is ticked (or the "Accept replies" option in the service definition) the way we determine if a UDP packet is part of a valid session is if we see a response to it.

A response would depend on how the outgoing request is constructed.

Assume that I am host A talking to host B on UDP port X.

Host A would initiate that connection from source port Y via UDP to Host B to destination port X.

If Host B responds with a packet from source port X to Host A on destination port Y, then a "virtual session" is established.

Packets that come from Host A on source port Y Host B to destination port X and from Host B on source port X to host A will continue to be allowed until no packets are seen on this "session" for the UDP virtual session timeout.

Then the session will be closed.

Drop Out Of State TCP packets will drop TCP packets that appear to be unrelated to a connection seen by the Security Gateway.

For the gateway to consider a connection "seen" it must observe the three-way handshake that occurs when the TCP connection is established.

The initial SYN packet would be checked against the Access Policy.

Once the connection is established, the connection is tracked until it closes or the connection "times out" (no packets on the connection seen for the TCP timeout).

ICMP, similar to UDP, doesn't really have "state" associated with it.

That said, based on traffic that is permitted, you can infer what would be expected in terms of an ICMP response.

Provided such packets are sent within the ICMP virtual session timeout, they are permitted.

For example, if I permit an ICMP Echo Request (ping) through the gateway, you might expect to see an ICMP Echo Reply or ICMP Host/Network Unreachable message as a response.

An ICMP Host Unreachable or TTL Time Expired might be expected if I'm doing a traceroute somewhere.

This is not an exhaustive list, but it gives you an idea of what this option is intended for.

"Note that these are the default settings for the circled options, so it's clear they were adjusted by someone else." 

Yes, I found the logs in smartView tracker in the Management Tab.

Thank you Dameon Welch Abernathy‌ you save me big time. Much appreciated.