
TCP Fast Open

Hi,

I have recently been doing some research into the experimental TCP mechanism called 'TCP Fast Open'. I wondered how Check Point deals with this traffic? Does the traffic get dropped because it does not comply with the TCP 3-way handshake mechanism, because there is 'data' attached to the SYN?

I can see on the Internet that some other firewall vendors have some information/guidelines/suggestions on how 'they' deal with this feature/setting; are there any plans to create similar documentation for Check Point?

Thanks

Paul Norman

 

0 Kudos
4 Replies

Re: TCP Fast Open

Sorry, I have just realised I have posted this to the wrong board. Could it please be moved to the correct place?

0 Kudos
Admin

Re: TCP Fast Open

Not sure how the gateway would differentiate a legit TCP Fast Open from an illegitimate one, given the cryptographic nature of it.
I suspect (but don’t know for sure) that the initial SYN would be allowed, but until the three-way handshake completed, the data packets would be dropped due to “Out of State.”

Edit: it appears, per some TAC cases, that we will drop SYN packets that include data, which means TCP Fast Open won’t be supported.

0 Kudos
Ivory

RFC 7413 TCP Fast Open

Any support for RFC 7413 TCP Fast Open on Check Point firewalls?

0 Kudos
Admin

Re: RFC 7413 TCP fast open

Note I merged your question with another similar thread.
Short answer: it appears it is not supported since SYN packets with data (needed for TCP Fast Open) would be dropped.
0 Kudos
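
The replies above turn on whether a SYN carries data. As an added example (not Check Point code and not written by any poster in this thread), this Python parser takes a raw TCP segment and reports the two properties a stateful firewall would see: the RFC 7413 Fast Open option (option kind 34) and payload on a SYN. The sample segments, ports and cookie bytes are constructed, and `classify_segment` and `build_segment` are hypothetical names.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TFO = 0, 1, 34  # kind 34 = Fast Open (RFC 7413)
SYN, ACK = 0x02, 0x10

def classify_segment(seg: bytes) -> dict:
    """Inspect one raw TCP segment (TCP header + payload, no IP header)."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", seg[12:14])[0]
    hdr_len = (offset_flags >> 12) * 4        # data offset is in 32-bit words
    flags = offset_flags & 0x1FF
    if hdr_len < 20 or hdr_len > len(seg):
        raise ValueError("bad data offset")
    cookie = None
    opts, i = seg[20:hdr_len], 0
    while i < len(opts):                      # walk the kind/length/value options
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        if kind == TCP_OPT_TFO:
            cookie = opts[i + 2:i + opts[i + 1]]  # empty value = cookie request
        i += opts[i + 1]
    is_syn = bool(flags & SYN) and not flags & ACK   # client SYN, not SYN-ACK
    payload = len(seg) - hdr_len
    return {"syn": is_syn, "tfo_option": cookie is not None,
            "cookie_len": len(cookie) if cookie is not None else 0,
            "payload_len": payload,
            "syn_with_data": is_syn and payload > 0}

def build_segment(flags, options=b"", payload=b""):
    """Build a constructed sample segment (ports and sequence numbers are arbitrary)."""
    options += b"\x01" * (-len(options) % 4)  # pad options with NOPs to 32 bits
    off = (5 + len(options) // 4) << 12 | flags
    return struct.pack("!HHIIHHHH", 40000, 443, 1, 0, off, 65535, 0, 0) + options + payload

# Constructed samples: plain SYN, TFO cookie request, TFO SYN carrying data
PLAIN_SYN = build_segment(SYN)
TFO_REQUEST = build_segment(SYN, bytes([TCP_OPT_TFO, 2]))
TFO_DATA_SYN = build_segment(SYN, bytes([TCP_OPT_TFO, 10]) + b"\xaa" * 8, b"GET / HTTP/1.1\r\n\r\n")
```

Only the third sample sets `syn_with_data`, which is the case the thread says is dropped; the cookie-request SYN carries the option but no payload.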