pnorman821
Participant

TCP Fast Open

Hi,

I have recently been doing some research into the experimental TCP mechanism called 'TCP Fast Open'. I wondered how Checkpoint deals with this traffic? Does the traffic get dropped because it does not comply with the TCP 3 way handshake mechanism because there is 'data' attached to the SYN?

I can see on the Internet that some other firewall vendors have some information/guidelines/suggestions on how 'they' deal with this feature/setting; are there any plans to create similar documentation for Check Point?

Thanks

Paul Norman

 

0 Kudos
4 Replies
pnorman821
Participant

Sorry, I have just realised I have posted this to the wrong board - could it please be moved to the correct place?

0 Kudos
PhoneBoy
Admin

Not sure how the gateway would differentiate a legit TCP Fast Open from an illegitimate one, given the cryptographic nature of it.
I suspect (but don’t know for sure) that the initial SYN would be allowed but until the three way handshake completed, the data packets would be dropped due to “Out of State.”

Edit: it appears, per some TAC cases, that we will drop SYN packets that include data, which means TCP Fast Open won’t be supported.

0 Kudos
whitey
Explorer

Any support for RFC 7413 TCP fast open on Checkpoint Firewalls?

0 Kudos
PhoneBoy
Admin

Note I merged your question with another similar thread.
Short answer: it appears it is not supported since SYN packets with data (needed for TCP Fast Open) would be dropped.
0 Kudos
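
To see which SYNs in a capture would fall under the "SYN with data" drop described in the replies above, the sketch below parses a raw TCP segment and reports whether it is an initial SYN, whether it carries the RFC 7413 Fast Open option (kind 34), and whether it has a payload. It is an added example, not part of the thread and not Check Point code; the function names `classify_syn` and `build_syn` are hypothetical and the sample segments are constructed (checksum left at zero).

```python
import struct

TFO_KIND = 34  # TCP Fast Open option kind (RFC 7413)

def classify_syn(segment: bytes) -> dict:
    """Inspect one raw TCP segment (TCP header + payload, no IP header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    # Initial SYN of a handshake: SYN set, ACK clear
    is_syn = bool(off_flags & 0x02) and not off_flags & 0x10
    opts, i, cookie = segment[20:hdr_len], 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == TFO_KIND:
            cookie = opts[i + 2:i + length]   # empty cookie = cookie request
        i += length
    payload_len = len(segment) - hdr_len
    return {"syn": is_syn, "tfo": cookie is not None, "cookie": cookie,
            "data_on_syn": is_syn and payload_len > 0, "payload_len": payload_len}

def build_syn(options: bytes, payload: bytes = b"") -> bytes:
    """Constructed sample segment (hypothetical ports/sequence, zero checksum)."""
    options += b"\x01" * (-len(options) % 4)       # NOP-pad to 32-bit boundary
    off_flags = ((20 + len(options)) // 4 << 12) | 0x02
    hdr = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, off_flags, 65535, 0, 0)
    return hdr + options + payload

SAMPLES = {  # constructed inputs, not captured traffic
    "plain SYN (MSS only)": build_syn(b"\x02\x04\x05\xb4"),
    "TFO cookie request": build_syn(b"\x22\x02"),
    "TFO SYN with cookie and data": build_syn(b"\x22\x0a" + b"\xaa" * 8,
                                              b"GET / HTTP/1.1\r\n\r\n"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(name, classify_syn(seg))
```

Only the third sample has `data_on_syn` set; a cookie request carries the option but no payload, so it is a different case from the one the replies say is dropped.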
