This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ramawatar_Maury
Participant
‎2018-07-06 10:54 AM
Jump to solution

TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker

I have 5600 appliance running on Gaia R77.30 that is behind Sophos IPS and Sophos IPS is in bridge mode.

I am installing all latest hot fix but issue is still same some website is not accessible and in SmartView tracker that is showing TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" .@

 

1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2018-07-08 07:03 AM
In response to Ramawatar_Maury
Jump to solution

If I'm understanding your reply correctly, you are removing a Sophos firewall and trying to replace it with a Check Point.  The instant the Check Point is connected you will get a flurry of "out of state" messages, since all the existing connections at the time of replacement are not known to the Check Point, and by default will be dropped. 

You can blunt the impact of this replacement by unchecking "Drop out of state TCP packets" under Global Properties...Stateful Inspection and reinstalling policy to the firewall prior to the cutover.  Unchecking this box will cause the firewall to attempt to "resurrect" the existing connections back into the state table and allow them to continue.  You can also switch off the dropping of out of state TCP packets "on the fly" by running this command on the gateway: fw ctl set int fw_allow_out_of_state_tcp 1

Do not forget to recheck the "Drop out of state TCP packets" checkbox once the firewall replacement is complete and you have successfully executed your test plan.  This setting should not be left disabled!

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

5 Replies
Houssameddine_1
Collaborator
‎2018-07-06 01:51 PM
Jump to solution

You might need to start by traffic captures and check the traffic flow after that you might start looking at timers for tcp connection.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-07-06 02:29 PM
Jump to solution

Please see my response in the thread below for guidance about how to troubleshoot this message:

https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Ramawatar_Maury
Participant
‎2018-07-06 11:46 PM
In response to Timothy_Hall
Jump to solution

Dear Timothy

Thanks for your response i am trying all these step but issue is still same i am also trying to remove Sophos FW and terminate cable directly on  Checkpoint 5600 appliance unmark URL filtering blade create one policy that is source LAN destination any services any allow with log enable.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-07-08 07:03 AM
In response to Ramawatar_Maury
Jump to solution

If I'm understanding your reply correctly, you are removing a Sophos firewall and trying to replace it with a Check Point.  The instant the Check Point is connected you will get a flurry of "out of state" messages, since all the existing connections at the time of replacement are not known to the Check Point, and by default will be dropped. 

You can blunt the impact of this replacement by unchecking "Drop out of state TCP packets" under Global Properties...Stateful Inspection and reinstalling policy to the firewall prior to the cutover.  Unchecking this box will cause the firewall to attempt to "resurrect" the existing connections back into the state table and allow them to continue.  You can also switch off the dropping of out of state TCP packets "on the fly" by running this command on the gateway: fw ctl set int fw_allow_out_of_state_tcp 1

Do not forget to recheck the "Drop out of state TCP packets" checkbox once the firewall replacement is complete and you have successfully executed your test plan.  This setting should not be left disabled!

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
Ramawatar_Maury
Participant
‎2018-07-08 11:22 PM
In response to Timothy_Hall
Jump to solution

Dear Timothy 

Thanks for your response its work for me. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top