This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Herschel_Liang
Collaborator
‎2020-12-11 01:46 AM

TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop

Network diagram:

Internet                                       Production

Client behind FW     ---->         Border Router(NAT)   ---> CP --->  SFTP Server:TCP22

188.40.191.20                            (one map one)10.50.11.33                 10.30.7.201:22

 

Policy:

  S:10.50.11.33                 D:10.30.7.201                    service:ssh  &&  sshv2       Action:Allow

  S:10.30.7.0/24               D:any                                  service:any                            Action:Allow

 

Client(188.40.191.20) tries to access SFTP Server fail. connect time out.

But I just can see reverse direction logs as below:

Id: ac14481d-9b4b-f025-5fd3-32a26091001b
Marker: @A@@B@1607675798@C@2060526
Log Server Origin: 172.20.72.29
Time: 2020-12-11T08:49:38Z
Interface Direction: inbound
Interface Name: eth1-03
Id Generated By Indexer:false
First: true
Sequencenum: 1164
TCP packet out of state:Server to client packet of an old TCP connection
TCP Flags: SYN
Source: 10.30.7.201
Source Port: 22
Destination: 10.50.11.33
Destination Port: 12288
IP Protocol: 6
Action: Drop
Type: Connection
Policy Name: Standard
Policy Management: SmartCenter
Db Tag: {E8EF89A6-20F4-3044-91ED-72D3DD169570}
Policy Date: 2020-12-10T09:47:02Z
Blade: Firewall
Origin: ICDCFW-1
Service: TCP/12288
Product Family: Access
Logid: 1
Interface: eth1-03
Description: TCP/12288 Traffic Dropped from 10.30.7.201 to 10.50.11.33

 

Who can tell me why and how to solve it?

 

 

PCAP.zip
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-12-11 06:45 PM

Sounds the connection aged out of the connections table.
You can see if Smart Connection Reuse will help but I suspect a TAC case may be required: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Herschel_Liang
Collaborator
‎2020-12-13 07:14 PM
In response to PhoneBoy

Tried the sk24960 solution, but it seems it still exists.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2020-12-12 01:50 AM

There is dedicated service SFTP which should be used instead of ssh (or sshv2).

Not sure if relevant, but some services (like TFTP) are using ephemeral ports which are required to be opened on the firewall.

Kind regards,
Jozko Mrkvicka
Herschel_Liang
Collaborator
‎2020-12-12 02:06 AM
In response to JozkoMrkvicka

It seems that no SFTP dedicated service in CP.

PhoneBoy
Admin
Admin
‎2020-12-12 04:05 PM

Right, because FTP over SSH is still basically over port 22 and the traffic is encrypted the same as regular SSH.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events