Gongya_Yu
Collaborator

When does CPEarlyDrop occur with ACCEPT action?
Thanks!!

Accepted Solution

Bob_Zimmerman
Authority

This message means the firewall isn't the problem. It allowed the SYN, but the connection was closed for some other reason before the firewall could see the website or application being attempted.

This is almost always because the server didn't respond with a SYN-ACK.

9 Replies

emmap
Employee

I'm not aware of any situation in which we should 'early accept' a connection. Are you seeing accept logs that mention CPEarlyDrop?

Gongya_Yu
Collaborator

See the following. I might be misinterpreting it, but it is similar to CPEarly-something, right?

[Screenshot attachment: CPEarlyDrop.PNG]

Gongya_Yu
Collaborator

Does this log say the traffic is passing or not passing?

the_rock
Legend

All that tells you, in short, is that it's not really a Check Point issue; it's being allowed, but for some reason not fully completed.

the_rock
Legend

What @Bob_Zimmerman said is a PERFECT explanation, 100% the case.

Andy

Bob_Zimmerman
Authority

I did just think of a few ways the firewall could be to blame.

  1. If this connection depends on NAT (e.g., an internal client with a private address connecting out to a public website) and the firewall is not configured to NAT the traffic, that would manifest as drops like this. The SYN is allowed and sent out with a private source, which the telco's routers drop, so the SYN-ACK never gets back to the firewall.
  2. If the destination route is misconfigured leading to a routing loop between two other devices, the traffic would be lost, leading to no SYN-ACK from the server. I say a routing loop between other devices because if the firewall were involved in a routing loop, it produces a distinctive accept, drop, accept, drop pattern in the logs.

And at least one other way these messages may not indicate a problem at all:

  1. If the source is doing some kind of health check (e.g., a load balancer or a monitoring server checking the status of a service), that might only open a TCP connection then close it immediately. This typically isn't a good health check, but it's very common. Such a connection won't contain enough information for the firewall to determine what website or application is in use, so you will get this message.
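The diagnostic reasoning in the post above, as an added worked example that is not part of the original thread and not Check Point's own tooling: a script that groups packets captured on the gateway's external interface into client-to-server flows and labels each one with the cause the post describes (a private source leaving un-NATed, a SYN that never gets a SYN-ACK, or a handshake closed before any payload), plus a check for the alternating Accept/Drop log pattern the post attributes to a routing loop through the gateway. The packet list, the addresses, the log action strings and the function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample capture from the gateway's EXTERNAL interface (not real data).
# Fields: direction relative to the gateway, src, sport, dst, dport,
# TCP flags (S=SYN, A=ACK, F=FIN, R=RST, P=PSH), payload bytes, time (s).
PACKETS = [
    # Flow 1: SYN leaves with an RFC1918 source and nothing answers (NAT missing)
    ("out", "10.1.1.20", 50001, "203.0.113.10", 443, "S", 0, 0.00),
    ("out", "10.1.1.20", 50001, "203.0.113.10", 443, "S", 0, 1.00),
    ("out", "10.1.1.20", 50001, "203.0.113.10", 443, "S", 0, 3.00),
    # Flow 2: NATed SYN leaves, but the server or the path never returns a SYN-ACK
    ("out", "198.51.100.5", 50002, "203.0.113.20", 443, "S", 0, 0.00),
    ("out", "198.51.100.5", 50002, "203.0.113.20", 443, "S", 0, 1.00),
    # Flow 3: full handshake, then FIN before any payload (TCP-only health check)
    ("out", "198.51.100.5", 50003, "203.0.113.30", 80, "S", 0, 0.00),
    ("in",  "203.0.113.30", 80, "198.51.100.5", 50003, "SA", 0, 0.02),
    ("out", "198.51.100.5", 50003, "203.0.113.30", 80, "A", 0, 0.02),
    ("out", "198.51.100.5", 50003, "203.0.113.30", 80, "FA", 0, 0.03),
    # Flow 4: normal connection that carries data (enough for app identification)
    ("out", "198.51.100.5", 50004, "203.0.113.40", 443, "S", 0, 0.00),
    ("in",  "203.0.113.40", 443, "198.51.100.5", 50004, "SA", 0, 0.02),
    ("out", "198.51.100.5", 50004, "203.0.113.40", 443, "A", 0, 0.02),
    ("out", "198.51.100.5", 50004, "203.0.113.40", 443, "PA", 517, 0.03),
]

# Checked explicitly rather than via ipaddress's is_private, which also flags
# documentation ranges such as 203.0.113.0/24 used in the sample above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_flows(packets):
    """Group packets into client->server flows and label why each one could be
    logged as accepted without the firewall ever seeing the application."""
    flows = defaultdict(list)
    for direction, src, sport, dst, dport, flags, plen, _t in packets:
        # Normalise the key to (client, cport, server, sport) whatever the direction.
        key = (src, sport, dst, dport) if direction == "out" else (dst, dport, src, sport)
        flows[key].append((direction, flags, plen))

    verdicts = {}
    for key, pkts in flows.items():
        client_ip = key[0]
        syn_out = any(d == "out" and "S" in f and "A" not in f for d, f, _ in pkts)
        synack_in = any(d == "in" and "S" in f and "A" in f for d, f, _ in pkts)
        payload = sum(p for _, _, p in pkts)
        closed = any("F" in f or "R" in f for _, f, _ in pkts)

        if syn_out and is_rfc1918(client_ip):
            # A private source on the external side means no NAT rule matched;
            # upstream routers discard it, so no SYN-ACK can ever come back.
            verdicts[key] = "missing-nat"
        elif syn_out and not synack_in:
            verdicts[key] = "no-syn-ack"
        elif synack_in and payload == 0 and closed:
            verdicts[key] = "handshake-only"
        else:
            verdicts[key] = "data"
    return verdicts


def looks_like_routing_loop(actions, min_cycles=2):
    """True when one connection's log actions alternate Accept, Drop, Accept, Drop...
    (the pattern the post attributes to a routing loop involving the gateway;
    the action strings are assumed for this example)."""
    if len(actions) < 2 * min_cycles:
        return False
    return all(a == ("Accept" if i % 2 == 0 else "Drop") for i, a in enumerate(actions))


if __name__ == "__main__":
    for key, verdict in classify_flows(PACKETS).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict}")
    print("routing loop?", looks_like_routing_loop(["Accept", "Drop", "Accept", "Drop"]))
```

To use this on a real case, capture on the external interface (for example `tcpdump -nn -i <external interface> tcp`) and translate each line into the tuple shape above; that parsing step is left out here. A "missing-nat" verdict points at the NAT policy, "no-syn-ack" at the server or the path beyond the gateway, and "handshake-only" at a client that closes before sending anything, which is the health-check case where the log line is not a problem at all.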

the_rock
Legend

All valid points, for sure.

Gongya_Yu
Collaborator

Thanks to all!!
