This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ZaferGr
Participant
Participant
‎2024-05-15 11:55 PM
Jump to solution

first 8KB data are passing gateway

When Firewall are starting traffic with random port without access rule, we saw 3 way handshake and 8KB data are passing gateway. after 8kb traffic , check point gateway are blocking.

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2024-05-16 04:48 AM
In response to ZaferGr
Jump to solution

I am still trying to understand the original statement. You said, according to wireshark, 8kb of traffic passed. Where did you run the whireshark? Client side, server side, FW itself? There is not enough info to answer your question properly.

All I can say at this point, the traffic passed seems to be related to HTTPSi validation of the application to block. 

Other than TLS handshake (not TCP handshake which is part of communication, but should not be as big as 8K), no actual data should pass. TLS handshake only includes certificate validation and authentication.

View solution in original post

(1)
6 Replies
_Val_
Admin
Admin
‎2024-05-16 12:17 AM
Jump to solution

Product version, setup and policy details, protocot type?

0 Kudos
ZaferGr
Participant
Participant
‎2024-05-16 03:12 AM
In response to _Val_
Jump to solution

Hello Val,

 

That is a appliance on R81.10

And problem happened over app&url blade. 

For example, at the bottom you have the drop rule for Facebook. Above this rule there is http or https permission. Even if the firewall is dropped, when viewed with Wishark, the 8kb packet is seen to have passed. and this package may contain Iban information.

0 Kudos
_Val_
Admin
Admin
‎2024-05-16 03:21 AM
In response to ZaferGr
Jump to solution

IBAN on facebook? Are you serious?

Where do you do traces? On the client, or on the FW?

Also, you do realize that to discover an application with HTTPS Inspection in place, you do need to complete the TLS handshake, right?

0 Kudos
ZaferGr
Participant
Participant
‎2024-05-16 04:08 AM
In response to _Val_
Jump to solution

Just an example 😄 of course didn't on facebook. 

Yes TLS handshake was completed. But you can focus on why checkpoint passing first 8 kb packet.

It looks like a workflow of firewall. Maybe reason is related with Protocol signature. Do you have any idea? 

 

 
0 Kudos
_Val_
Admin
Admin
‎2024-05-16 04:48 AM
In response to ZaferGr
Jump to solution

I am still trying to understand the original statement. You said, according to wireshark, 8kb of traffic passed. Where did you run the whireshark? Client side, server side, FW itself? There is not enough info to answer your question properly.

All I can say at this point, the traffic passed seems to be related to HTTPSi validation of the application to block. 

Other than TLS handshake (not TCP handshake which is part of communication, but should not be as big as 8K), no actual data should pass. TLS handshake only includes certificate validation and authentication.

(1)
ZaferGr
Participant
Participant
‎2024-05-16 05:19 AM
In response to _Val_
Jump to solution

Thanks for answers Val 🙂 

Your last said include an answer for help me. 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events