Packets get drop

What is the reason for this happening?

;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 x.x.x.x:30730 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:30731 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 y.y.y.y:37020 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 y.y.y.y:37021 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;

Accepted Solutions

Re: Packets get drop

Stateful Inspection checks.

It means the first packet of a TCP session (proto=6) traversing the firewall isn't the synchronization packet (the first of the TCP three-way handshake), so because of this, the firewall drops the packet.

By default, Check Point Firewall is configured to drop out-of-state TCP packets (Global Properties -> Stateful Inspection -> Drop Out of state TCP Packets is checked).

You can completely disable the TCP out of state drops:

  1. By unchecking the option on Stateful Inspection and installing policy
  2. By adding an exception to Drop out of state TCP on Stateful Inspection and selecting the Firewall (also requires install policy).
  3. Executing the following command on the gateway in expert mode to disable on the fly: "fw ctl set int fw_allow_out_of_state_tcp 1" (does not survive a reboot).

You can follow this sk as workaround for allowing out of state packets to some traffic only: SmartView Tracker shows multiple logs for dropped 'TCP out of state' packets with various ... 

Regards
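
Added example (not part of the original post): before choosing between a global change and a scoped exception, it helps to see which source/destination pairs actually produce the "First packet isn't SYN" drops. The parser below follows the field layout of the log lines quoted in the question; the function names are hypothetical and the sample addresses are constructed.

```python
import re
from collections import Counter

# Field layout taken from the fw_log_drop_ex lines quoted in the question.
DROP_RE = re.compile(
    r";\[(?P<cpu>cpu_\d+)\];\[(?P<inst>fw\d+_\d+)\];fw_log_drop_ex: "
    r"Packet proto=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) dropped by (?P<func>\S+) "
    r"Reason: (?P<reason>[^;]+);"
)

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = """\
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:30730 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 192.0.2.10:30731 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 198.51.100.7:37020 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 198.51.100.7:37021 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_0];[fw4_0];some unrelated debug line;
"""


def parse_drops(text):
    """Return one dict per drop line; lines in any other format are skipped."""
    matches = (DROP_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def out_of_state_summary(text):
    """Count TCP first-packet state-check drops per (source, destination:port)."""
    counts = Counter()
    for d in parse_drops(text):
        # proto=6 is TCP; only the state check named in the question is counted.
        if d["proto"] == "6" and d["func"] == "fw_first_packet_state_checks":
            counts[(d["src"], f'{d["dst"]}:{d["dport"]}')] += 1
    return counts


if __name__ == "__main__":
    # A short list of pairs points to an exception for that traffic only;
    # a long, varied list is worth investigating before relaxing the check.
    for (src, dst), n in out_of_state_summary(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {dst}")
```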

9 Replies

Re: Packets get drop

Thank you for your explanation 

Sven_Glock
Silver

Re: Packets get drop

Is it possible that "2." is not supported for VSX in R80.10?

Admin
Admin

Re: Packets get drop

Not as far as I know.

What makes you think it isn't?

Sven_Glock
Silver

Re: Packets get drop

I tried it in an environment where only virtual systems are available.

Here I am not able to select a gateway when adding a new gateway to TCP Out of state exceptions...

Admin
Admin

Re: Packets get drop

Oh, you're talking about exceptions, which, true, might not be supported on a VS. 

Sven_Glock
Silver

Re: Packets get drop

Good to know, thanks Dameon!

Is there another way to disable stateful inspection on a single virtual system?

1. would impact other policies and 3. seems not to work with virtual systems, too.

Admin
Admin

Re: Packets get drop

You'll need to contact the TAC to see if you can get a hotfix for the following: Option to allow out of state packets per VS 

Sven_Glock
Silver

Re: Packets get drop

Hey Dameon,

thanks for this advice.

I will check this out and keep you posted.

Thanks

Sven