This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Albin_Petersson
Contributor
‎2019-12-17 01:57 AM

Clarification about connection persistence and SK115871

Helloes.

 

We have Rematch connections set in the options for Connection Persistence, on our gateway.

Snag_17310afe.png

 

 

 

 

 

 

 

 

 

We figured it would remove the "additional engines" alerts in the logs, but it hasn't really made any difference.

Snag_173128d7.png

 

 

When i read SK115871 it speaks of an additional option you can set in the firewalls, but could i get some clarification on what it actually means if it's turned off?

"Drop connection that were opened prior to policy installation and new policy can't be applied to them due to engines activated on the connection"

Would old connections be instantly dropped and unable to be renegotiated?

The bigger question would be why we still see so many alerts in the logs? it's been a while since we altered the setting for connection persistence and we figured they would ebb out.

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2019-12-17 04:35 AM

The SK article in question is related to a situation when you have advanced software blades: AC/URLf, AVI, Ani-Bot, Threat Emulation/Extraction, Content Awareness - enabled in your security policy.

 

Connection persistence filed is related to the classic FW security policy, where decision is simple, and the question is - what to do with the connections in progress that are no longer allowed by the new security policy. If you re-match, then connections that are now disallowed, will be dropped.

 

Now, let's say, you are moving from basic filtering to AC & Content awareness. Both SBs require streaming. For ongoing connections that you allow through connection persistence feature, streaming will fail, hence the log alert. 

The logic here is simple. Since building the full stream for ongoing connections is impossible, you can either accept them through the new policy (and alert about it), or drop, with up_rematch_accept_possible_action parameter mentioned in SK.

If you decide to drop, you are risking to break legitimate connections where stream is unavailable. 

0 Kudos
Benedikt_Weissl
Advisor
‎2019-12-17 04:41 AM

You are using AppControl/URL Filtering, right? AppControl works by scanning the first bytes of each new connection (SNI, HTTP-Header, etc) to detect the Application. Once you apply a new rulebase AppControl has to match old established connections to the new rules, but since the connection is already established its impossible to scan for certain markers e.g. the SNI Field. This is where the kernel parameter value "int up_rematch_accept_possible_action" comes in.


The SK says:

... "New" policy installation will trigger the rule base execution on the next packet, that will now require ‘Application Control' engine inspection on this connection in order to reach a final decision. This cannot be done for connections that are already open. The final action will be determined by the value of kernel parameter "up_rematch_accept_possible_action". Default value is "1", therefore the connection will be accepted."...

> Would old connections be instantly dropped and unable to be renegotiated?

Old connections would be dropped if you set int up_rematch_accept_possible_action to 0 and the firewall is unable to match them to a rule. I don't know what you mean by "renegotiated", but new connections should work provided they are allowed by the new rulebase.

> The bigger question would be why we still see so many alerts in the logs? it's been a while since we altered the setting for connection persistence and we figured they would ebb out.

You will see this alert for some time after a new policy has been installed because the gateway is trying to rematch old connections to a new rulebase.

0 Kudos
Albin_Petersson
Contributor
‎2019-12-17 05:47 AM
In response to Benedikt_Weissl

ok, then I understand better what it does.

Yes, we have AppControl/URLF. We actually have 2 near-identical rules, one where we would like to identify certain things with AppControl/URLF and one where we let through the rest with any as service.

 

with renegotiated I meant that the application would re-establish the session if it died. 

 

we've had this setting for at least 3 months and still see this error, so i don't feel like there should be any old connections left. But we can think about changing the fw parameter then. 

oddly enough this alert shows up a lot for normal microsoft-ds traffic. 

0 Kudos
_Val_
Admin
Admin
‎2019-12-17 05:54 AM
In response to Albin_Petersson

"Old connections" here means those which were crossing through FW before the last policy was installed. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events