Leandro_Nicolet
Contributor

Disabling 'out of state' checks between certain hosts

I've read that it's possible to disable 'out of state' checks between subnets and certain hosts using the user.def.X file, using something like the example below.

I'm ok with the version of the user.def file I should be using, but my challenge is I have 5 source ip's of which any could be used to communicate with 10 destination ip's. Not sure how to reflect that in the example below.

Any ideas ?

/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { ((dst = x.x.x.x) and (src = y.y.y.y)) or ((dst = y.y.y.y) and (src = x.x.x.x)) };
/* End of INSPECT modification */
21 Replies
G_W_Albrecht
Legend

I would rather ask myself why TCP is out of state - this is not a healthy status afaik!

Benjamin_Carrie
Collaborator

It is a pain but in my experience you have to write all the possible combinations ... In your case that is 50 different tuples.

As Gunther said, it might be better to look into why there are TCP packets out of state. Usually it is asymmetric routing, but I've seen very old applications cause this issue before (it seemed to be mainly legacy applications directly querying SQL servers).

Leandro_Nicolet
Contributor

Agreed, that is something that is being looked into, but an example of how it might look would be useful.

Timothy_Hall
Champion

In my experience, whether you need to do anything about "TCP out of state" messages depends on the specific TCP flags being reported in the log entry. Please see my post here:

https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
PhoneBoy
Admin

While I agree with the other comments, you may be able to also do something like the following (if I remember INSPECT correctly): 

deffunc user_accept_non_syn() { (dst in { a.b.c.d , e.f.g.h }, src in { i.j.k.l, m.n.o.p }) };
Leandro_Nicolet
Contributor

Would something like this work, or can you only use the 'deffunc' statement once, on one line?

(IPs changed) where 172 is the source communicating with multiple 192s:

/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { (((dst = 192.168.1.1) and (src = 172.16.1.1)) or ((dst = 192.168.1.1) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.2) and (src = 172.16.1.1)) or ((dst = 192.168.1.2) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.3) and (src = 172.16.1.1)) or ((dst = 192.168.1.3) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.4) and (src = 172.16.1.1)) or ((dst = 192.168.1.4) and (src = 172.16.1.1))) and (dport = 1521) };
/* End of INSPECT modification */

#endif /* ifndef __user_def__ */

PhoneBoy
Admin

No, because you're defining the function 4 times.

In my example, I showed you how you can define a list of source IPs and Destination IPs to compare.

You could theoretically add a port to it also. 

Note the comma is treated as an AND.

Leandro_Nicolet
Contributor

Thanks, got it. So one line defining both source and destination IPs, and that would ignore 'out of state' for any of the IPs in the source/dest below?

deffunc user_accept_non_syn() { (dst in { 192.168.1.2 , 192.168.1.3, 192.168.1.4, 192.168.1.5,etc... }, src in { 172.16.1.1, 172.16.1.2, 172.16.1.3, 172.16.1.4, 172.16.15  }) };

PhoneBoy
Admin

That looks correct.

That said, my INSPECT knowledge is a little rusty :)

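To make the two forms discussed above concrete, here is an added helper (not from the thread or from Check Point) that renders the one-line set form of user_accept_non_syn() for a list of sources, destinations and an optional port, and models which packets that exception would exempt from the out-of-state drop. The host lists, the Oracle port 1521 and the "and (dport = N)" wording are assumptions taken from the posts above; the generator also validates each address so a malformed entry is caught before the file is loaded.

```python
from ipaddress import ip_address
from itertools import product

# Constructed sample data: 5 source hosts, 10 destination hosts (not from the thread).
SRC_HOSTS = [f"172.16.1.{i}" for i in range(1, 6)]
DST_HOSTS = [f"192.168.1.{i}" for i in range(1, 11)]
ORACLE_PORT = 1521


def validate_hosts(hosts):
    """Raise ValueError on anything that is not a well-formed IP address."""
    for h in hosts:
        ip_address(h)  # raises ValueError on e.g. a missing octet
    return list(hosts)


def covered_pairs(src_hosts, dst_hosts):
    """Every (src, dst) tuple the set form covers in the src->dst direction.
    Its length is how many explicit 'or' clauses the tuple-by-tuple form needs."""
    return list(product(src_hosts, dst_hosts))


def render_user_def(src_hosts, dst_hosts, dport=None):
    """Emit a single deffunc in the set form from the thread.
    The comma between the two 'in' tests is an AND in INSPECT."""
    validate_hosts(src_hosts)
    validate_hosts(dst_hosts)
    body = "(dst in { %s }, src in { %s })" % (", ".join(dst_hosts), ", ".join(src_hosts))
    if dport is not None:
        # Port restriction as written in the earlier post (assumed syntax).
        body = "(%s and (dport = %d))" % (body, dport)
    return ("/* Start of INSPECT modification - sk11088 */\n"
            "deffunc user_accept_non_syn() { %s };\n"
            "/* End of INSPECT modification */" % body)


def skips_state_check(src, dst, dport, src_hosts, dst_hosts, port=None):
    """Model the predicate: is this packet exempt from the out-of-state drop?
    Only the src->dst direction is listed, so replies dst->src are not exempt
    unless the sets are also listed the other way round, as in the sk11088 sample."""
    in_sets = src in set(src_hosts) and dst in set(dst_hosts)
    return in_sets and (port is None or dport == port)


if __name__ == "__main__":
    print(render_user_def(SRC_HOSTS, DST_HOSTS, ORACLE_PORT))
    print("pairs covered:", len(covered_pairs(SRC_HOSTS, DST_HOSTS)))
```

Run it to see that the 5x10 lists produce 50 covered tuples from one deffunc, and that a packet in the reverse direction is not exempt.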
Vladimir
Champion

Or:

Leandro_Nicolet
Contributor

I tried this initially and it didn't work.

Vladimir
Champion

Huh... Dameon Welch-Abernathy, can you forward it to R&D to take a look at?

Leandro_Nicolet
Contributor

We are on R80.10 Management (take 154). The gateway I'm working with is a VS on R77.30.

Vladimir
Champion

Perhaps it is a factor, but I am not aware of this limitation.

Leandro_Nicolet
Contributor

I assumed it was a different check as 'out of state' checks can be turned off in global properties, but that's obviously global and not something I want to do globally.

Vladimir
Champion

Yeah, you can only narrow the global setting to a particular gateway, not the pair of hosts.

PhoneBoy
Admin

Not sure those exceptions are effective on pre-R80 gateways.

S_E_
Advisor

Hi,

It is a little bit confusing for me.

To exclude a network from 'out of state' checks, is the recommended approach via the user.def file or via the SmartConsole exception settings? Changing the file is not visible in SmartConsole and vice versa.

sk11088 points to user.def.

What is the correct approach, assuming an R80.40 environment?

Thanks

Best Regards

Timothy_Hall
Champion

Partially disabling out of state checks is located under Global Properties...Stateful Inspection...Drop out of state TCP packets...Exceptions, but that only allows you to disable out of state checks for an entire gateway, not for individual networks. Or are you referring to somewhere else in SmartConsole, such as Inspection Settings...Exceptions?

The only way I know of to disable out of state checks for specific networks/addresses is the user.def method.

S_E_
Advisor

Hi,

Thanks for the confirmation.

So user.def is the way to go for dedicated networks.

Thanks

Regards

Thomas_Eichelbu
Collaborator

Hello,

I have a nice example here:
exclude all TCP out of state between three LAN segments ...

/* Start of INSPECT modification - sk11088 - */
troublenet1={ <10.1.1.0, 10.1.1.255> };
troublenet2={ <10.2.1.0, 10.2.1.255> };
troublenet3={ <10.3.1.0, 10.3.1.255> };
deffunc user_accept_non_syn() {\
((src in troublenet1) and (dst in troublenet2)) or \
((src in troublenet1) and (dst in troublenet3)) or \
((src in troublenet2) and (dst in troublenet1)) or \
((src in troublenet2) and (dst in troublenet3)) or \
((src in troublenet3) and (dst in troublenet1)) or \
((src in troublenet3) and (dst in troublenet2)) };

/* End of INSPECT modification */

#endif /* ifndef IPV6_FLAVOR */
#endif /* __user_def__ */
