This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leandro_Nicolet
Contributor
‎2018-12-14 12:55 AM

Disabling 'out of state' checks between certain hosts

 I've read that it's possible to disabled 'out of state' check between subnets and certain hosts using the use.def.X using something like the example below.

I'm ok with the version of the user.def file I should be using, but my challenge is I have 5 source ip's of which any could be used to communicate with 10 destination ip's. Not sure how to reflect that in the example below.

Any ideas ?

/* Start of INSPECT modification - sk11088 */deffunc user_accept_non_syn() { ((dst = x.x.x.x) and (src = y.y.y.y)) or ((dst = y.y.y.y) and (src = x.x.x.x)) };/* End of INSPECT modification */
21 Replies
G_W_Albrecht
Legend
Legend
‎2018-12-14 01:04 AM

I would rather ask myself why TCP is out of state - this is not a healthy status afaik!

CCSE CCTE SMB Specialist
18568
Collaborator
‎2018-12-14 02:49 AM

It is a pain but in my experience you have to write all the possible combinations ... In your case that is 50 different tuples.

As Gunther said it might be might be better to look into why there are TCP packets out of state, usually it is asymmetric routing but I've seen before very old applications causing this issue (it seemed to be mainly legacy applications directly querying SQL servers).

0 Kudos
Leandro_Nicolet
Contributor
‎2018-12-14 03:32 AM

Agreed, that is something that is being looked into, but an example of how it might look would be useful.

0 Kudos
Timothy_Hall
Champion
Champion
‎2018-12-14 05:14 AM
In response to Leandro_Nicolet

In my experience, whether you need to do anything about "TCP out of state" messages depends on the specific TCP flags being reported in the log entry, please see my post here:

https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-14 06:08 AM

While I agree with the other comments, you may be able to also do something like the following (if I remember INSPECT correctly): 

deffunc user_accept_non_syn() { (dst in { a.b.c.d , e.f.g.h }, src in { i.j.k.l, m.n.o.p }) };
Leandro_Nicolet
Contributor
‎2018-12-14 06:16 AM
In response to PhoneBoy

Would something like this work or can you only use the 'deffunc' statement once on one line ?

(ip's changed) where 172 is the source communicating with multiple 192's ?

/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { (((dst = 192.168.1.1) and (src = 172.16.1.1)) or ((dst = 192.168.1.1) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.2) and (src = 172.16.1.1)) or ((dst = 192.168.1.2) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.3) and (src = 172.16.1.1)) or ((dst = 192.168.1.3) and (src = 172.16.1.1))) and (dport = 1521) };
deffunc user_accept_non_syn() { (((dst = 192.168.1.4) and (src = 172.16.1.1)) or ((dst = 192.168.1.4) and (src = 172.16.1.1))) and (dport = 1521) };
/* End of INSPECT modification */

#endif /* ifndef __user_def__ */

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-14 06:28 AM
In response to Leandro_Nicolet

No because you’re defining the function 4 times.

In my example, I showed you how you can define a list of source IPs and Destination IPs to compare.

You could theoretically add a port to it also. 

Note the comma is treated as an AND.

0 Kudos
Leandro_Nicolet
Contributor
‎2018-12-14 06:40 AM
In response to PhoneBoy

Thanks, got it so one line defining both source & destination ip's and that would ignore 'out of state' for any of the ip's in the source/dest below ?

deffunc user_accept_non_syn() { (dst in { 192.168.1.2 , 192.168.1.3, 192.168.1.4, 192.168.1.5,etc... }, src in { 172.16.1.1, 172.16.1.2, 172.16.1.3, 172.16.1.4, 172.16.15  }) };

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-14 08:34 AM
In response to Leandro_Nicolet

That looks correct.

That said, my INSPECT knowledge is a little rusty Smiley Happy

0 Kudos
Vladimir
Champion
Champion
‎2018-12-14 07:03 AM

Or:

0 Kudos
Leandro_Nicolet
Contributor
‎2018-12-14 07:06 AM
In response to Vladimir

I tried this initially and it didn't work.

0 Kudos
Vladimir
Champion
Champion
‎2018-12-14 07:13 AM
In response to Leandro_Nicolet

Huh... Dameon Welch-Abernathy‌, can you forward it to the R&D to take a look at.

0 Kudos
Leandro_Nicolet
Contributor
‎2018-12-14 07:18 AM
In response to Vladimir

We are on R80.10 Management (take 154). The gateway I'm working with is a VS on R77.30 

0 Kudos
Vladimir
Champion
Champion
‎2018-12-14 07:21 AM
In response to Leandro_Nicolet

Perhaps it is a factor, but I am not aware of this limitation.

0 Kudos
Leandro_Nicolet
Contributor
‎2018-12-14 07:27 AM
In response to Vladimir

I assumed it was a different check as 'out of state' checks can be turned off in global properties, but that's obviously global and not something I want to do globally.

0 Kudos
Vladimir
Champion
Champion
‎2018-12-14 07:30 AM
In response to Leandro_Nicolet

Yeah, you can only narrow the global setting to a particular gateway, not the pair of hosts.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-14 08:36 AM
In response to Vladimir

Not sure those exceptions are effective on pre-R80 gateways.

0 Kudos
S_E_
Advisor
‎2021-05-20 01:17 AM
In response to PhoneBoy

Hi,

it is a little bit confusing for me. 

To exclude a network from out of state' checks, is the recommended approach via user.def file or via SmartConsole exception settings? Changing the file is not visible in SmartConsole and vice versa.

sk11088 points to user.def

What is the correct approach assuming R80.40 environment?

Thanks

Best Regards

 

 

0 Kudos
Timothy_Hall
Champion
Champion
‎2021-05-20 12:13 PM
In response to S_E_

Partially disabling out of state checks is located under Global Properties...Stateful Inspection...Drop out of state TCP packets...Exceptions, but that only allows you to disable out of state checks for an entire gateway, not for individual networks.  Or are you referring to somewhere else in the SmartConsole such as Inspection Settings...Exceptions?

The only way I know of to disable out of state checks for specific networks/addresses is the user.def method.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
S_E_
Advisor
‎2021-05-25 11:13 PM
In response to Timothy_Hall

Hi,

thanks for confirmation.

So user.def is the way to go for dedicated networks.

Thanks

Regards

0 Kudos
Thomas_Eichelbu
Advisor
‎2021-06-01 11:16 PM

Hello,

i have a nice example here:
exlclude all TCP out of State between three LAN segments ... 

/* Start of INSPECT modification - sk11088 - */
troublenet1={ <10.1.1.0, 10.1.1.255> };
troublenet2={ <10.2.1.0, 10.2.1.255> };
troublenet3={ <10.3.1.0, 10.3.1.255> };
deffunc user_accept_non_syn() {\
((src in troublenet1) and (dst in troublenet2)) or \
((src in troublenet1) and (dst in troublenet3)) or \
((src in troublenet2) and (dst in troublenet1)) or \
((src in troublenet2) and (dst in troublenet3)) or \
((src in troublenet3) and (dst in troublenet1)) or \
((src in troublenet3) and (dst in troublenet2)) };

/* End of INSPECT modification */

#endif /* ifndef IPV6_FLAVOR */
#endif /* __user_def__ */




0 Kudos