This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gil_Lim
Explorer
‎2025-01-29 02:48 PM

Firewall Logs analysis.

Hi All,

I would like to confirm that follow traffic is the same TCP session.

The traffic is dropped because the connection table is not synced (Blades 1 to 6) SYN-ACK packet received on member Id 2-4

 

the first traffic Accepted on PRT-VS1-TRUST-EXT as below;

Src: nsh-sci-02 (10.100.229.52) s_port: 65253 dst: 10.136.96.24 d_port:20001 -25 Jan 25, 3:53:29 a.m.

vs1.png

the traffic Accepted  next FW PRT-VS2-TRUST-InT-IAAS as below;

Src: nsh-sci-02 (10.100.229.52) s_port: 65253 dst: 10.136.96.24 d_port:20001 on Member Id: 2_ 2 -25 Jan 25, 3:53:29 a.m.

vs1-accept.png

then traffic dropped on PRT-VS2-TRUST-InT-IAAS, Member Id 2_4 was dropped packet at 25 Jan 25, 3:56:42 a.m.

vs2-dropped.png

due to 3 minutes time differece Accect(25 Jan 25, 3:53:29 a.m.) and drop(25 Jan 25, 3:56:42 a.m.), someone advised that it might not be the same TCP session.

Are there any ways to confirm that this is the same TCP connection establishment travering different firewalls ?

marker.png

 

 

 

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2025-01-29 07:33 PM

Likely will require tcpdumps on both gateways to correlate the packets.

0 Kudos
Amir_Senn
Employee
Employee
‎2025-01-30 08:50 AM

I suggest you enable "Per Session" on relevant rule.

Capture.PNG

 

This will create a session log for every session and you can see all relevant connection logs related by either:

a. Selecting the session log in logs view and select "Connections" in the lower pane.

b. By clicking on the session button on the connection log itself:

Capture2.PNG

Kind regards, Amir Senn
(1)
the_rock
Legend
Legend
‎2025-01-30 11:26 AM
In response to Amir_Senn

Excellent advice...I always keep forgetting about it, but it definitely helps.

Andy

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2025-01-30 11:22 AM

The only way to be sure is indeed packet captures. Open them in Wireshark and analyse from their. 

But if I see the logs it looks indeed the same traffic. Only time is a bit weird. Maybe some log delay?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-01-30 11:57 AM

With a packet capture, yes you could establish if that was the same packet but on different firewalls.  For a TCP-oriented connection the sequence and ACK numbers would match; you could also confirm by seeing if the IP ID header field is the same.  For non-TCP connections all you have to look at is the IP ID and maybe some checksums to see if they are identical.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
the_rock
Legend
Legend
‎2025-01-30 01:05 PM

To help out with the captures, here is great site my colleague built over the years.

Andy

https://tcpdump101.com/#

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events