Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ED
Advisor

Inspection settings TCP related

Hi everyone,

R80.30 environment. Firewall is set to drop out of state TCP packets. 

I see a lot of logs for TCP related packets. For these:

Manage & settings -> Blades -> General -> Inspection settings -> filter for tcp

 
 

image.png

 

 

 

 

 

 

 

Like these logs:

Name: Streaming Engine: TCP Invalid Checksum

Information: Invalid checksum. Packet dropped.

---------------------------------------------------------------------------------------------------------

Name: Streaming Engine: TCP Segment Limit Enforcement

Information: TCP segment out of maximum allowed sequence. Packet dropped.

 

---------------------------------------------------------------------------------------------------------

 

Name: Streaming Engine: TCP Invalid Retransmission

Information: Invalid segment retransmission. Packet dropped.

 

---------------------------------------------------------------------------------------------------------

 

Name: Streaming Engine: TCP anomaly detected

Information: Non-compliant TCP packets coming from multiple external sources were detected. This may result from potential network configuration problem

--------------------------------------------------------------------------------------------------------------

 

Could someone care to explain me what the underlying problem might be here overall? What to troubleshoot? 

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

I believe most of these checks fall into the "enforcing RFC compliance" bucket.
These are usually application-specific errors.
0 Kudos
Lari_Luoma
Employee
Employee

Out of state TCP packets are usually result of asymmetric routing or timed out connections.

TCP-settings that you asked about are part of Inspection Settings component in R80.x. Some of those were IPS protections in previous versions.

Inspection Settings are preset configuration settings impacting lower levels of NGTP enforcement engine (streaming engine) and are enforced independently of the Threat Prevention Software Blades. Many of these protections are "well-known" like Non-compliant HTTP or DNS. They are are also mostly RFC compliance checks. Changing the default values might impact performance and the security enforcement of your gateway. 

Before changing these in production, make sure you really know what you are doing that you won't cause any issues in your network!

As Phoneboy mentioned if you see a lot of drops/logs based on inspection settings, most likely culprit is the application. Some applications might not follow the RFC causing your gateway to drop this traffic. If you know that this is a known behavior for certain application and you trust that the traffic is benign, you can change the value to accept.

There is a dedicated profile for inspection settings that is assigned per gateway installed together with the access control policy. I would take the default profile, clone it and then change values for only protections you are sure of not causing any issues.

 

EDIT: You actually cannot clone an inspection settings profile, but just create a new profile (with default settings) that you can modify.

0 Kudos