Hello community,
there are various timeouts set for the firewall state machine in global properties of the management domain.
- TCP start
- TCP session
- TCP end
- UDP virtual session
- ICMP virtual session
- Other IP virtual session
- SCTP start
- SCTP session
- SCTP end
I know that we can override the session timeouts for TCP, UDP, ICMP, other IP and SCTP by modifying the advanced properties of the service object used in the relevant firewall rule.
I have a specific use case, where I want to override the TCP start timeout, without changing it for all gateways in this management domain. Override per gateway would be nice, override per service object even better.
As far as I know, this is not possible. Am I right with that? Does anyone know a way to do so?
R80.30 T200 Jumbo HFA T50
Thank you for your thoughts!
Actually it is possible to locally override the TCP start and end timeouts out on the gateway with the following kernel variables:
tcp_local_start_timeout
tcp_local_end_timeout
These are mentioned here:
There is very little documentation for these variables outside of the fact that they exist. The default value of both variables is 0, which I assume means that these values are inherited from the corresponding Stateful Inspection settings that are part of the SMS/Domain/CMA. I would also assume that setting these to a nonzero value overrides that, and that the units to use with these variables are seconds. I suppose it could be milliseconds though, so I would strongly advise getting this clarified with TAC or trying it in a lab first before tampering with these variables on a production firewall. If the units do happen to be milliseconds, setting these variables to 1 would probably cause a major outage.
There does not seem to be a way to locally override the start and end timeout variables for individual service objects that I can see.
Thank you, Tim!
I will ask TAC referring to this sk and share the answer here later.
I got the confirmation from TAC.
Quote:
These values are in seconds and you need to change it for all the gateway individually.
Note: Please change the values in lean hours.
Maybe you guys know it, but TAC failed to tell us, and sk33285 (and sk26202) don't drop a hint either, so I want to share this:
Changing this kernel parameter requires an access policy install on this gateway to take effect.
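The per-gateway procedure the thread arrives at (value in seconds, set on each gateway, then an access policy install), as an added example that is not part of the original posts and not Check Point's own code. It assumes these variables behave like other integer kernel parameters, i.e. that `fw ctl set int` / `fw ctl get int` and the persistence file `$FWDIR/boot/modules/fwkern.conf` apply to them; the function names and the value 40 are constructed for illustration.

```shell
#!/bin/sh
# Added example: run on the gateway itself, in expert mode.

# Write NAME=VALUE into a fwkern.conf-style file, replacing any earlier
# entry for NAME so repeated runs never leave duplicates behind.
set_fwkern_param() {
    conf=$1; name=$2; value=$3
    # Only the two variables named in the thread are accepted.
    case $name in
        tcp_local_start_timeout|tcp_local_end_timeout) ;;
        *) echo "refusing unknown variable: $name" >&2; return 1 ;;
    esac
    # TAC confirmed the unit is seconds; accept whole numbers only.
    case $value in
        ''|*[!0-9]*) echo "value must be whole seconds: $value" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || : > "$conf" || return 1
    cp -p "$conf" "$conf.bak" || return 1      # rollback copy
    # awk re-emits every other line with a trailing newline, so the
    # appended entry can never be glued onto an unterminated last line.
    awk -v n="$name" '$0 !~ ("^[ \t]*" n "[ \t]*=") { print }' \
        "$conf.bak" > "$conf" || return 1
    printf '%s=%s\n' "$name" "$value" >> "$conf"
}

# Persist the override, change the running kernel value, and print it back.
# Assumption: fw ctl set/get int works for these variables.
override_timeout() {
    set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" "$1" "$2" || return 1
    fw ctl set int "$1" "$2" && fw ctl get int "$1"
}

# Example call on a gateway (40 is a constructed value, in seconds):
#   override_timeout tcp_local_start_timeout 40
# Afterwards install the access policy on this gateway; per this thread
# the new value does not take effect until that is done.
```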