Hi mates,
have another question about healthcheck result.
+-----------------------+-------------------------------+---------------+
| Fragments | Fragments | WARNING |
+-----------------------+-------------------------------+---------------+
In the report, I don't see exactly what check delivers this warning (or I am too blind to see) and what's the threshold for triggering this warning.
Any ideas?
BR
Vincent
Hi Vincent,
If we look at the bash script I think it is this section we are looking for:
#Fragments check
check_fragmentation()
{
    #Reset counters and start log
    summary_error=0
    test_output_error=0
    current_check_message="# Fragments Checks:"
    #Collect expired and failure numbers from "fw ctl pstat"
    all_fragments=$(fw ctl pstat | grep -A2 Fragments | grep -v Fragments)
    current_expired=$(echo $all_fragments | awk '{print $5}')
    current_failures=$(echo $all_fragments | awk '{print $13}')
    printf "| Fragments\t\t| Fragments\t\t\t|" | tee -a $output_log
    #Display warning messages if failures or expired packets are detected
    if [[ $current_failures -ne 0 || $current_expired -ne 0 ]]; then
        check_failed
        printf "Fragments,Fragments,WARNING,\n" >> $csv_log
        if [[ $current_failures -ne 0 ]]; then
            printf "Failures – denotes the number of fragmented packets that were received that could not be successfully re-assembled.\n\n" >> $logfile
        fi
        if [[ $current_expired -ne 0 ]]; then
            printf "Expired – denotes how many fragments were expired when the firewall failed to reassemble them in a 20 seconds time frame or when due to memory exhaustion, they could not be kept in memory anymore.\n\n" >> $logfile
        fi
    #(the remainder of the function was not quoted in the post; closed here so the excerpt parses)
    fi
}
So this means that the command "fw ctl pstat" is issued to deliver you this information. And there are failures / expired packets detected.
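As an added example (my own, not Jelle's code and not the healthcheck script or anything from Check Point), here is the same pipeline run against a constructed excerpt laid out like the Fragments block of fw ctl pstat. It shows which words the awk field numbers 5 and 13 land on, and that the trigger condition is simply any non-zero expired or failures counter. The numbers in the sample are made up; on a real gateway you would pass the live output in with fragment_status "$(fw ctl pstat)".

```shell
#!/bin/sh
# Added example: reproduce the healthcheck's Fragments test on captured text.
# SAMPLE_PSTAT is a constructed excerpt in the layout of the "Fragments:" block
# of "fw ctl pstat"; the values are invented for illustration.
SAMPLE_PSTAT='
Fragments:
       1083130 fragments, 523485 packets, 37 expired, 0 short,
       0 large, 0 duplicates, 2 failures
'

# A second constructed sample with nothing to report.
SAMPLE_CLEAN='
Fragments:
       0 fragments, 0 packets, 0 expired, 0 short,
       0 large, 0 duplicates, 0 failures
'

# Print "<expired> <failures>" from the text given as $1, using the same
# grep/awk pipeline as the healthcheck: take the two lines after the
# "Fragments:" heading, drop the heading itself, flatten them to one line
# (unquoted echo) so the field positions are stable:
#   $1 fragments $3 packets $5 expired $7 short $9 large $11 duplicates $13 failures
fragment_counters() {
    all_fragments=$(printf '%s\n' "$1" | grep -A2 Fragments | grep -v Fragments)
    echo $all_fragments | awk '{print $5, $13}'
}

# Apply the healthcheck's rule: any non-zero expired or failures count is a
# WARNING. Prints the verdict and returns 1 on WARNING so it can drive a cron
# job or monitoring check.
fragment_status() {
    counters=$(fragment_counters "$1")
    expired=${counters% *}
    failures=${counters#* }
    if [ "$failures" -ne 0 ] || [ "$expired" -ne 0 ]; then
        printf 'WARNING (expired=%s failures=%s)\n' "$expired" "$failures"
        return 1
    fi
    printf 'OK (expired=%s failures=%s)\n' "$expired" "$failures"
    return 0
}

# Stand-alone demo on the two constructed samples.
fragment_status "$SAMPLE_PSTAT" || :   # non-zero exit marks the WARNING
fragment_status "$SAMPLE_CLEAN"
```

Note that the counters in fw ctl pstat are cumulative since the last reboot or reset, so a handful of expired fragments on a long-running gateway will trigger the WARNING just as a burst would; compare two readings a few minutes apart before treating it as a live problem.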
Hello Jelle,
you are absolutely right. Shame on me for not looking into the script myself ☹
Best
Vincent
Edit 7/15/2019: Packets arriving at the firewall that are fragmented can potentially be accelerated starting in gateway version R80.20.
Fragments are not the end of the world but should be investigated because they cannot be accelerated at all by SecureXL. Here is an excerpt from my book discussing them:
If you suspect fragmentation is occurring, we can confirm this from the firewall using
various tools. There is very little you can do about fragmented packets arriving from the
Internet (unless your organization’s own Internet perimeter router is the one doing the
fragmenting), but you should try to avoid this situation on any networks under your
administrative control. To figure out how many fragments the firewall is receiving, run
these commands:
fw ctl pstat
fwaccel stats -p
If the fragment numbers seem high, run this tcpdump command to see all fragmented
packets and figure out where they are coming from:
tcpdump -eni any '((ip[6:2] > 0) and (not ip[6] = 64))'
Any traffic appearing in this output is fragmented; notice that the -e option will also
show you the source MAC address of the entity that sent the fragmented packet to the
firewall, in order to help you trace the fragmented packet back to its origin. The only
way to correct this situation is to ensure a consistent MTU value is in use throughout
your internal and DMZ networks. In the real world when a large amount of internal
traffic is improperly fragmented, it is usually due to a misconfigured MTU on a router
somewhere. I’ve seen correcting an internal MTU issue such as this make a huge
difference in firewall performance.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
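To make clear what the tcpdump filter in the excerpt above actually selects, here is an added example (mine, not from Tim's book or anything on this page) that evaluates the same expression on constructed IPv4 headers. ip[6:2] is the 16-bit flags/fragment-offset field (reserved bit 15, DF at bit 14, MF at bit 13, fragment offset in 8-byte units in the low 13 bits), and ip[6] = 64 is a first byte of 0x40, i.e. DF set and nothing else. The header hex strings are made up for illustration (checksums are not computed). The example also shows one corner case worth knowing: a header with DF set and a non-zero offset is invalid, but the filter drops it because its first byte is still 64.

```shell
#!/bin/sh
# Added example: evaluate tcpdump's '((ip[6:2] > 0) and (not ip[6] = 64))'
# on IPv4 headers supplied as hex strings. Headers below are constructed
# (20-byte headers, bytes 6-7 carry the flags/fragment-offset field).
HDR_NONE='4500005c1c4600004001e4fc0a0000010a000002'    # 0x0000: not fragmented
HDR_DF='4500005c1c4640004001e4fc0a0000010a000002'      # 0x4000: DF only
HDR_MF='4500005c1c4620004001e4fc0a0000010a000002'      # 0x2000: MF, first fragment
HDR_LAST='4500005c1c4600b94001e4fc0a0000010a000002'    # 0x00b9: last fragment, offset 1480
HDR_DF_OFF='4500005c1c4640b94001e4fc0a0000010a000002'  # 0x40b9: DF plus offset (invalid)

# Byte N (0-based) of a hex string, as a decimal number.
hex_byte() {
    _start=$(( $2 * 2 + 1 ))
    _hex=$(printf '%s' "$1" | cut -c "${_start}-$(( _start + 1 ))")
    echo $(( 0x$_hex ))
}

# Return 0 when the header would be printed by the tcpdump filter above:
# the whole 16-bit field is non-zero and the first byte is not exactly 0x40.
frag_filter_match() {
    b6=$(hex_byte "$1" 6)
    b7=$(hex_byte "$1" 7)
    field=$(( (b6 << 8) | b7 ))
    [ "$field" -gt 0 ] && [ "$b6" -ne 64 ]
}

# Decode the same field for a readable report: "DF=x MF=y offset=<bytes>".
frag_describe() {
    b6=$(hex_byte "$1" 6)
    b7=$(hex_byte "$1" 7)
    field=$(( (b6 << 8) | b7 ))
    df=$(( (field >> 14) & 1 ))
    mf=$(( (field >> 13) & 1 ))
    offset=$(( (field & 0x1FFF) * 8 ))
    printf 'DF=%d MF=%d offset=%d' "$df" "$mf" "$offset"
}

# Stand-alone demo over the constructed headers.
for h in "$HDR_NONE" "$HDR_DF" "$HDR_MF" "$HDR_LAST" "$HDR_DF_OFF"; do
    if frag_filter_match "$h"; then verdict=match; else verdict=no-match; fi
    printf '%-9s %s\n' "$verdict" "$(frag_describe "$h")"
done
```

The two matched cases (MF set, or a non-zero offset) are exactly the packets that cannot be reassembled without buffering state on the gateway, which is why the book excerpt points you at them; the DF-only case is the normal, non-fragmented packet that would otherwise flood the capture.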
I would like to add to this that sometimes it's not in your power to adjust the MTU to satisfying values. I once ran into a situation where there was a third party that couldn't lower their MTU; if they did that, they would introduce other problems.
Luckily I discovered that the customer had a reverse proxy (full proxy), which I then used to terminate the client-side connection on. I then configured the reverse proxy in a way that I could lower the MSS to a satisfying value.
Don't forget that this is only possible with TCP.
Kind regards,
Hello Tim,
that tcpdump syntax is exactly what I need to see the fragmented traffic. In our case it's too much, especially because this DMZ is not yet completely in production.
Now i can dive more in depth into the situation, thanks a lot!
Best
Vincent