This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vincent_Bacher
Advisor
Advisor
‎2018-02-14 01:27 AM
Jump to solution

another question about healthcheck result

Hi mates,

have another question about healthcheck result.
+-----------------------+-------------------------------+---------------+
| Fragments             | Fragments                     | WARNING       |
+-----------------------+-------------------------------+---------------+

In the report, i don't see exactly what check delivers this warning (or i am too blind to see) and what's the threshhold for triggering this warning.
Any ideas?
BR
Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
1 Solution

Accepted Solutions
Jelle_Hazenberg
Collaborator
Collaborator
‎2018-02-14 03:07 AM
Jump to solution

Hi Vincent,

If we look at the bash script I think it is this section we are looking for:

#Fragments check
check_fragmentation()
{
    #Reset counters and start log
    summary_error=0
    test_output_error=0
    current_check_message="# Fragments Checks:"

    #Collect expired and failure numbers from "fw ctl pstat"
    all_fragments=$(fw ctl pstat | grep -A2 Fragments | grep -v Fragments)
    current_expired=$(echo $all_fragments | awk '{print $5}')
    current_failures=$(echo $all_fragments | awk '{print $13}')
    printf "| Fragments\t\t| Fragments\t\t\t|" | tee -a $output_log'

    #Display warning messages if failures or expired packets are detected
    if [[ $current_failures -ne 0 || $current_expired -ne 0 ]]; then
        check_failed
        printf "Fragments,Fragments,WARNING,\n" >> $csv_log
        if [[ $current_failures -ne 0 ]]; then
            printf "Failures ▒~@~S denotes the number of fragmented packets that were received that could not be successfully re-assembled.\n\n" >> $logfile
        fi
        if [[ $current_expired -ne 0 ]];then
            printf "Expired ▒~@~S denotes how many fragments were expired when the firewall failed to reassemble them in a 20 seconds time frame or when due to memory exhaustion, they could not be kept in memory anymore.\n\n" >> $logfile
        fi

So this means that the command "fw ctl pstat" is issued to deliver you this information. And there are failures / expired packets detected.

View solution in original post

5 Replies
Jelle_Hazenberg
Collaborator
Collaborator
‎2018-02-14 03:07 AM
Jump to solution

Hi Vincent,

If we look at the bash script I think it is this section we are looking for:

#Fragments check
check_fragmentation()
{
    #Reset counters and start log
    summary_error=0
    test_output_error=0
    current_check_message="# Fragments Checks:"

    #Collect expired and failure numbers from "fw ctl pstat"
    all_fragments=$(fw ctl pstat | grep -A2 Fragments | grep -v Fragments)
    current_expired=$(echo $all_fragments | awk '{print $5}')
    current_failures=$(echo $all_fragments | awk '{print $13}')
    printf "| Fragments\t\t| Fragments\t\t\t|" | tee -a $output_log'

    #Display warning messages if failures or expired packets are detected
    if [[ $current_failures -ne 0 || $current_expired -ne 0 ]]; then
        check_failed
        printf "Fragments,Fragments,WARNING,\n" >> $csv_log
        if [[ $current_failures -ne 0 ]]; then
            printf "Failures ▒~@~S denotes the number of fragmented packets that were received that could not be successfully re-assembled.\n\n" >> $logfile
        fi
        if [[ $current_expired -ne 0 ]];then
            printf "Expired ▒~@~S denotes how many fragments were expired when the firewall failed to reassemble them in a 20 seconds time frame or when due to memory exhaustion, they could not be kept in memory anymore.\n\n" >> $logfile
        fi

So this means that the command "fw ctl pstat" is issued to deliver you this information. And there are failures / expired packets detected.

Vincent_Bacher
Advisor
Advisor
‎2018-02-14 03:36 AM
In response to Jelle_Hazenberg
Jump to solution

Hello Jelle,

you are absolutely right. Shame on me for not looking into the script on myself ☹

Best

Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Timothy_Hall
Legend Legend
Legend
‎2018-02-15 01:24 PM
Jump to solution

Edit 7/15/2019: Packets arriving at the firewall that are fragmented can potentially be accelerated starting in gateway version R80.20.

Fragments are not the end of the world but should be investigated because they cannot be accelerated at all by SecureXL, here is a excerpt from my book discussing them:

 

If you suspect fragmentation is occurring, we can confirm this from the firewall using
various tools. There is very little you can do about fragmented packets arriving from the
Internet (unless your organization’s own Internet perimeter router is the one doing the
fragmenting), but you should try to avoid this situation on any networks under your
administrative control. To figure out how many fragments the firewall is receiving, run
these commands:


fw ctl pstat and fwaccel stats -p

 

If the fragment numbers seem high, run this tcpdump command to see all fragmented
packets and figure out where they are coming from:


tcpdump -eni any '((ip[6:2] > 0) and (not ip[6] = 64))'


Any traffic appearing in this output is fragmented; notice that the -e option will also
show you the source MAC address of the entity that sent the fragmented packet to the
firewall, in order to help you trace the fragmented packet back to its origin. The only
way to correct this situation is to ensure a consistent MTU value is in use throughout
your internal and DMZ networks. In the real world when a large amount of internal
traffic is improperly fragmented, it is usually due a misconfigured MTU on a router
somewhere. I’ve seen correcting an internal MTU issue such as this make a huge
difference in firewall performance.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Jelle_Hazenberg
Collaborator
Collaborator
‎2018-02-15 03:40 PM
In response to Timothy_Hall
Jump to solution

I would like to add to this that sometimes it's not in your power to adjust the MTU to satisfying values. I once run into a situation where there was a 3third party that couldn't lower there MTU, if they would do that they would introduce other problems.

Luckily i discovered that the customer had a reverse proxy (full proxy) which I then used to terminate the client-side connection on. I then configured the reverse proxy in a way that i could lower the MSS to a satisfying value.

Don't forget that this is only possible with TCP  Smiley Happy

Kind regards,

Vincent_Bacher
Advisor
Advisor
‎2018-02-15 11:21 PM
In response to Timothy_Hall
Jump to solution

Hello Tim,

that tcpdump syntax is exactly what i need to see the fragmented traffic. In our case it's too much, especially because this DMZ is not yet in production completely.

Now i can dive more in depth into the situation, thanks a lot!

Best

Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events