JPR
Collaborator

About "CPNotEnoughDataForRuleMatch" and connection reset

Hi there,

I've (partly) asked about this before (https://community.checkpoint.com/t5/Security-Gateways/quot-CPNotEnoughDataForRuleMatch-quot-and-quot...), but now I have another related question regarding this behavior.

I have a service that connects to an external IP address, but every time the connection gets terminated by a reset from the destination. The log in my firewall says "Accept"; however, it is getting "terminated before the Security Gateway was able to make a decision: No SSL applicative data." ("CPNotEnoughDataForRuleMatch").

As I was told in my other post (see link above), the behavior is by design and expected; however, I do have a question as to why it happens.

The connection in question gets HTTPS Inspected and the log is as follows:

[screenshot: httpsi.jpg]

And the "Accept" ("CPNotEnoughDataForRuleMatch") log looks as below:

[screenshot: accept.jpg]

I tried to establish the connection with a Wireshark running on the client (not the firewall) and as far as I can see the handshake completes, but then it gets disconnected by a reset from the destination:

[screenshot: ws.jpg]

I have the same service on another endpoint WITHOUT HTTPS Inspection and there it connects fine.

So my question is: Is it possible that the packet somehow gets "malformed" in the HTTPS Inspection process and therefore the destination sends a reset back to us and kills the connection? Or is something different going on? I really can't figure it out!

Looking forward to your comments 🙂

Thanks!

0 Kudos
32 Replies
the_rock
Legend

@Bob_Zimmerman explained it perfectly in the 2nd link I posted in my initial response:

This message means the firewall isn't the problem. It allowed the SYN, but the connection was closed for some other reason before the firewall could see the website or application being attempted.

This is almost always because the server didn't respond with a SYN-ACK.

0 Kudos
PhoneBoy
Admin

Yes, it's the use of the Custom Application/Site object that is causing the "problem" (which is actually by design).
More specifically, it appears to be the first "potential match" rule, which means it might impact multiple flows.
See how Column-Based Rule Matching works: https://community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/m-p/9888#M1... 

This may not be an issue of "more rules" but one of rule order, depending on what the precise nature of the traffic is and what rules you have.

0 Kudos
Lesley
Mentor

Focus on checking the HTTPS inspection part, not the CPNotEnoughDataForRuleMatch error.

HTTPS inspection can go wrong between client <-> FW or FW <-> remote server.

A mismatch in ciphers, but also a CA that is not up to date on the FW.

-------
If you like this post please give a thumbs up(kudo)! 🙂
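A client-side probe for the checks Lesley lists, added here as an example and not code from this thread or from Check Point. It assumes the operator knows the CN of the gateway's HTTPS Inspection CA (passed as `inspection_ca_cn`; host and CA names in the code are placeholders), and it separates a handshake that never completes from one that completes and is then reset, which is what the capture in the original post shows.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProbeResult:
    handshake_ok: bool
    cipher: Optional[str]        # negotiated cipher suite, if the handshake completed
    issuer_cn: Optional[str]     # CN of the issuer of the cert the client received
    reset_after_handshake: bool  # peer reset the connection right after the handshake
    error: Optional[str]

def issuer_cn(cert: dict) -> Optional[str]:
    """Issuer CN from an ssl.SSLSocket.getpeercert() dict (RDN tuples)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """From the client: complete the TLS handshake, send one request and see
    whether the peer answers or resets, as in the capture described above."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher, issuer = tls.cipher()[0], issuer_cn(tls.getpeercert() or {})
            tls.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            try:
                tls.recv(1)
            except (ConnectionResetError, ssl.SSLEOFError):
                return ProbeResult(True, cipher, issuer, True, "peer reset after handshake")
            return ProbeResult(True, cipher, issuer, False, None)
    except ssl.SSLError as exc:
        return ProbeResult(False, None, None, False, f"TLS error: {exc}")
    except OSError as exc:
        return ProbeResult(False, None, None, False, f"TCP error: {exc}")

def diagnose(result: ProbeResult, inspection_ca_cn: str) -> str:
    """Point at the leg Lesley names: client <-> FW or FW <-> remote server."""
    inspected = result.issuer_cn == inspection_ca_cn
    if not result.handshake_ok:
        return "no TLS session at the client: check ciphers and the CA the client trusts"
    if inspected and result.reset_after_handshake:
        return "inspected, then reset: check the FW <-> server leg (ciphers, CA bundle on FW)"
    if result.reset_after_handshake:
        return "not inspected, reset by server: the cause is outside HTTPS inspection"
    return "connection healthy" + (" (inspected)" if inspected else "")
```

Run `diagnose(probe("example.invalid"), "Your Inspection CA")` from the endpoint behind inspection and again from the endpoint without it; an issuer CN equal to the inspection CA confirms the client is talking to the gateway, not the server.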
