babicmilan
Collaborator

Bug or something other

Hello, I have version R81.20 Jumbo Hotfix Take 76 on my gateways in ClusterXL, but when I upgraded it to Take 84 (recommended version) I got some issues regarding internet access.

Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed.
To learn more see sk113479.

It seems like issue with policy match.

I have an inline layer created for internet access (rule ID: 79). Instead of connections matching rule 79.15, they match rule 79.

I didn't find the cause of the problem and I have downgraded to Hotfix Take 76.


How do I resolve the problem?

0 Kudos
5 Replies
PhoneBoy
Admin

This error message is considered "normal" and a function of how modern application-aware firewalls operate.
In short:

  • On first packet, you only know source/destination/service from an IP header perspective.
  • Additional packets are required to fully classify the traffic (e.g. we need to see HTTP headers or information not available in the first packet).
  • Assuming there's at least ONE accept rule on the relevant port, traffic will be allowed until the traffic can be properly classified.
  • If the underlying connection closes before classification occurs, you will see the error you mention. 

Again, this is expected behavior and documented in the referenced SK: https://support.checkpoint.com/results/sk/sk113479 

The fact you rolled back begs the question: were your users experiencing any actual issues as a result of these errors?

0 Kudos
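To make the four bullet points above concrete, here is a small simulation (added example, not Check Point code and not the poster's own) of first-packet rule matching with deferred application classification. The policy, packet contents, `SNI=` marker and the sub-rules under rule 79 are all constructed for illustration; only the rule numbers 79 / 79.15 and the log text come from the thread. It shows why a connection that closes before the classifier has enough payload is reported against the parent inline-layer rule with the "Insufficient data passed" note while the action stays Accept, and how the same engine lands on a sub-rule once classification succeeds.

```python
"""Toy model of first-packet policy matching with deferred application
classification.  Simplified illustration, NOT Check Point's engine.
Rule numbers 79 / 79.15 follow the thread; everything else is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    rid: str
    dst_port: Optional[int]        # header field: known on the first packet
    application: Optional[str]     # needs payload to decide; None = any
    action: str
    sub_rules: list = field(default_factory=list)


# Constructed policy: rule 79 is an inline layer.  Its parent rule matches any
# TCP/443 traffic on header fields alone; the sub-rules need application data.
POLICY = [
    Rule("79", 443, None, "Accept", sub_rules=[
        Rule("79.15", 443, "Web Browsing", "Accept"),
        Rule("79.16", 443, "Anonymizer", "Drop"),
        Rule("79.17", 443, "*", "Drop"),      # cleanup rule inside the layer
    ]),
    Rule("80", None, None, "Drop"),           # global cleanup rule
]

# Verbatim log text from the thread (sk113479).
INSUFFICIENT = ("Connection terminated before the Security Gateway was able "
                "to make a decision: Insufficient data passed.")


@dataclass
class Packet:
    dst_port: int
    payload: bytes = b""
    fin: bool = False


def classify(payload: bytes) -> Optional[str]:
    """Stand-in for the application classifier.  It needs the constructed
    'SNI=' marker (think: a full TLS ClientHello) before it can name the app."""
    if b"SNI=anon.example" in payload:
        return "Anonymizer"
    if b"SNI=" in payload:
        return "Web Browsing"
    return None                              # not enough data yet


def evaluate(packets):
    """Walk one connection's packets in order; return (rule id, action, note)."""
    first = packets[0]
    # 1. First packet: only source/destination/service are known.
    parent = next((r for r in POLICY if r.dst_port in (None, first.dst_port)), None)
    if parent is None:
        return ("none", "Drop", "no rule")
    if not parent.sub_rules:
        return (parent.rid, parent.action, "matched on header")
    # 2. An Accept exists on the port, so traffic flows while payload is collected.
    buffered = b""
    for pkt in packets:
        buffered += pkt.payload
        app = classify(buffered)
        if app is not None:
            for sub in parent.sub_rules:
                if sub.application in ("*", app):
                    return (sub.rid, sub.action, f"classified as {app}")
        if pkt.fin:
            break
    # 3. Connection ended before classification: logged against the parent
    #    rule, action unchanged, with the informational note.
    return (parent.rid, parent.action, INSUFFICIENT)


def demo():
    """Four constructed connections covering the cases discussed above."""
    cases = {
        "healthy":     [Packet(443), Packet(443), Packet(443, b"ClientHello SNI=www.example.com")],
        "early_close": [Packet(443), Packet(443), Packet(443, fin=True)],   # handshake never completes
        "anonymizer":  [Packet(443), Packet(443, b"ClientHello SNI=anon.example")],
        "ssh":         [Packet(22)],
    }
    return {name: evaluate(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> rule {result[0]:6s} {result[1]:7s} {result[2]}")
```

The `early_close` case is the one from the original post: the action is still Accept and the rule shown is the parent 79, not 79.15, because no sub-rule could ever be evaluated. The point for troubleshooting is that such a log line on its own says nothing about whether users were blocked; only a connection that reaches a Drop sub-rule (the `anonymizer` case) or a cleanup rule (the `ssh` case) represents an enforcement decision.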
the_rock
Legend

The way I always put it, that sk is literally a long way of saying the 3-way handshake is not completing and the firewall is not the problem. It simply does not have enough data to classify such a connection, and though you may see the actual drop in the log, that's not technically the case.

Andy

0 Kudos
babicmilan
Collaborator

Look at these pictures. When the problem occurs, nobody can access the internet. The policy says that rule 79 is matched (rule 79 is an inline layer). It must match rule 79.11 to allow access to the internet.

I don't know, maybe something is wrong with Gaia OS; I am thinking of reinstalling Gaia OS.

0 Kudos
the_rock
Legend

I saw the pictures :-)

Trust me, it's NOT the firewall issue, mate. Just carefully read the sk itself.

Andy

0 Kudos
PhoneBoy
Admin

The action on the log says "Accept."
When you say "nobody can access the Internet" what is the exact behavior? (i.e. what is seen by end users)

In any case, the error message itself isn't necessarily indicative of a problem.
However, if there is an actual issue that can be resolved by uninstalling the relevant JHF, then you'll need to consult with TAC.

0 Kudos