Bug or something other
Hello, I have R81.20 Jumbo Hotfix Take 76 on my gateways in ClusterXL, but when I upgraded to Take 84 (the recommended version) I got some issues regarding internet access.
Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed.
To learn more see sk113479.
It seems like an issue with policy match.
I have an inline layer created for internet access (rule ID: 79). Instead of connections matching rule 79.15, they match rule 79.
I didn't find the cause of the problem and I have downgraded to Hotfix Take 76.
How do I resolve the problem?
This error message is considered "normal" and a function of how modern application-aware firewalls operate.
In short:
- On first packet, you only know source/destination/service from an IP header perspective.
- Additional packets are required to fully classify the traffic (e.g. we need to see HTTP headers or information not available in the first packet).
- Assuming there's at least ONE accept rule on the relevant port, traffic will be allowed until the traffic can be properly classified.
- If the underlying connection closes before classification occurs, you will see the error you mention.
Again, this is expected behavior and is documented in the referenced SK: https://support.checkpoint.com/results/sk/sk113479
The fact you rolled back begs the question: were your users experiencing any actual issues as a result of these errors?
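The staged classification described in the reply above, as an added simulation in Python (not code from the thread or from Check Point): the gateway matches on the 5-tuple first, lets the connection through while a sub-rule of the inline layer is still a candidate, and logs the "insufficient data" message against the parent rule (79) if the client closes before any payload arrives. The rule numbers other than 79, the application names, the toy classifier and the traffic samples are constructed assumptions for the model.

```python
"""Toy model of an application-aware gateway classifying a connection in stages.
Added illustration, not Check Point code; rule numbers (except 79), app names
and traffic are constructed for the model."""
from dataclasses import dataclass, field
from typing import Optional

# Log text quoted in the thread (sk113479)
INSUFFICIENT = ("Connection terminated before the Security Gateway was able to "
                "make a decision: Insufficient data passed.")

@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes = b""   # a bare SYN / ACK carries no application data
    fin: bool = False      # the client closed the connection

@dataclass
class Rule:
    rid: str
    dports: tuple = ()                 # () = any destination port
    app: Optional[str] = None          # None = no application condition
    action: str = "accept"
    sub_rules: list = field(default_factory=list)   # non-empty = inline layer

def classify(payload: bytes) -> Optional[str]:
    """Toy application classifier: needs payload bytes, not just the handshake."""
    if len(payload) < 4:
        return None                    # not enough data yet
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http"
    if payload[:3] == b"\x16\x03\x01":  # TLS record header of a ClientHello
        return "tls"
    return "other"

def match(rules, dport, app):
    """First rule whose port condition holds. Returns (rule, "final"), or
    (rule, "pending") when a candidate needs an app verdict we do not have yet."""
    for r in rules:
        if r.dports and dport not in r.dports:
            continue
        if r.app is None:
            return r, "final"
        if app is None:
            return r, "pending"        # could still match once classified
        if app == r.app:
            return r, "final"
    return None, "final"

def log_entry(rid, action, msg=""):
    return {"rule": rid, "action": action, "msg": msg}

def process_connection(policy, packets):
    """Walk one connection's packets through the policy: 5-tuple match first,
    then refine by application once enough payload has been seen."""
    buf = b""
    for pkt in packets:
        buf += pkt.payload
        rule, status = match(policy, pkt.dport, classify(buf))
        if rule is not None and rule.sub_rules and status == "final":
            # Inline layer: the parent (rule 79) matched on the 5-tuple; the
            # sub-rule can only be chosen after classification.
            sub, status = match(rule.sub_rules, pkt.dport, classify(buf))
            if status == "final":
                rule = sub             # None means the layer's cleanup drop
        if status == "pending":
            # Assumed: an accept rule may still match on this port, so the packet
            # is let through while we wait for more data.
            if pkt.fin:
                # Closed before a decision: logged as accept on the parent rule.
                return [log_entry(rule.rid, "accept", INSUFFICIENT)]
            continue
        if rule is None:
            return [log_entry("cleanup", "drop")]
        return [log_entry(rule.rid, rule.action)]
    return []                          # connection still open, nothing final yet

# Constructed policy: rule 79 is the internet-access inline layer from the thread;
# 79.11 / 79.12 / 79.15 and the other rules are assumptions for the model.
POLICY = [
    Rule("78", dports=(22,), action="drop"),
    Rule("79", dports=(80, 443), sub_rules=[
        Rule("79.11", app="http"),
        Rule("79.12", app="tls"),
        Rule("79.15", action="drop"),          # layer cleanup
    ]),
    Rule("80", action="drop"),                 # policy cleanup
]

# Constructed traffic samples (10.0.0.5 is a made-up internal client).
ABORTED = [Packet("10.0.0.5", 80), Packet("10.0.0.5", 80, fin=True)]
HTTP_OK = [Packet("10.0.0.5", 80),
           Packet("10.0.0.5", 80, payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]
NOT_HTTP = [Packet("10.0.0.5", 80), Packet("10.0.0.5", 80, payload=b"\x00\x01\x02\x03junk")]

if __name__ == "__main__":
    for name, conn in (("aborted", ABORTED), ("http", HTTP_OK), ("not-http", NOT_HTTP)):
        print(name, process_connection(POLICY, conn))
```

Running it shows the three outcomes side by side: the aborted connection is logged as an accept on rule 79 with the "insufficient data" text, the real HTTP request lands on sub-rule 79.11, and unclassifiable traffic on port 80 falls through to the layer's cleanup drop. The first case is a log line, not a blocked user; whether users actually lose access is a separate question, which is why the reply asks what end users saw.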
The way I always put it, that SK is literally a long way of saying the 3-way handshake is not completing and the firewall is not the problem. It simply does not have enough data to classify such a connection, and though you may see the actual drop in the log, that's not technically the case.
Andy
Look at these pictures. When the problem occurs, nobody can access the internet. The policy says that rule 79 is matched (rule 79 is an inline layer). It must match rule 79.11 to allow access to the internet.
I don't know, maybe something is wrong with Gaia OS; I am thinking of reinstalling Gaia OS.
I saw the pictures : - )
Trust me, it's NOT a firewall issue, mate. Just carefully read the SK itself.
Andy
The action on the log says "Accept."
When you say "nobody can access the Internet" what is the exact behavior? (i.e. what is seen by end users)
In any case, the error message itself isn't necessarily indicative of a problem.
However, if there is an actual issue that can be resolved by uninstalling the relevant JHF, then you'll need to consult with TAC.
