Checkpoint Stateful Inspection for reestablished TCP session
Hi All,
I have one question regarding the Check Point stateful inspection feature. I have a rule that allows Server A to be accessed from public, and in the firewall, as I know, there is only one rule needed for such traffic due to Check Point stateful inspection. My concern is: if the TCP session by any means fails, does adding a rule from Server A to any make this TCP session reestablish by the server?
Thanks,
Accepted Solutions
If the TCP session fails, I would assume that the client needs to establish a new connection to the server - it usually does not make sense for a server to reach out for a client to re-establish a connection 😉 Also authentication would be an issue here.
What is the expected behavior, what are you trying to achieve?
The thing is the server access from public failed in the middle of nowhere. So, I thought whenever the TCP session failed, writing a rule in the reverse direction (i.e. from server to any) may allow the server to reestablish the TCP session.
A reverse rule won't solve this issue as you will get a TCP packet out of state message: https://support.checkpoint.com/results/sk/sk31382
Or something like "First Packet isn't SYN" from: https://support.checkpoint.com/results/sk/sk11088
You can disable these checks for specific flows by using the procedure in sk11088.
This is generally not recommended for security reasons, though.
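To illustrate why the reverse rule does not help, here is an added toy model of a stateful gateway (example code written for this thread, not Check Point's implementation): the rule base is only consulted for a SYN that opens a new connection; once the connection-table entry is gone, a mid-stream packet from the server is dropped as "First Packet isn't SYN" regardless of any Server A -> any rule. The addresses and ports are constructed values.

```python
# Constructed rule base: public -> Server A on 443, plus the proposed reverse rule.
SERVER_A = "203.0.113.10"
RULES = [
    {"src": "any", "dst": SERVER_A, "dport": 443},   # the one rule normally needed
    {"src": SERVER_A, "dst": "any", "dport": None},  # proposed Server A -> any rule
]

def rule_allows(src, dst, dport):
    """First-match lookup over the rule base; None in dport means any port."""
    for r in RULES:
        if (r["src"] in ("any", src) and r["dst"] in ("any", dst)
                and r["dport"] in (None, dport)):
            return True
    return False

class StatefulGateway:
    def __init__(self):
        self.table = set()  # connection table, keyed by the unordered endpoint pair

    def inspect(self, src, sport, dst, dport, flags):
        key = frozenset({(src, sport), (dst, dport)})
        if key in self.table:
            # Known connection: both directions pass without a rule-base lookup
            if flags & {"FIN", "RST"}:
                self.table.discard(key)
            return "accept (matches connection table)"
        # No state: only a SYN may open a connection, and only if a rule allows it
        if flags != {"SYN"}:
            return "drop: First Packet isn't SYN"
        if not rule_allows(src, dst, dport):
            return "drop: no matching rule"
        self.table.add(key)
        return "accept (new connection)"

def scenario():
    """Replays the thread's situation and returns the verdict for each packet."""
    gw = StatefulGateway()
    client = ("198.51.100.7", 51000)
    verdicts = [
        gw.inspect(*client, SERVER_A, 443, {"SYN"}),          # client opens session
        gw.inspect(SERVER_A, 443, *client, {"SYN", "ACK"}),   # server reply, stateful
    ]
    gw.table.clear()  # the failure: connection state lost (timeout, failover, ...)
    verdicts.append(gw.inspect(SERVER_A, 443, *client, {"ACK"}))  # server continues
    verdicts.append(gw.inspect(client[0], 51001, SERVER_A, 443, {"SYN"}))  # new SYN
    return verdicts
```

Only the fresh client SYN in the last step is accepted; this is the behaviour the replies above describe, and what disabling the check in sk11088 would relax.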