This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Netadmin2020
Collaborator
‎2020-12-31 08:58 AM
Jump to solution

Connection terminated before detection. Action Passed

Hello again,

I have the bellow issue from time to time and I am searching to see what lies behind. 

 

 

 

I red for the early drop optimization and for packet out of states.

early drop.JPG

In my case the traffic always accepted but in some cases with above message.

What are you proposing ?

 

thanx!

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-01-01 11:23 AM
In response to Netadmin2020
Jump to solution

If by destination you mean a specific IP, that can be blocked at the TCP SYN.
If the destination is a specific application or a specific action in an application, traffic has to be allowed until such application or action is detected.
At that point, the connection is terminated.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2020-12-31 12:42 PM
Jump to solution

What precise rule is accepting the traffic? This could be expected behavior.

Consider what is required to determine you are tying to access, say: Gmail.
If I open a TCP connection to 192.0.2.1 port 443, the first packet sent is a TCP SYN. Here’s what I know from that:

  1. It’s likely a web-based connection. That said, anything can use port 443, so that’s only an assumption.
  2. It could be a connection to do a Google search, gmail, Google Maps, Google Drive, or any other Google property. Or Office 365 apps. Or something else.
  3. I might be able to do a reverse lookup on the IP to see where it’s going, but that adds latency and provides no guarantee the lookup will show you anything that will help identify the app or website. Or tell you if the content being served up is actually safe.

Bottom line: more information is needed. A few more packets must be let through on the connection before we know exactly what it is.

Meanwhile, the error seems to indicate that the TCP connection terminated before we could figure out precisely what application it was.
Which, given how Application Control works, is something that can (and does) happen.

Netadmin2020
Collaborator
‎2021-01-01 12:01 AM
In response to PhoneBoy
Jump to solution

Good Morning and I wish a happy new year for all of us!

I am attaching everything requested below:

1.PNG

2.PNG

3.PNG

4.PNG

application.PNG

rule150.PNG

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-01 12:15 AM
In response to Netadmin2020
Jump to solution

That basically confirms what I was saying above: not quite enough bytes to classify the traffic under rule 150.1.
However, because you have an App Control rule, some traffic has to be allowed in order to attempt classification.
This is expected behavior.

Netadmin2020
Collaborator
‎2021-01-01 12:22 AM
In response to PhoneBoy
Jump to solution

This rule was just an example but behavior could be the same for other rules. So you mean that this will not be a problem to the user side?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-01 12:23 AM
In response to Netadmin2020
Jump to solution

Shouldn't be since the traffic is being allowed.

0 Kudos
Netadmin2020
Collaborator
‎2021-01-01 12:47 AM
In response to PhoneBoy
Jump to solution

So no further actions are required ? 

0 Kudos
Netadmin2020
Collaborator
‎2021-01-01 01:24 AM
Jump to solution

As far as I understand some data should pass for the classification to be completed but finally the action may be blocked, if there is a rule with deny action to specific destinations.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-01 11:23 AM
In response to Netadmin2020
Jump to solution

If by destination you mean a specific IP, that can be blocked at the TCP SYN.
If the destination is a specific application or a specific action in an application, traffic has to be allowed until such application or action is detected.
At that point, the connection is terminated.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events