This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2021-05-26 09:10 AM
Jump to solution

FTP retransmission causing FW to modify packet

Hello All,

We have put a FTP server behind a Security Gateway (R80.40) and this is causing the FTP scripts on the server to fail. It looks like a retransmission is happening with one FTP packets occasionally. The FW is altering this packet, which cause the FTP transfers to stop unexpectedly early.

I am using cppcap to capture the packets so the packets are seen 6 times as the traverse the firewall.

We see the original FTP response packet enter the firewall and pass correctly.

Packet1.png after this packet there is a normal ACK back.

We then see a retransmission of this response packet enter the firewall.  We see this 3 times as it is inbound on the firewall:

Packet2.png

When the packet starts on the outbound path it has dropped from 120 byte to 67 bytes, the TCP flags have changed and the FTP data has been truncated to be a single character (I believe it is a newline character) 

Packet3.png

Something in the FW seems to process this retransmission in a strange way.  The FTP commands and the output are logged on the server and are checked by a script for the return FTP code 226. As is visible when we decode the FTP stream on a wireshark trace on the server, this modified packet with the newline causes the FTP return code to appear as "newline" + 26 instead of the expected FTP return code 226. This causing the FTP scripts to fail:

decode.png

Has anyone experienced something like this before?

Many thanks,

Michael

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2021-05-26 11:49 AM
Jump to solution

Yes I have although Wireshark does not seem to be showing a checksum error, check this SK:

sk173191: Packet data stripped by "TCP Invalid Checksum" IPS protection

Your issue also sounds vaguely similar to the following SK, but it does not match the symptoms exactly:

sk24960: "Smart Connection Reuse" feature modifies some SYN packets

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-05-26 11:49 AM
Jump to solution

Yes I have although Wireshark does not seem to be showing a checksum error, check this SK:

sk173191: Packet data stripped by "TCP Invalid Checksum" IPS protection

Your issue also sounds vaguely similar to the following SK, but it does not match the symptoms exactly:

sk24960: "Smart Connection Reuse" feature modifies some SYN packets

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Michael_Horne
Advisor
‎2021-05-27 01:47 AM
In response to Timothy_Hall
Jump to solution

Hello ,

Thanks for the links to the topics. I put in an exception for the "TCP invalid Checksum" protection for this particular connection, and I no longer see the FTP packets being truncated / changed as the pass through the firewall.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events