This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
r1der
Advisor
‎2023-01-20 03:03 PM
Jump to solution

Filter out logs for "First packet isn't SYN"?

Hi All,

Is there a way to filter out logs for websites that have a drop for "First packet isn't SYN"?

I'm trying to find whether a website was blocked due to the firewall, and sort out the logs by username/not action:accept, but the "First Packet isn't SYN" logs are burying the logs I want to see.

 

Hardware: 6000 series
Smb: Smart-1 410 
Version: R81.10 take 79

Thanks!

 

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2023-01-20 05:09 PM
Jump to solution

Sorry, apologies mate, I dont have access to the dashboard now, but I recall doing similar filter before and you can do something like this -> NOT "First packet isnt SYN" or if you look at any logs containing that message, find the column containing those words and then right click on it and select the filter, that works as well.

Best,
Andy

View solution in original post

(1)
7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-01-20 05:09 PM
Jump to solution

Sorry, apologies mate, I dont have access to the dashboard now, but I recall doing similar filter before and you can do something like this -> NOT "First packet isnt SYN" or if you look at any logs containing that message, find the column containing those words and then right click on it and select the filter, that works as well.

Best,
Andy
(1)
r1der
Advisor
‎2023-01-23 02:35 PM
In response to the_rock
Jump to solution

Thanks @the_rock, you rock! 

I thought I tried it that way (123.456.789 and NOT "First packet isn't SYN") but maybe I had something off. That works.

the_rock
MVP Platinum
MVP Platinum
‎2023-01-23 02:37 PM
In response to r1der
Jump to solution

Glad it helped mate! By the way, I just like to think Im like REAL Rock (Dwayne Johnson), but in reality, compared to him, Im more Mr Pebble ; - )

Cheers.

Best,
Andy
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-21 01:15 AM
Jump to solution

I would try to get rid of the First packet isn't SYN messages first, does not look healthy at all !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
r1der
Advisor
‎2023-01-23 02:43 PM
In response to G_W_Albrecht
Jump to solution

@G_W_Albrecht Thanks, I'm really confused about the First packet isn't SYN errors. I've read so much about it; I don't know which to believe anymore. 
I even opened a case with support previously about it, and they told me its regular to see those. Some threads here even say its normal. Is there a way you suggest I can get rid of them? I wouldn't even know how to get a hold of some of the web developers for the sites that are showing these "blocks" for First packet isn't SYN.

Note: I don't have https inspection checked yet.

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-01-23 02:46 PM
In response to r1der
Jump to solution

Man, thats tricky one...whoever says those messages are normal, I would not say they are right, BUT, they are not wrong either. It really depends the situation...you will see those messages ANY TIME when connection is out of order. So as we all know, you got 3-way handshake, SYN <-> SYN-ACK<-> ACK. So, at the end of the day, message clearly tells you thats not happening, the hardest part is figuring out WHY NOT.

Best,
Andy
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-23 11:22 PM
In response to r1der
Jump to solution

Usually, this is caused by asymmetrical routing - e.g. same connection packets arriving from different IFs.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events