This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ikafka
Collaborator
‎2023-09-22 03:59 AM
Jump to solution

First Packet isn't SYN

Hi,

 

I have looked through similiar post here but it is not exactly the same problem, I wanted to open a post. 

The 192.168.100.0/24 network is constantly generating traffic. I know this traffic (SCADA generated). I blocked this 192.168.100.0/24 network by writing  a rule from the firewall and  did not wan to log. I left it as NONE.

But when I look at logs on the firewall, it shows as a drop but it does not match my rule. Anr rule drops without matching. Too many logs are generated. How can I drop this traffic and make it not keep logs? 

Screenshot of a log record. 

fECYroZA0o.png

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-09-22 04:37 PM
Jump to solution

You can disable these logs via: https://support.checkpoint.com/results/sk/sk102491

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2023-09-22 04:37 PM
Jump to solution

You can disable these logs via: https://support.checkpoint.com/results/sk/sk102491

ikafka
Collaborator
‎2023-09-26 04:37 AM
In response to PhoneBoy
Jump to solution

Thank you @PhoneBoy for your replying. I set it to not log. Sometimes it is necessary to look at such logs. I can open it again when necessary. 

0 Kudos
the_rock
Legend
Legend
‎2023-09-22 04:54 PM
Jump to solution

In layman's terms, all that error means, regardless of the firewall vendor used, is literally that 3 way handshake is not completing, why, thats another question. You need to run tcpdump and fw monitor to find out.

To help with the flags, check out this site my colleague made while back, it gives you the command you can copy directly based on the filter (it also uses multiple vendors)

Andy

www.tcpdump101.com

 

0 Kudos
ikafka
Collaborator
‎2023-09-26 04:35 AM
In response to the_rock
Jump to solution

Thank you for this site. It is a very nice and useful site. 

(1)
the_rock
Legend
Legend
‎2023-09-26 08:41 AM
In response to ikafka
Jump to solution

Super useful...my colleague made that in his free time over the years. 

Andy

Zolocofxp
Collaborator
‎2023-09-26 08:36 AM
Jump to solution

I have experienced this before and every single time, it had to do with asymmetric routing. SYN packet reached the destination host without going through the firewall and SYN-ACK was returning through the firewall. 

(1)
the_rock
Legend
Legend
‎2023-09-26 08:41 AM
In response to Zolocofxp
Jump to solution

What you said is literally the case 99% of the time.

Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events