This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Herschel_Liang
Collaborator
‎2022-04-20 05:13 PM

How the CheckPoint behaves when cancel stateful Inspection?

I have seen Fortinet KB(Technical Note: How the FortiGate behaves when asymmetric routing is enabled ) recently.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-the-FortiGate-behaves-when-asymmetric...

And wonder whether similar behaviour on CP FW or not.

 

0 Kudos
23 Replies
the_rock
Legend
Legend
‎2022-04-20 05:42 PM

Put it this way...if you disable stateful inspection, you might as well not even have the firewall. It would literally behave like a layer 2 device at that point.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-04-20 06:45 PM

Can you describe the use case scenario that you're trying to achieve / solve so we can better assist?

CCSM R77/R80/ELITE
0 Kudos
Herschel_Liang
Collaborator
‎2022-04-20 08:55 PM
In response to Chris_Atkinson

No, do not want to ask use case scenario. I just want to know CP general behaviour when cancel stateful Inspection as FGT KB descrition. How will CP prcedure traffic? Will it continue policy lookup for TCP traffic and will it inspect L7? I just curious about any different from CP and FGT after disabling stateful inspection. Due to both of two production can action as L7 firewall.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-04-20 10:27 PM
In response to Herschel_Liang

Best put both units side by side and test the behaviour under these circumstances. But usually, customers tend to fix the asymetric routing issues...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2022-04-20 06:48 PM

@Chris_Atkinson makes a good point actually. If you tell us the scenario, we will have better idea how to help. By the way, the most cases I had seem where people disable stateful inspection is if you are getting "out of state packets". Honestly, thats more not even a real workaround, but really "masking" an actual issue.

Think about it like this...if packet is NOT stateful, then firewall should drop it. So really, any out of state packet tells you its not doing syn- syn ack-ack sequence.

Andy

0 Kudos
Herschel_Liang
Collaborator
‎2022-04-20 09:00 PM
In response to the_rock

No, do not want to ask use case scenario. I just want to compare CP globally behaviour after cancel stateful Inspection as FGT KB descrition. How will CP prcedure traffic? Will it continue policy lookup for TCP traffic and will it inspect L7...... I just curious about any different from CP and FGT after disabling stateful inspection. Due to both of two production can action as L7 firewall.

0 Kudos
Ruan_Kotze
Advisor
‎2022-04-21 02:32 AM
In response to Herschel_Liang

Hi Herschel,

If I understand your question correctly, you want to know if a Check Point appliance mimics Fortinet behavior when Stateful Inspection (Allow Asymmetric Routing in FortiLanguage) is disabled?  Just to be clear, Fortigate behavior in this scenario is:
- No UTM Policy applied
- Firewall acts as a router and just forwards packets (no firewall policy lookup)

In my experience the Check Point does not act in this way - firewall policy lookups are still done and things like IPS, AppF, URLF etc. all still work, i.e. it is not disabled just because you disabled stateful inspection.  My answer is not based on any official CP documentation, but on experience with a site I inherited a while back where Stateful Inspection was disabled for some reason.

Do note that a lot of traffic will break if you disable SI, think of stateful return traffic initiated through an outbound rule that will now be dropped - also because the various threat prevention engines might not see the whole connection there will be a negative effect on the ability of the gateway to inspect the traffic.

Again, this is based on my experience and I stand to be corrected.  I will verify this in my lab later latest tomorrow and report back.

G_W_Albrecht
Legend Legend
Legend
‎2022-04-21 09:51 PM
In response to Herschel_Liang

Best put both units side by side and test the behaviour under these circumstances. But usually, customers tend to fix the asymetric routing issues...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin
Admin
‎2022-04-21 03:02 AM

After reading the article, I had to calm down a bit. Especially this part, from TCP section:

Since no policy is matched, the packet is simply forwarded based on the routing table and the Firewall acts as a router which only makes routing decision.

Wow, just wow, let enable asymmetric routing and let everything but SYN packets to pass through freely, as we just had a router and no security...

No, this is not something we do with Check Point. First, as already mentioned, you need to disable stateful inspection, to allow asymmetric traffic to be forwarded. Yet, we do match that traffic to rulebases on all FWs packets are crossing. 

What is important to note here, with asymmetric traffic, you will not be able to effectively use any blades that require Medium pass and data streaming for in-depth analysis: AC, most of IPS, and practically all TP.

The main question is, why? Why would you even do that?

Herschel_Liang
Collaborator
‎2022-04-21 03:13 AM
In response to _Val_

No, I do not want to disable stateful inspection. I just curior about workflow after disabling CP stateful inspection. Just a technical topic discussion on different L7 FWs.

0 Kudos
_Val_
Admin
Admin
‎2022-04-21 03:26 AM
In response to Herschel_Liang

You keep mentioning L7 FWs, and I am very confused. Although both vendors are capable to enforce up to L7, if your traffic is asymmetric, you cannot actually do that. Well, you still can inspect HTTP headers, which are technically L7, but you cannot expect application traffic properly, if different data packets are crossing different GWs. I have noted that already

0 Kudos
Herschel_Liang
Collaborator
‎2022-04-21 05:28 PM
In response to _Val_

 I can understand asymmetric traffic often go to different GWs. In many environments, disabled stateful inspection usually happens on a part of the traffic that is abnormal. I mean that how will CP procedure another part of normal traffic.

 

And I found something interesting: sk109405. Do it mean that L7(IPS blades) has higher priority than "Drop out of state TCP packets" option? If we want to disabled stateful inspection next time, we should disabled all L7 blades first? I am very confused.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-04-21 06:33 PM
In response to Herschel_Liang

Again, this is why we asked you to describe your specific use case in more detail.

Active-Active firewall configuration is a different discussion with this in mind.

CCSM R77/R80/ELITE
Herschel_Liang
Collaborator
‎2022-04-25 04:01 AM
In response to Chris_Atkinson

How about Active-Passive mode? How about you think sk109405? Do it mean that L7(IPS blades) has higher priority than "Drop out of state TCP packets" option? If we want to disable stateful inspection next time, we should disable all L7 blades first?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-04-25 04:34 AM
In response to Herschel_Liang

You should not disable stateful inspection, Point. If you do not like it, sell the GW 😎.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend
‎2022-04-25 06:24 AM
In response to G_W_Albrecht

Yes sir, good point : - )

0 Kudos
Douglas_Rich
Contributor
‎2023-09-12 07:38 AM
In response to G_W_Albrecht

obviously allowing out of state packets is a security risk, no need to rehash.

But to be the devils advocate, the options within Global Properties to uncheck "Drop out of state TCP packets" or set an Exception for a Gateway, do not use the word "disable", instead they say "Do not drop"
Given CP documentation has a history of being 100% literal without interpenetration, I would say you're not disabling Stateful Inspection, you're only just not dropping out of state packets.

Therefore stateful traffic would not be affected?

am i right? was the impact overstated?

 

G_W_Albrecht
Legend Legend
Legend
‎2023-09-12 07:53 AM
In response to Douglas_Rich

https://support.checkpoint.com/results/sk/sk109405

https://community.checkpoint.com/t5/Security-Gateways/Stateful-Inspection-Explained/m-p/65510#M4996

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Douglas_Rich
Contributor
‎2023-09-12 08:04 AM
In response to G_W_Albrecht

not relevant to the question

the_rock
Legend
Legend
‎2023-09-12 08:07 AM
In response to Douglas_Rich

I would agree with that statement. Disabling that option is not advisable, needless to say, but that does not "erase" stateful inspection.

Andy

0 Kudos
_Val_
Admin
Admin
‎2022-04-21 03:06 AM

Also, why asking here and not in the regular space?

0 Kudos
Herschel_Liang
Collaborator
‎2022-04-21 03:21 AM
In response to _Val_

Pay no attention..... Haha, will correct next time@@

0 Kudos
_Val_
Admin
Admin
‎2022-04-21 03:24 AM
In response to Herschel_Liang

I moved it to the general GW space, where it belongs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events