Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Herschel_Liang
Collaborator

How the CheckPoint behaves when cancel stateful Inspection?

0 Kudos
23 Replies
the_rock
Legend
Legend

Put it this way...if you disable stateful inspection, you might as well not even have the firewall. It would literally behave like a layer 2 device at that point.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Can you describe the use case scenario that you're trying to achieve / solve so we can better assist?

CCSM R77/R80/ELITE
0 Kudos
Herschel_Liang
Collaborator

No, do not want to ask use case scenario. I just want to know CP general behaviour when cancel stateful Inspection as FGT KB descrition. How will CP prcedure traffic? Will it continue policy lookup for TCP traffic and will it inspect L7? I just curious about any different from CP and FGT after disabling stateful inspection. Due to both of two production can action as L7 firewall.

0 Kudos
G_W_Albrecht
Legend
Legend

Best put both units side by side and test the behaviour under these circumstances. But usually, customers tend to fix the asymetric routing issues...

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend

@Chris_Atkinson makes a good point actually. If you tell us the scenario, we will have better idea how to help. By the way, the most cases I had seem where people disable stateful inspection is if you are getting "out of state packets". Honestly, thats more not even a real workaround, but really "masking" an actual issue.

Think about it like this...if packet is NOT stateful, then firewall should drop it. So really, any out of state packet tells you its not doing syn- syn ack-ack sequence.

Andy

0 Kudos
Herschel_Liang
Collaborator

No, do not want to ask use case scenario. I just want to compare CP globally behaviour after cancel stateful Inspection as FGT KB descrition. How will CP prcedure traffic? Will it continue policy lookup for TCP traffic and will it inspect L7...... I just curious about any different from CP and FGT after disabling stateful inspection. Due to both of two production can action as L7 firewall.

0 Kudos
Ruan_Kotze
Advisor

Hi Herschel,

If I understand your question correctly, you want to know if a Check Point appliance mimics Fortinet behavior when Stateful Inspection (Allow Asymmetric Routing in FortiLanguage) is disabled?  Just to be clear, Fortigate behavior in this scenario is:
- No UTM Policy applied
- Firewall acts as a router and just forwards packets (no firewall policy lookup)

In my experience the Check Point does not act in this way - firewall policy lookups are still done and things like IPS, AppF, URLF etc. all still work, i.e. it is not disabled just because you disabled stateful inspection.  My answer is not based on any official CP documentation, but on experience with a site I inherited a while back where Stateful Inspection was disabled for some reason.

Do note that a lot of traffic will break if you disable SI, think of stateful return traffic initiated through an outbound rule that will now be dropped - also because the various threat prevention engines might not see the whole connection there will be a negative effect on the ability of the gateway to inspect the traffic.

Again, this is based on my experience and I stand to be corrected.  I will verify this in my lab later latest tomorrow and report back.

G_W_Albrecht
Legend
Legend

Best put both units side by side and test the behaviour under these circumstances. But usually, customers tend to fix the asymetric routing issues...

CCSE CCTE CCSM SMB Specialist
0 Kudos
_Val_
Admin
Admin

After reading the article, I had to calm down a bit. Especially this part, from TCP section:

Since no policy is matched, the packet is simply forwarded based on the routing table and the Firewall acts as a router which only makes routing decision.

Wow, just wow, let enable asymmetric routing and let everything but SYN packets to pass through freely, as we just had a router and no security...

No, this is not something we do with Check Point. First, as already mentioned, you need to disable stateful inspection, to allow asymmetric traffic to be forwarded. Yet, we do match that traffic to rulebases on all FWs packets are crossing. 

What is important to note here, with asymmetric traffic, you will not be able to effectively use any blades that require Medium pass and data streaming for in-depth analysis: AC, most of IPS, and practically all TP.

The main question is, why? Why would you even do that?

Herschel_Liang
Collaborator

No, I do not want to disable stateful inspection. I just curior about workflow after disabling CP stateful inspection. Just a technical topic discussion on different L7 FWs.

0 Kudos
_Val_
Admin
Admin

You keep mentioning L7 FWs, and I am very confused. Although both vendors are capable to enforce up to L7, if your traffic is asymmetric, you cannot actually do that. Well, you still can inspect HTTP headers, which are technically L7, but you cannot expect application traffic properly, if different data packets are crossing different GWs. I have noted that already

0 Kudos
Herschel_Liang
Collaborator

 I can understand asymmetric traffic often go to different GWs. In many environments, disabled stateful inspection usually happens on a part of the traffic that is abnormal. I mean that how will CP procedure another part of normal traffic.

 

And I found something interesting: sk109405. Do it mean that L7(IPS blades) has higher priority than "Drop out of state TCP packets" option? If we want to disabled stateful inspection next time, we should disabled all L7 blades first? I am very confused.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Again, this is why we asked you to describe your specific use case in more detail.

Active-Active firewall configuration is a different discussion with this in mind.

CCSM R77/R80/ELITE
Herschel_Liang
Collaborator

How about Active-Passive mode? How about you think sk109405? Do it mean that L7(IPS blades) has higher priority than "Drop out of state TCP packets" option? If we want to disable stateful inspection next time, we should disable all L7 blades first?

0 Kudos
G_W_Albrecht
Legend
Legend

You should not disable stateful inspection, Point. If you do not like it, sell the GW 😎.

CCSE CCTE CCSM SMB Specialist
the_rock
Legend
Legend

Yes sir, good point : - )

0 Kudos
Douglas_Rich
Contributor

obviously allowing out of state packets is a security risk, no need to rehash.

But to be the devils advocate, the options within Global Properties to uncheck "Drop out of state TCP packets" or set an Exception for a Gateway, do not use the word "disable", instead they say "Do not drop"
Given CP documentation has a history of being 100% literal without interpenetration, I would say you're not disabling Stateful Inspection, you're only just not dropping out of state packets.

Therefore stateful traffic would not be affected?

am i right? was the impact overstated?

 

Douglas_Rich
Contributor

not relevant to the question

the_rock
Legend
Legend

I would agree with that statement. Disabling that option is not advisable, needless to say, but that does not "erase" stateful inspection.

Andy

0 Kudos
_Val_
Admin
Admin

Also, why asking here and not in the regular space?

0 Kudos
Herschel_Liang
Collaborator

Pay no attention..... Haha, will correct next time@@

0 Kudos
_Val_
Admin
Admin

I moved it to the general GW space, where it belongs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events