
Monitor mode and out of state traffic

Hi all,

As part of the global move to secure internal networks, my customer requires all of his internal network traffic to go through a firewall.
Before we get to setup an actual firewall and take over routing, we need to get a better overview of VLAN to VLAN traffic, and get some numbers to help with sizing.
To that effect, among other things, I've been running an open server Check Point firewall in monitor mode for the last few days.
All of the site's traffic, currently handled by the 2 core "brouters", is now mirrored to two 10G monitor ports on the open server firewall.
This is working pretty well, and I started building a policy, watching what ends up in the cleanup rule and adding new rules above.

Now the problem is I get a lot of log entries with reversed source and destination, i.e. with incorrect TCP/UDP session state.

This is likely due to the packet capture on the routers: traffic captured on various ports is not guaranteed to be reunited in order.
I looked for guidance on how to deal with that situation in every Check Point resource I could find, with no solution so far.
sk101670 has instructions for "better process(ing of) packets that arrive in the wrong/not normal order", but it's for a multiqueue-specific issue, while MQ is not even available on my old NetXen NIC.
I enabled fw_tap_enable and psl_tap_enable anyway, but not sure it's really helping, except that being out-of-state is not causing packets to be "dropped" (well, it's monitor mode, so everything is actually ignored/dropped of course).

This is not a big deal, I'm not running an actual firewall yet, but I still wish I could show a clean "working" policy to my customer before he even gets to buy the real thing, for the wow effect.

Is this out of order issue something to expect when running in monitor mode?
Is there something I can do about it?

2 Replies

My gut feeling is that if you put the traffic through your firewall and there is no asynchronous traffic passing through the switch or router, then Check Point will not drop the traffic. Again, it all depends on whether you have enforced anti-spoofing on each Check Point interface. If, in the worst case, the issue arises, then fw monitor will be your savior to identify the ingress and egress interfaces and troubleshoot accordingly.

Thanks and Regards,
Blason R

Sure, I'm not worried about what will happen once I move to real firewalls and take over routing.
This is obviously an issue with current network architecture, port mirroring and monitor mode.

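The reversed source/destination entries described in the original post are a property of the mirrored feed, not of the policy: when the SYN-ACK arrives on one mirror port before the SYN arrives on the other, the first packet the gateway logs for that conversation has client and server swapped. Until routing moves onto a real firewall, the practical fix is to post-process the exported logs so that both directions of a conversation are merged and oriented client-to-server before counting them for rule-building and sizing. The script below is an added example written for this thread; it is not Check Point code and does not use Check Point's log format. The key=value lines, the field names (src, sport, dst, dport, proto, flags) and the packet counts are all constructed. A bare SYN fixes the client side unambiguously; where no SYN was captured (UDP, or a SYN lost on the mirror) it falls back to the assumption that the endpoint with the lower port number is the server, and labels those flows as heuristically oriented so they can be double-checked.

```python
"""Merge and orient mirrored-capture log entries client -> server.

Added example for this thread; not Check Point's log format or tooling.
All sample lines below are constructed in a hypothetical key=value layout.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample. For the first conversation the server's SYN-ACK was
# mirrored before the client's SYN, so the first logged entry is reversed.
SAMPLE_LOG = """\
time=1 proto=tcp src=10.1.20.15 sport=443 dst=10.1.10.7 dport=51512 flags=SA
time=1 proto=tcp src=10.1.10.7 sport=51512 dst=10.1.20.15 dport=443 flags=S
time=1 proto=tcp src=10.1.10.7 sport=51512 dst=10.1.20.15 dport=443 flags=A
time=2 proto=tcp src=10.1.10.8 sport=40022 dst=10.1.30.4 dport=22 flags=S
time=2 proto=tcp src=10.1.30.4 sport=22 dst=10.1.10.8 dport=40022 flags=SA
time=3 proto=udp src=10.1.40.9 sport=53 dst=10.1.10.7 dport=55000 flags=
time=3 proto=udp src=10.1.10.7 sport=55000 dst=10.1.40.9 dport=53 flags=
"""


@dataclass
class Flow:
    client: str
    server: str
    proto: str
    dport: int
    packets: int = 0
    first_seen_reversed: bool = False  # first logged packet had src/dst swapped
    orientation: str = "syn"           # "syn" if fixed by a bare SYN, else "heuristic"


def parse_line(line):
    """Parse one hypothetical key=value log line into a dict (ports as ints)."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def bidir_key(rec):
    """Direction-independent conversation key: protocol plus both endpoints, sorted."""
    ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return (rec["proto"], ends[0], ends[1])


def orient(records):
    """Return (client endpoint, how it was decided) for one conversation."""
    for r in records:
        if r["flags"] == "S":  # bare SYN: its sender is unambiguously the client
            return (r["src"], r["sport"]), "syn"
    # No SYN captured (UDP, or the SYN was lost on the mirror). Assumption:
    # the endpoint with the lower port number is the server. Flagged as heuristic.
    r = records[0]
    a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
    return (a if a[1] > b[1] else b), "heuristic"


def normalize_flows(log_text):
    """Group both directions of each conversation and orient it client -> server."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[bidir_key(rec)].append(rec)
    flows = {}
    for key, recs in groups.items():
        client, how = orient(recs)
        first = recs[0]
        if (first["src"], first["sport"]) == client:
            server, reversed_first = (first["dst"], first["dport"]), False
        else:
            server, reversed_first = (first["src"], first["sport"]), True
        flows[(client[0], server[0], key[0], server[1])] = Flow(
            client=client[0], server=server[0], proto=key[0], dport=server[1],
            packets=len(recs), first_seen_reversed=reversed_first, orientation=how)
    return flows


def rule_candidates(flows):
    """Aggregate per (server, proto, dport): distinct client count and packets, busiest first."""
    agg = defaultdict(lambda: [set(), 0])
    for f in flows.values():
        entry = agg[(f.server, f.proto, f.dport)]
        entry[0].add(f.client)
        entry[1] += f.packets
    return sorted(((s, p, d, len(c), n) for (s, p, d), (c, n) in agg.items()),
                  key=lambda t: (-t[4], t[0]))


if __name__ == "__main__":
    flows = normalize_flows(SAMPLE_LOG)
    for f in flows.values():
        tag = " (first packet seen reversed)" if f.first_seen_reversed else ""
        print(f"{f.client} -> {f.server} {f.proto}/{f.dport} pkts={f.packets} "
              f"oriented by {f.orientation}{tag}")
    for row in rule_candidates(flows):
        print("rule candidate (server, proto, dport, clients, packets):", row)
```

Run against a real export, replace `parse_line` with whatever field layout the exported logs actually have; everything else only needs source, destination, ports, protocol and TCP flags. Flows tagged `heuristic` are the ones to verify by hand before they become rules, and `first_seen_reversed` tells you how much of the cleanup-rule noise was mirror reordering rather than genuinely unexpected traffic. None of this changes what the gateway does with the packets; it only cleans the evidence the policy is being built from.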


