As part of the global move to secure internal networks, my customer requires all of his internal network traffic to go through a firewall.
Before we get to set up an actual firewall and take over routing, we need to get a better overview of VLAN to VLAN traffic, and get some numbers to help with sizing.
To that effect, among other things, I've been running an open server Check Point firewall in monitor mode for the last few days.
All of the site's traffic, currently handled by the 2 core "brouters", is now mirrored to two 10G monitor ports on the open server firewall.
This is working pretty well, and I started building a policy, watching what ends up in the cleanup rule and adding new rules above.
Now the problem is I get a lot of log entries with reversed source and destination, i.e. with incorrect TCP/UDP session state.
This is likely due to the packet capture on the routers: traffic captured on various ports is not guaranteed to be reunited in-order.
I looked for guidance on how to deal with that situation in every Check Point resource I could find, with no solution so far.
sk101670 has instructions for "better process(ing of) packets that arrive in the wrong/not normal order", but it's for a multiqueue-specific issue, while MQ is not even available on my old NetXen NIC.
I enabled fw_tap_enable and psl_tap_enable anyway, but not sure it's really helping, except that being out-of-state is not causing packets to be "dropped" (well, it's monitor mode, so everything is actually ignored/dropped of course).
This is not a big deal, I'm not running an actual firewall yet, but I still wish I could show a clean "working" policy to my customer before he even gets to buy the real thing, for the wow effect.
Is this out-of-order issue something to expect when running in monitor mode?
Is there something I can do about it?
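To illustrate the mechanism described in the post (mirrored traffic from several ports arriving out of order, so a session gets logged with source and destination swapped), here is an added example that is not part of the post and is not Check Point's code: a naive session tracker that trusts arrival order beside a flag-aware one that derives the client from the SYN / SYN-ACK pair. Addresses, ports and the packet model are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "PA" = PSH-ACK


def flow_key(p: Pkt) -> tuple:
    """Direction-independent 4-tuple so both halves of a flow share one session."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def first_packet_tracker(packets) -> Dict[tuple, Optional[Tuple[Endpoint, Endpoint]]]:
    """Naive tracker: the first packet seen for a flow defines client -> server.
    Fine on an in-line, in-order feed; wrong when the mirror delivers the
    server's SYN-ACK before the client's SYN, which logs the session reversed."""
    sessions: Dict[tuple, Optional[Tuple[Endpoint, Endpoint]]] = {}
    for p in packets:
        sessions.setdefault(flow_key(p), ((p.src, p.sport), (p.dst, p.dport)))
    return sessions


def handshake_tracker(packets) -> Dict[tuple, Optional[Tuple[Endpoint, Endpoint]]]:
    """Flag-aware tracker: the bare-SYN sender is the client and the SYN-ACK
    sender is the server, whichever arrives first. Flows whose handshake was
    never captured stay None rather than being guessed from arrival order."""
    sessions: Dict[tuple, Optional[Tuple[Endpoint, Endpoint]]] = {}
    for p in packets:
        k = flow_key(p)
        if p.flags == "S":
            sessions[k] = ((p.src, p.sport), (p.dst, p.dport))
        elif p.flags == "SA":
            sessions[k] = ((p.dst, p.dport), (p.src, p.sport))
        else:
            sessions.setdefault(k, None)
    return sessions


# Constructed sample: one HTTPS handshake between two VLANs (hypothetical hosts).
CLIENT, SERVER = ("10.1.10.20", 51000), ("10.1.20.5", 443)
IN_ORDER = [Pkt(*CLIENT, *SERVER, "S"), Pkt(*SERVER, *CLIENT, "SA"), Pkt(*CLIENT, *SERVER, "A")]
# The same three packets as two mirror ports might deliver them: SYN-ACK first.
MIRROR_ORDER = [IN_ORDER[1], IN_ORDER[0], IN_ORDER[2]]
```

Running both trackers over MIRROR_ORDER shows the naive one reporting the server as the initiator while the handshake-aware one still reports the client; the same idea (decide direction from handshake flags, not from arrival order) is what to look for in any monitor-mode log review.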