This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
minhhaivietnam
Collaborator
‎2019-10-22 01:30 AM

Packet replying does not match initial connection (R80.10)

Hello ,

I have a problem about checkpoint R80.10 like this:

I create a rule like below:

From IP_SOURCE to IP_DST, service : TCP_8082

pic1.png

 

But when I search log drop from DST to SRC, I saw that replying packet get dropped because CP does not see it as a replying packet; (Checkpoint think this is new connection from DST to SRC and simply drop it by cleanup rule)

pic2.png

 

So please let me know why or any step to troubleshoot it?

Thank a lot!!

 

0 Kudos
7 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-22 06:49 AM

The firewall is dropping this reply probably because it has no record of it in the state table. 

For the screenshot you provided, can you find the earlier log entry for this particular connection showing when the connection started (Accept action)?  Source port will be 36366 and destination port will be 8082 for the connection start.  To get more visibility into how these connections are starting and ending enable Accounting on the rule in the Track column which will show you how long the connection lasted and when it ended, standard logging of a connection only shows when the connection started. 

For even more info about connection state transitions see sk101221: TCP state logging.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
minhhaivietnam
Collaborator
‎2019-10-22 06:49 PM
In response to Timothy_Hall

Thank for reply Hall,

I search log from SRC to DST with port 8082,36366 

allow.png

=> see that the time is same as the time of dropped packet of replying direction(1:46:53PM) . So maybe the initial connection was closed right after it was established, then replying packet was dropped because of no connection exist. 

=> Do you agree with my guess?

 

 

0 Kudos
Matthias_Haas
Advisor
‎2019-10-23 12:29 AM
In response to minhhaivietnam

the logs are from two different FWs: DC-Internet-Fw-01 and  DC-Internet-Fw-02

may be Async Routing, misconfigured VRRP etc.

minhhaivietnam
Collaborator
‎2019-10-23 01:30 AM
In response to Matthias_Haas

Thanks Haas,

In my situation, 2 FWs are cluster with each other(using load sharing mode). How can I adjust for replying packet to go through DC-Internet-Fw-02 (same as intial direction) ?

or any solutions for this dropping?

(Now I am having to add a explicit rule to allow replying packet (from DST to SRC , service: tcp-high-port))

Thanks!!

 

 

 

0 Kudos
Matthias_Haas
Advisor
‎2019-10-23 02:24 AM
In response to minhhaivietnam

just curious: is the packet droped because of "out of state" or just by the cleanup rule ?

or did you disable to drop out of state packets:

 

out-of-state.png

0 Kudos
minhhaivietnam
Collaborator
‎2019-10-23 02:49 AM
In response to Matthias_Haas

Hi,

It is dropped by cleanup rule (as pic in #1 my post)

Here is my screen (already disable drop out of state)

global.png

 

 

0 Kudos
Benedikt_Weissl
Advisor
‎2019-10-23 07:02 AM
In response to minhhaivietnam

You can enable the Sticky Decision Function, but be careful, this will disable SecureXL.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events