JorgenSpange
Contributor

RFC compliance drops

Hi,

We have an issue related to inspection settings and RFC-compliance.
A lot of traffic is dropped due to "Out of sequence TCP packet retransmission" and other TCP faults.
We've tried adding fw_reject_non_syn 1 to the kernel but without any luck.

For us this generates a lot of incidents because traffic that should be accepted by the firewall gets dropped. It's not easy to ask the users to reboot their services at all times either.
Therefore I'm looking for a solution where the packet is rejected and not dropped; maybe this would help the faulty service to remediate itself. Or if there are other ways to solve this in a clean manner.

The last way out is obviously to add an exception for the traffic that has troubles, but I don't want to do that as long as something is wrong with the traffic that is sent. It also seems kinda random which traffic gets impacted by this, so we would have to add a large exception in order not to handle exceptions case by case.

All help is much appreciated!


Br
Jørgen

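Before deciding whether a narrow exception is feasible, it helps to know whether the drops the original post describes actually cluster on a few flows or are spread out. The following is an added example and not part of the post or of Check Point's tooling: it parses constructed key=value drop-log lines (the layout and the field names action, reason, src, dst and service are assumptions, not Check Point's real log schema) and groups them by drop reason and by flow so repeating flows stand out.

```python
"""Triage of firewall drop logs that carry an RFC-compliance drop reason.

Added example: the log lines below are constructed, and the key=value layout
with fields action/reason/src/dst/service is an assumption for this example,
not Check Point's real log format.
"""
from collections import Counter, defaultdict
import re

# Constructed sample export. The reason strings mirror the wording quoted in
# the thread; the hosts and timestamps are made up.
SAMPLE_LOGS = """\
time=2021-05-10T08:01:02 action=drop reason="Out of sequence TCP packet retransmission" src=10.1.1.10 dst=10.2.2.20 service=443
time=2021-05-10T08:01:03 action=drop reason="Out of sequence TCP packet retransmission" src=10.1.1.10 dst=10.2.2.20 service=443
time=2021-05-10T08:01:05 action=accept reason="" src=10.1.1.11 dst=10.2.2.20 service=443
time=2021-05-10T08:02:10 action=drop reason="TCP packet out of state" src=10.1.1.12 dst=10.2.2.21 service=8080
time=2021-05-10T08:02:11 action=drop reason="Out of sequence TCP packet retransmission" src=10.1.1.10 dst=10.2.2.21 service=443
time=2021-05-10T08:03:00 action=drop reason="TCP packet out of state" src=10.1.1.12 dst=10.2.2.21 service=8080
"""

# key=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return a dict of field -> value with surrounding quotes stripped."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def triage(log_text):
    """Count drops per reason and, per reason, per (src, dst, service) flow."""
    by_reason = Counter()
    by_flow = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "drop":
            continue
        flow = (f["src"], f["dst"], f["service"])
        by_reason[f["reason"]] += 1
        by_flow[f["reason"]][flow] += 1
    return by_reason, by_flow


def exception_candidates(by_flow, min_hits=2):
    """Flows dropped repeatedly for the same reason, most frequent first.

    A single stray drop is ordinary TCP noise; a flow that keeps being dropped
    is the one to investigate on the endpoint (or to except narrowly).
    """
    out = []
    for reason, flows in by_flow.items():
        for flow, hits in flows.items():
            if hits >= min_hits:
                out.append((reason, flow, hits))
    return sorted(out, key=lambda item: -item[2])


if __name__ == "__main__":
    reasons, flows = triage(SAMPLE_LOGS)
    for reason, count in reasons.most_common():
        print(f"{count:4d}  {reason}")
    for reason, flow, hits in exception_candidates(flows):
        print(f"{hits:4d}  {flow}  <- {reason}")
```

On the constructed sample the out-of-sequence drops concentrate on one client talking to two servers, which is the kind of picture that tells you whether a per-host exception would be small or whether, as the post suspects, the affected flows are too scattered for that.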
3 Replies
G_W_Albrecht
Legend

I would rather suggest asking TAC to analyze the issue - as it is a very general post you wrote, I do not think that someone could help without any more specific details 😎

CCSE CCTE SMB Specialist
JorgenSpange
Contributor

Yeah - I guess the solution to this is general. We are experiencing a lot of dropped traffic due to packet inspection and RFC-compliance. The reason for the traffic drops is positive - something is wrong with the traffic in regard to the RFC standards and it shall be dropped.


But how can we handle these kinds of drops so that the issue is resolved and the service starts working again? Today everything stops working until the server or client is rebooted.

Timothy_Hall
Champion

RFC compliance drops are usually enforced by the Inspection Settings which are part of the Access Control policy in R80+, which is what I assume you are talking about.

While some IPS Protections perform a Drop when they are triggered and others perform a Reject by sending a TCP RST or ICMP 3/13, this decision is made by Check Point when they create the signature and you aren't allowed to change it. I would expect the same to be true for Inspection Settings, which used to be part of IPS in R77.30 and earlier. So your only current option is to either create an exception or set the entire protection to Detect; certain Inspection Settings cannot be set to Inactive at all as their purpose is inherent in the stateful inspection process.

TAC might have some secret workaround for this; you also should contact your Check Point SE and see if the Solutions Center has any custom code available that might do what you want.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
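The difference between the two enforcement actions described in the reply above (a silent Drop versus a Reject that sends a TCP RST) is what decides whether a stuck endpoint notices anything. The following is an added simulation, not Check Point code and not the reply author's: a toy firewall that treats a segment outside its expected sequence window as a violation, and a client that keeps retransmitting with exponential backoff until it either receives an RST or exhausts its retransmission budget. The window, RTO and retry limits are assumed constants chosen for illustration.

```python
"""Drop versus Reject from the sending endpoint's point of view.

Added example with constructed values: the firewall keeps an expected
sequence number and window per connection; a segment outside that window is
the "out of sequence" case. ENFORCE_DROP discards it silently, ENFORCE_REJECT
discards it and returns a TCP RST to the sender (ICMP 3/13 would play the
same role for UDP). The RTO and retry limit are assumed, not a real stack's.
"""

ENFORCE_DROP = "drop"
ENFORCE_REJECT = "reject"


def firewall(action, segment, expected_seq, window):
    """Return (forwarded, feedback).

    feedback is None when nothing goes back to the sender (drop) and "RST"
    when the firewall answers the violation with a reset (reject).
    """
    in_window = expected_seq <= segment["seq"] < expected_seq + window
    if in_window:
        return True, None
    return False, ("RST" if action == ENFORCE_REJECT else None)


def client_recovery(action, rto=1.0, max_retries=6, window=65535, expected_seq=1000):
    """Simulate a client whose idea of the connection disagrees with the firewall.

    The client re-sends data at a stale sequence number (constructed: 5000
    bytes behind what the firewall expects). Returns
    (seconds_until_client_learns_anything, segments_sent, outcome).
    """
    stale_seq = expected_seq - 5000
    elapsed = 0.0
    sent = 0
    backoff = rto
    for _ in range(max_retries + 1):
        sent += 1
        forwarded, feedback = firewall(action, {"seq": stale_seq}, expected_seq, window)
        if forwarded:
            return elapsed, sent, "forwarded"
        if feedback == "RST":
            # The endpoint tears the connection down at once and can reconnect.
            return elapsed, sent, "rst_received"
        # No feedback at all: wait one RTO, double it, try again.
        elapsed += backoff
        backoff *= 2
    return elapsed, sent, "rto_timeout"


if __name__ == "__main__":
    for action in (ENFORCE_DROP, ENFORCE_REJECT):
        print(action, client_recovery(action))
```

With a Drop the client spends the whole backoff schedule (1+2+4+...+64 seconds here) sending segments that nothing answers, and the application only sees a timeout at the end; with a Reject it learns on the first segment that the connection is dead. That is the behaviour the original poster is asking for, and the reply explains why it cannot simply be switched on per Inspection Setting.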