This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JorgenSpange
Contributor
‎2021-12-10 02:22 AM

RFC compliance drops

Hi,

We have an issue related to inspection settings and RFC-compliance.
Alot of traffic is dropped due to Out of sequence TCP packet retransmission and other tcp faults.
We've tried adding fw_reject_non_syn 1 to the kernel but without any luck.

For us this generates alot of incidents because traffic that should be accepted in the firewall, gets dropped. It's not easy to ask the users to reboot their services either at all times.
Therefore I'm looking for a solution where the packet is reject and not dropped, maybe this would help the faulty service to remediate itself. Or if there's other ways to solve this in a clean manner.

The last way out is obviously to add an exception for the traffic that has troubles, but don't want to do that as long as something is wrong with the traffic that is sent. It also seems that there is kinda random which traffic that gets impacted by this, so we would have to add a large exception for us not to handle exceptions case by case.

All help is much appreciated!

 

Br
Jørgen

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-12-10 04:32 AM

I would rather suggest to ask TAC to analyze the issue - as it is a very general post you wrote, i do not think that someone could help without any more specific details 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JorgenSpange
Contributor
‎2021-12-10 04:48 AM
In response to G_W_Albrecht

Yeah - I guess the solution to this is general. We are experiencing alot of dropped traffic due to packet inspection and RFC-compliance. The reason for the traffic drops is positive - something is wrong with the traffic in regard to the RFC-standards and shall be dropped.

 

But how can we handle these kind of drops so that the issue is resolved and that the service starts working again. Today everything stops working until the server or client is rebooted.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-12-10 07:07 AM

RFC compliance drops are usually enforced by the Inspection Settings which are part of the Access Control policy in R80+, which is what I assume you are talking about.

While some IPS Protections perform a Drop when they are triggered and others perform a Reject by sending a TCP RST or ICMP 3/13, this decision is made by Check Point when they create the signature and you aren't allowed to change it.  I would expect the same to be true for Inspection Settings which used to be part of IPS in R77.30 and earlier.  So your only current option is to either create an exception or set the entire protection to Detect; certain Inspection Settings cannot be set to Inactive at all as their purpose is inherent in the stateful inspection process.

TAC might have some secret workaround for this; you also should contact your Check Point SE and see if the Solutions Center has any custom code available that might do what you want.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events