Risks for disabling "Drop out of state TCP packets"

May the 4th (+4)
Roadmap Session and Use Cases for
Cloud Security, SASE, and Email Security

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

Paradigm Shifts: Adventures Unleashed!
Capture Your Adventure for a Chance to WIN!

Join the Photo Contest!

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

We've just started implementing CP gateways, starting at our corporate office. We experienced issues with an old LOB app at our remote locations app that essentially does a two-way handshake then just uses pushes to keep data going to the server here. No keepalives, no fin, just data sent as gathered, which is fairly intermittent.

This engendered a lot of drops at the firewall as the state aged out. This in turn made the remote app very unhappy, and it kept crashing.

We tried lengthening the session timeout and increasing the state timeout, to no avail. Finally, CP support suggested disabling the setting for dropping out of stat tcp packets.

This does solve the problem, but it seems that doing so disables state entirely - no way that we can see to limit it to specific subnets/addresses/ports/whatever.

Is that really the case, and if it is, what are our risks in doing so? This is making me just a tad uncomfortable, and any thoughts appreciated.

One thing I've thought about is to put up a small unit (RPi or similar) in the subnets where the remote app lives and in the subnet for the corp server, and make them gateways for this specific traffic, tunneled over IPSec. I think that would work, but I'm not technically savvy enough to be sure about that. If there are other suggestions to mitigate this, or if my concern about disabling state are out of proportion to the risk, I'd love to hear about it.

Thanks,

Kurt