This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ChoiYunSoo
Contributor
‎2023-08-18 01:53 AM

SMTP Packet Drop

Hi

 

Has anyone ever experienced SMTP sessions dropping?

 

After upgrading the customer's management server OS (R80.10 to R80.40) recently, we are experiencing SMTP packets being dropped.

What is unusual is that there were no policy or other option modifications, and the gateway remains at the original R80.10 version.

 

As a detailed symptom, the customer's firewall consists of only two interfaces.
And when I run tcpdump on the firewall, I see Syn packets on the inside interface, but I don't see packets going out on the outside interface.

I'm expecting the firewall to randomly drop packets.

 

Another peculiarity was that the service was normalized when the policy was installed without any modification on the management server.

So I'm thinking it's more likely a firewall and mail server or L4 managed session issue rather than policy or firewall logic.

 

Are there any settings that can affect firewall sessions in the R80.10 and R80.40 management servers? For example, such as the Inspection Setting part or Virtual Session timeout

 

PS

I want to execute the 'fw ctl zdebug + drop' command, but I am afraid that secondary problems will occur due to performance load, so I am not able to proceed.

Firewalls usually flow about 6 to 10 Gbps of traffic.

 

 

Thanks regards

 

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2023-08-18 05:43 AM

You can safely run zdebug command, it definitely would not cause any load on the firewall. By the way, I also suspect something either with inspection settings or possibly IPS.

 

0 Kudos
ChoiYunSoo
Contributor
‎2023-09-08 02:20 AM
In response to the_rock

When migrating from R80.10 to 80.40, there are changes in the implied_rule.def and communicated.def files.

However, I am not sure if this was changed intentionally by someone or if the logic changed as the version changed.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-18 06:45 AM

Keep in mind R80.10 is End of Support and R80.40 is about to be End of Support.
R81.20 is the current recommended release.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events