This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fewizz_
Explorer
Tuesday

Strangeness with UDP packets filtering by src port

Good day!

I have virtual CheckPoint - Open Server, SMS + SG R81.20 take 634 with Jumbo take 98 installed, with interfaces/topology:

image.png



Then I have 2 access rules (ignore first 2):
1. Drop, UDP service: dst port - 1-65535, src port - 5566
2. Accept, any

image.png
image.png

Example case:
Traffic is sent by host 1.0.0.2, consists of 10 UDP packets, src IP - 1.0.0.1X, dst IP - 2.0.0.2, src MACs are randomized, dst MAC is MAC of eth0; ports used for packets:
src port dst port
  3745      8823
  5566      8823
  2346      8899
  1026      7478
  5566      8899
  9328      8899
  5566      5478
  5566      8899
  1239      2348
  8345      8899

We expect that 4 packets should be dropped (with src port = 5566) and 6 packets should be accepted

In reality, sometimes first access rule (according to logs) drops other packets too. Amount of falsely dropped packets varies - from 0 (i.e., works as expected) to 4 (worst case yet)

image.png

Notes:
* Looks like it doesn't depend on Topology choosen for eth0 and eth1 (tried other variants)
* It works just fine if there are no repeating dst ports (like 8899 and 8823 in the example above)
* Doesn't look like sending those packets with time gap changes anything (tried from 1 ms to 1 s)

Question is - is this expected?
And if so, where can i learn why this happens?

Thank you.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
Tuesday

We track connections via five-tuple (IP protocol. Source IP, Source Port, Destination IP, destination port).
You are repeating the usage of source ports for both the source and destination in a short period of time, which means it looks like the same connection attempt.
These logs are suppressed per the "Excessive Log Grace Period" set in Global Properties.

image.png

This is expected behavior
In any case, you should be able to confirm with a tcpdump or similar the traffic is not getting through the firewall.

0 Kudos
fewizz_
Explorer
Tuesday
In response to PhoneBoy

Thank you for the response!

I should have clarified (sorry for that) that `X` in src IP 1.0.0.1X varies from 0 to 9 for all 10 packets,

i. e. there should be collisions no between five-tuples:

image.png

, so I don't think that `Excessive log grace period` option is related

And traffic is actually getting through (listening on 2.0.0.2):

image.png

Dropped packets:

image.png

Example of falsely dropped packet:

image.png

0 Kudos
PhoneBoy
Admin
Admin
yesterday
In response to fewizz_

I assume the reason this is happening is a bug of some sort.
Your best bet is to open a TAC case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events