Henrik_Noerr1
Advisor

broken tcp half-closed functionality

Hey,

We have general issues with the way Check Point deals with TCP Half-Closed timers.

Today Check Point, as the only vendor I know of, follows the general TCP timer for FIN_WAIT timers. So with default timers that would be 3600s.

This brings an issue if for some reason the server does not reply to a FIN from the client, or the packet is lost somewhere.

Best seen in this diagram by Palo: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/session-settings-and-timeouts/...

So if a client sends a FIN through a firewall, it goes to "Source FIN" state - seen with i.e. "fwaccel conns" - but still with a 3600s timer. Only when and if it sees the server FIN ACK does it go to "Both FIN" with a 5s timeout by default.

Because Check Point holds the connection for an hour the risk of state errors is massive, especially for connections with a proxy, loadbalancer or other device with a lower timer. The Check Point firewall will see a SYN packet for a new connection, because all other devices have correctly aged out the connection. Waiting one hour for the last server FIN is exceedingly high.

Palo uses 120s and allows individual configuration of tcp service easily.

Cisco ASA uses 600s and allows individual configuration of tcp service easily.

Forti uses 120s and allows individual configuration of tcp service easily.

So what can we do with Check Point? I can find sk137672

So we can set the timeout globally on a firewall, but only by actively maintaining a kernel parameter 😞 - and using the horrendous gui/dbedit tool - and remembering to deviate from the Check Point default when creating new firewalls, migrating and upgrading.

Alternatively the timer can be changed by changing the default tcp timer in SmartConsole for the service - which seems like a very weird decision - Why deviate from the agreed RFC timers to control the half closed timer?

All in all - I guess I have the solution - using kernel parameters and guidb - and meanwhile try to explain to customers and management why we sometimes cause incidents, and why we spend more time maintaining this platform than others... I am simply advocating for Check Point to give us better options (and better defaults). Why not integrate this simply into the service object?

Rant out 🙂

Henrik

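As an added illustration of the timing mismatch described in the post above (example code written for this page, not code from the thread or from Check Point), here is a constructed Python model of a stateful firewall's TCP connection table. The same flow is run once with a 3600s half-closed timer and once with 120s; a SYN that reuses the 5-tuple at t=200s, after the server's FIN was lost and a 120s peer has aged the connection out, is treated as a new connection only in the second case. State names, timings and addresses are constructed for the model.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    state: str      # "ESTABLISHED", "SOURCE_FIN" or "BOTH_FIN"
    expires: float  # absolute time (seconds) at which the entry is aged out


class ConnTable:
    """Constructed model of a stateful firewall's TCP connection table; a
    simplified illustration, not Check Point's real state machine. Defaults
    follow the post: 3600s session timeout, half-closed entries held for the
    full session timeout, both-FIN entries held 5s."""

    def __init__(self, session_timeout=3600, half_closed_timeout=3600,
                 both_fin_timeout=5):
        self.session_timeout = session_timeout
        self.half_closed_timeout = half_closed_timeout
        self.both_fin_timeout = both_fin_timeout
        self.table = {}

    def packet(self, now, flow, flags):
        """Verdict for one packet: 'new', 'allow' or 'state_error'."""
        # Age out expired entries before looking the flow up.
        self.table = {k: e for k, e in self.table.items() if e.expires > now}
        entry = self.table.get(flow)
        if "SYN" in flags and "ACK" not in flags:
            if entry is not None:
                # SYN against a live entry: a peer with a shorter timer already
                # dropped the old connection and reused the 5-tuple.
                return "state_error"
            self.table[flow] = Entry("ESTABLISHED", now + self.session_timeout)
            return "new"
        if entry is None:
            return "state_error"  # non-SYN packet with no matching entry
        if "FIN" in flags and entry.state == "ESTABLISHED":
            entry.state, entry.expires = "SOURCE_FIN", now + self.half_closed_timeout
        elif "FIN" in flags and entry.state == "SOURCE_FIN":
            entry.state, entry.expires = "BOTH_FIN", now + self.both_fin_timeout
        return "allow"


def reused_tuple_scenario(half_closed_timeout):
    """Client FIN at t=10s, the server's FIN is lost, and the same 5-tuple is
    reused for a new SYN at t=200s, after a 120s peer has aged the flow out."""
    fw = ConnTable(half_closed_timeout=half_closed_timeout)
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443)  # constructed addresses
    fw.packet(0, flow, {"SYN"})
    fw.packet(10, flow, {"FIN", "ACK"})  # client FIN -> "Source FIN" state
    return fw.packet(200, flow, {"SYN"})
```

With the 3600s default the late SYN collides with the stale half-closed entry and is reported as a state error; with 120s the entry has already aged out and the SYN opens a fresh connection.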
G_W_Albrecht
Legend

Maybe do an RFE?

sk71840: How to submit a Request for Enhancement (RFE)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

Something that was discussed at CPX 2025 that's worth mentioning here: we're trying to eliminate the need to use expert mode.
This means things like kernel variables should be configurable from things that don't require expert mode.
It also means changes like this will persist across upgrades.

@Tomer_Noy I assume we are trying to eliminate the need for using guidbedit also?
