This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
umar7
Contributor
‎2023-01-20 12:50 AM

first tcp syn packet is failed

 
0 Kudos
10 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-01-20 01:30 AM

Which versions/ JHF is the system in question?

Generally speaking this topic has been covered extensively here previously even including recent hotfixes / half-closed timer settings for similar

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-01-20 02:40 AM

I would consult TAC as this is VSX  and First packet isn't syn rather sounds like a config error !

See sk117374:

It is possible to override the "Out of State" settings in the Global Properties on the Security Gateway by changing the values of the relevant kernel parameters on-the-fly.

The above procedure is only temporary and will not survive a reboot, restart of Check Point services (cpstop;cpstart, or cprestart), or policy installation.

While it is possible to make this setting permanent, this is strongly disapproved ! Why ? You will only cover an error in configuration that better is generally fixed, and sk117374 adds:

The implications of changing the TCP and ICMP out of state inspection settings should be fully understood before altering them.

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-01-20 06:37 AM

I agree with @G_W_Albrecht , probably better to consult with TAC as its VSX.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-20 11:50 AM

You're making a change in a way that is not persistent.
You can disable it for a specific VS (or gateway) using: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As noted here, this is generally not recommended and has some security implications.
It's better to configure a specific exception (versus disabling this globally for the gateway) using this procedure: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
umar7
Contributor
‎2023-01-24 10:57 PM
In response to PhoneBoy

thanks for the responce guys

 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-02-08 05:27 AM

Did you contact TAC or how did you proceed after the discussion here ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
umar7
Contributor
‎2023-02-08 05:37 AM
In response to G_W_Albrecht

hello @G_W_Albrecht ,

i have created the checkpoint TAC case we are working on it.

the_rock
Legend
Legend
‎2023-02-08 06:05 AM
In response to umar7

Hey @umar7 , just wondering, did you put the value in $FWDIR/boot/modules/fwkern.conf file and save, as that makes it permanent even after reboot.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/Ker...

 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-02-08 06:21 AM
In response to the_rock

I hope he did not do that - the security implications would make this a solution for LAB only...

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-02-08 06:23 AM
In response to G_W_Albrecht

I agree. The only reason I said that is because @umar7 mentioned the setting keeps reverting back, so change I mentioned would make it permanent. The issue should be fixed so packets out of state are indeed dropped, as they should be.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events