This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
alliki
Explorer
‎2022-11-25 05:13 AM

Packets get drop

Hi all, 

After running fw ctl zdebug + drop I am getting something like this: 

[cpu_1];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Monitored Spoofed;
[cpu_1];[fw4_0];cphwd_notif_packet_dropped: notification holds a single drop;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 ip -> ip:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
[cpu_1];[SIM-205643047];sim_pkt_send_drop_notification: (0,0) received drop, reason: Monitored Spoofed, conn: <.............>;
[cpu_1];[SIM-205643047];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <...................>;
[cpu_1];[SIM-205643047];sim_pkt_send_drop_notification: sending single drop notification, conn: <......>;
cpu_1];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Monitored Spoofed;
[cpu_1];[fw4_0];cphwd_notif_packet_dropped: notification holds a single drop;

 

Any idea how to fix this or what caused the problem? 

0 Kudos
1 Reply
the_rock
Legend
Legend
‎2022-11-25 08:33 AM

Ok, lets start with basics...what is the exact issue and when did it happen? Did related traffic work for a long time before this? Lets assume affected IP addresses are 1.1.1.1 and 2.2.2.2...you can try something like below and see what you get. Usually, first packet isnt syn means something related to assymetric routing and connection not completing properly.

fw monitor -e "accept host(1.1.1.1) and host(2.2.2.2);"

fw monitor -e "accept host(1.1.1.1) or host(2.2.2.2);"

fw monitor -F '1.1.1.1,0,2.2.2.2,0,0' -F '2.2.2.2,0,1.1.1.1,0,0'  -> this is the idea...source IP, port, dst IP, port, protocol

fw ctl zdebug + drop | grep 1.1.1.1 | grep 2.2.2.2

Let us know if you can do those and send it over or if any info is private, just blur it out.

Cheers,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top