Prashan_Attanay
Collaborator

Packets get drop

Jump to solution

What is the reason this happens?

;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 x.x.x.x:30730 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:30731 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 y.y.y.y:37020 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 y.y.y.y:37021 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;

Accepted Solutions
KennyManrique
Advisor

Stateful Inspection checks.

It means the first packet of a TCP session (proto=6) traversing the firewall isn't the synchronization packet (the first of the TCP three-way handshake), so, because of this, the firewall drops the packet.

By default, Check Point Firewall is configured to drop out of state TCP Packets (Global Properties -> Stateful Inspection->Drop Out of state TCP Packets is checked)

You can completely disable the TCP out of state drops:

  1. By unchecking the option on Stateful Inspection and installing policy
  2. By adding an exception to Drop out of state TCP on Stateful Inspection and selecting the Firewall (also requires install policy).
  3. Executing the following command on the gateway in expert mode to disable on the fly: "fw ctl set int fw_allow_out_of_state_tcp 1" (does not survive a reboot).

You can follow this SK as a workaround for allowing out of state packets to some traffic only: SmartView Tracker shows multiple logs for dropped 'TCP out of state' packets with various ... 

Regards

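As an added illustration (not code from this thread or from Check Point), the script below models the check named in the drop lines and gives a small triage parser for the fw_log_drop_ex format pasted in the question. The log layout is taken from the quoted lines; the kernel parameter name fw_allow_out_of_state_tcp comes from the accepted answer and is modelled here as a plain boolean. The connection-table model, the flag representation and the extra sample packets are assumptions for illustration only.

```python
"""
Added example: a toy model of the 'First packet isn't SYN' stateful check and a
triage parser for the fw_log_drop_ex lines quoted in the question.
Assumptions: log format exactly as pasted in the thread; the
fw_allow_out_of_state_tcp switch from the accepted answer is modelled as a bool.
The connection table and packet flags below are simplified, not Check Point's.
"""
import re
from collections import Counter, defaultdict

# Sample lines copied from the question (addresses already masked there).
SAMPLE_LINES = [
    ";[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 x.x.x.x:30730 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;",
    ";[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:30731 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;",
    ";[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 y.y.y.y:37020 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;",
    ";[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 y.y.y.y:37021 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;",
]

# Regex built from the format of those lines (constructed for this example).
DROP_RE = re.compile(
    r";\[(?P<cpu>cpu_\d+)\];\[(?P<inst>fw4_\d+)\];fw_log_drop_ex: "
    r"Packet proto=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) dropped by (?P<check>\w+) Reason: (?P<reason>[^;]+);"
)


def parse_drop(line):
    """Return the fields of one fw_log_drop_ex line, or None if it does not match."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport"):
        d[k] = int(d[k])
    return d


def summarize(lines):
    """Group drops by (src, dst, dport, reason) and count distinct source ports.

    Many distinct source ports from one client to one service means a burst of
    separate connections is failing the check, not a single broken session.
    """
    counts = Counter()
    sports = defaultdict(set)
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        key = (d["src"], d["dst"], d["dport"], d["reason"])
        counts[key] += 1
        sports[key].add(d["sport"])
    return {k: {"drops": n, "distinct_sports": len(sports[k])} for k, n in counts.items()}


class FirstPacketCheck:
    """Toy model of the check the log names (fw_first_packet_state_checks).

    A TCP packet with no entry in the connection table is accepted only if it
    is a pure SYN (start of the three-way handshake), unless the out-of-state
    override is on. The override stands in for the accepted answer's
    'fw ctl set int fw_allow_out_of_state_tcp 1'; the table itself is assumed.
    """

    def __init__(self, allow_out_of_state_tcp=False):
        self.allow_out_of_state_tcp = allow_out_of_state_tcp
        self.connections = set()  # 5-tuples the gateway already tracks

    def inspect(self, src, sport, dst, dport, flags):
        key = (6, src, sport, dst, dport)
        if key in self.connections:
            return "accept"  # mid-session packet of a tracked connection
        is_syn = flags == {"SYN"}
        if is_syn or self.allow_out_of_state_tcp:
            self.connections.add(key)
            return "accept"
        return "drop: First packet isn't SYN"


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LINES).items():
        print(key, stats)
    fw = FirstPacketCheck()
    print(fw.inspect("10.0.0.1", 40000, "10.2.200.50", 80, {"ACK"}))
```

Running it over the four quoted lines shows two sources, each with two consecutive source ports, all failing the same check on 10.2.200.50:80, which is the pattern of fresh connections whose SYN the gateway never saw (the answer's "out of state" case) rather than one session timing out.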

9 Replies

Prashan_Attanay
Collaborator

Thank you for your explanation 

Sven_Glock
Advisor

Is it possible that "2." is not supported for VSX in R80.10?

PhoneBoy
Admin

Not as far as I know.

What makes you think it isn't?

Sven_Glock
Advisor

I tried it in an environment where only virtual systems are available.

Here I am not able to select a gateway when adding a new gateway to TCP Out of state exceptions...

PhoneBoy
Admin

Oh, you're talking about exceptions, which, true, might not be supported on a VS. 

Sven_Glock
Advisor

Good to know, thanks Dameon!

Is there another way to disable stateful inspection on a single virtual system?

1. would impact other policies and 3. seems not to work with virtual systems, too.

PhoneBoy
Admin

You'll need to contact the TAC to see if you can get a hotfix for the following: Option to allow out of state packets per VS 

Sven_Glock
Advisor

Hey Dameon,

thanks for this advice.

I will check this out and keep you posted.

Thanks

Sven
