This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Prashan_Attanay
Collaborator
‎2017-10-18 12:41 AM
Jump to solution

Packets get drop

what is the reason for happen this ?

;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 x.x.x.x:30730 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:30731 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 y.y.y.y:37020 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 y.y.y.y:37021 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;

1 Solution

Accepted Solutions
KennyManrique
Advisor
‎2017-10-18 02:55 PM
Jump to solution

Stateful Inspection checks.

It means the first packet of a TCP session (proto=6) traversing the firewall isn't the syncronization packet (first of the three way handshake of TCP) so because of this, the firewall drops the packet.

By default, Check Point Firewall is configured to drop out of state TCP Packets (Global Properties -> Stateful Inspection->Drop Out of state TCP Packets is checked)

You can completely disable the TCP out of state drops:

  1. By unchecking the option on Stateful Inspection and installing policy
  2. By adding an exception to Drop out of state TCP on Stateful Inspection and selecting the Firewall (also requires install policy).
  3. Executing the following command on the gateway in expert mode to disable on the fly: "fw ctl set int fw_allow_out_of_state_tcp 1" (Does not survive a reboot) .

You can follow this sk as workaround for allowing out of state packets to some traffic only: SmartView Tracker shows multiple logs for dropped 'TCP out of state' packets with various ... 

Regards

View solution in original post

9 Replies
KennyManrique
Advisor
‎2017-10-18 02:55 PM
Jump to solution

Stateful Inspection checks.

It means the first packet of a TCP session (proto=6) traversing the firewall isn't the syncronization packet (first of the three way handshake of TCP) so because of this, the firewall drops the packet.

By default, Check Point Firewall is configured to drop out of state TCP Packets (Global Properties -> Stateful Inspection->Drop Out of state TCP Packets is checked)

You can completely disable the TCP out of state drops:

  1. By unchecking the option on Stateful Inspection and installing policy
  2. By adding an exception to Drop out of state TCP on Stateful Inspection and selecting the Firewall (also requires install policy).
  3. Executing the following command on the gateway in expert mode to disable on the fly: "fw ctl set int fw_allow_out_of_state_tcp 1" (Does not survive a reboot) .

You can follow this sk as workaround for allowing out of state packets to some traffic only: SmartView Tracker shows multiple logs for dropped 'TCP out of state' packets with various ... 

Regards

Prashan_Attanay
Collaborator
‎2017-10-20 01:14 PM
In response to KennyManrique
Jump to solution

Thank you for your explanation 

0 Kudos
Sven_Glock
Advisor
‎2018-08-03 09:59 AM
Jump to solution

Is it possible that "2." is not supported for vsx in R80.10?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-03 10:20 AM
In response to Sven_Glock
Jump to solution

Not as far as I know.

What makes you think it isn't?

0 Kudos
Sven_Glock
Advisor
‎2018-08-03 10:26 AM
In response to PhoneBoy
Jump to solution

I tried it in an environment where only virtual systems are available.

Here I am not able to select a gateway when adding a new gateway to TCP Out of state exceptions...

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-03 10:38 AM
In response to Sven_Glock
Jump to solution

Oh, you're talking about exceptions, which, true, might not be supported on a VS. 

0 Kudos
Sven_Glock
Advisor
‎2018-08-05 12:10 AM
In response to PhoneBoy
Jump to solution

Good to know, thanks Dameon!

Is there an other way to disable stateful inspection on a single virtual system?

1. would impact other policies and 3. seems not to work with virtual systems, too.

PhoneBoy
Admin
Admin
‎2018-08-13 07:26 PM
In response to Sven_Glock
Jump to solution

You'll need to contact the TAC to see if you can get a hotfix for the following: Option to allow out of state packets per VS 

Sven_Glock
Advisor
‎2018-08-13 10:27 PM
In response to PhoneBoy
Jump to solution

Hey Dameon,

thanks for this advice.

I will check this out and keep you posted.

Thanks

Sven

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events