melcu
Explorer

Drop TCP bad checksum packets

Hello friends,

So I'm having a hard time trying to block bad TCP checksums. Here's the deal! I have an FTP connection that transfers files from A to B. In the middle there's a Check Point firewall. From time to time some files get corrupted by bad checksums and mess up a database (as they are injected directly into some tables).

I tried to block it on Check Point using the Inspection Settings, but after failed attempts I opened a case. I was told that it works in conjunction with IPS. Well... a few weeks later, here's the IPS blade and a Threat Prevention profile applied.

It doesn't give an 'octet' about my policy. The FTP transfer gets bad checksums, files get corrupted and injected into the database. The funny part is that Fortinet blocks this by design, even without IPS activated.

So back to the Check Point gateway: I have tried literally everything. I even wrote a small script that uses scapy and tried to generate bad checksum packets. Other firewalls detect and block them. Even tcpdump confirms they have bad checksums.

Check Point blocks other stuff, but not bad checksums. By the way, the IPS policy is set to Strict, and during a file transfer I intentionally injected an invalid checksum (0xFFFF).


Am I doing something wrong here?

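As an added example (not code from the original post, and not Check Point's or scapy's code), here is a pure-Python version of the test the poster describes doing with scapy: build an IPv4/TCP segment, write either the correct checksum or a deliberately bad one (0xFFFF, as in the post) into the header, and verify it the way tcpdump does, over the IPv4 pseudo-header plus the TCP header and payload. The addresses, ports and FTP payload are constructed sample values; the block only builds and checks bytes, so putting the packet on the wire (raw socket or scapy `send()`) is still up to the reader.

```python
"""
TCP checksum builder/verifier for raw IPv4 packets.

Added example for the thread above, not code posted in it.
Assumptions (not from the thread): IPv4 only, header length taken
from the IHL field, sample addresses/ports/payload constructed here.
"""
import struct
from typing import Optional

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp_segment: bytes) -> int:
    """Checksum over pseudo-header (src, dst, zero, proto 6, TCP length)
    plus the TCP header and payload, with the checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return ones_complement_sum(pseudo + zeroed)

def split_ipv4(packet: bytes):
    """Return (src_ip, dst_ip, tcp_segment) from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[12:16], packet[16:20], packet[ihl:total_len]

def check_tcp(packet: bytes) -> dict:
    """What tcpdump -vv reports: stored checksum, expected checksum, verdict."""
    src, dst, seg = split_ipv4(packet)
    stored = struct.unpack("!H", seg[16:18])[0]
    expected = tcp_checksum(src, dst, seg)
    return {"stored": stored, "expected": expected, "ok": stored == expected}

def build_ftp_packet(payload: bytes, bad_checksum: Optional[int] = None) -> bytes:
    """Minimal IPv4/TCP packet 10.0.0.1:40000 -> 10.0.0.2:21 (constructed).
    If bad_checksum is given it is written into the TCP checksum field in
    place of the correct value, mirroring the 0xFFFF injection in the post."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 21, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    seg = tcp_hdr + payload
    csum = bad_checksum if bad_checksum is not None else tcp_checksum(src, dst, seg)
    seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    # IPv4 header: ver/ihl, tos, total length, id, DF, ttl, proto TCP, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 1, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + seg

if __name__ == "__main__":
    good = build_ftp_packet(b"USER anonymous\r\n")
    bad = build_ftp_packet(b"USER anonymous\r\n", bad_checksum=0xFFFF)
    print("good:", check_tcp(good))
    print("bad: ", check_tcp(bad))
```

One caveat worth keeping in mind while reproducing this: if the capture is taken on the sending host and the NIC has TX checksum offload enabled (`ethtool -k <interface>` shows `tx-checksumming: on`), tcpdump sees outbound segments before the NIC fills in the checksum and reports them as incorrect even though they are fine on the wire. Confirm bad checksums on the receiving side or from a mirror/span port, which is also why the NIC offload state matters for what a gateway in the path will validate.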
7 Replies
the_rock
Legend

Let me test this in the lab on Sunday, when my colleague and I have a cutover for a customer. Will update you then.

Have a nice weekend!

Andy

Lesley
Leader

Could this one maybe be related?

https://support.checkpoint.com/results/sk/sk180863

Also, are you using the FTP handler on the protocol in the relevant rule? Just to be sure, it is plain unencrypted FTP, right?

the_rock
Legend

Good point, definitely could be.

Andy

Chris_Atkinson
Employee

Is this a Check Point physical appliance or a VM, and which version?

Please share the output of: ethtool -k <interface>

CCSM R77/R80/ELITE
melcu
Explorer

So to get everything sorted:


- It's just a lame FTP transfer (tcp 21 and data on tcp 22). Not encrypted, everything is in the clear (not SFTP). The problem is that traffic with bad TCP checksums is not blocked at all, not that it's blocked by Bounce.

- It's hardware, 28600 in HA. I will ask for the ethtool output, but I can assure you that it was not modified (as I've installed those gateways). By default the Linux kernel blocks bad TCP checksums.


Now explain to the client that a Fortigate blocks it by design (even out of the box, with nothing configured on it) and Check Point with a Threat Prevention rule and Inspection Settings doesn't 🙂 I dare you to :))

Chris_Atkinson
Employee

I understand the frustration; however, we need more information in order to help. Apologies if you've been around this loop with TAC already.

The two places I'm aware of where we would tackle something like this are the Inspection Settings and the NIC level, hence the output and version info previously requested.

[Image: TCP invalid checksum.jpg]

the_rock
Legend

I forgot to update today due to a long maintenance window I had to attend, but I also checked the same in an R82 lab and I agree, those are the right settings.

Andy
