This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
melcu
Explorer
Explorer
5 hours ago

drop tcp bad checkum packets

Hello friends,

So I'm having a hard time trying to block bad tcp checksums. Here's the deal!  I have a FTP connection that transfers files from A to B. In the middle there's a Check Point firewall. From time to time some files get corrupted by bad checksums and mess a databases (as they are injected directly in some tables).

Tried to block it with Check Point using the Inspection Settings but after failed attempts I've opened a case. I was told that it works in conjunction with IPS. Well .. few weeks later here's IPS blade and threat prevention profile applied.

It doesn't give an 'octet' about my policy. FTP transfer gets bad checksums, files get corrupted, injected in database.  The funny part is that Fortinet blocks this by design , even without IPS activated.

So back to Check Point gateway, I have tried literally everything. I even wrote a small script that uses scapy and tried to generate bad checksum packets.  Other firewalls detects and block it.  Even tcpdump confirms they have bad checksums.

Checkpoint blocks other stuff like but not bad checksums.   By the way, IPS policy is set to strict and during a file transfer I intentionally injected some invalid checkum (0xFFFF).


Am I doing something wrong  here ?

Labels
0 Kudos
4 Replies
the_rock
Legend
Legend
2 hours ago

Let me test this in the lab Sunday when my colleague and I have cutover for a customer. Will update you then. 

Have a nice weekend!

Andy

0 Kudos
Lesley
Leader Leader
Leader
2 hours ago

Could this one maybe be related?

https://support.checkpoint.com/results/sk/sk180863

also are you using ftp handler on the protocol in the relevant rule? Just be sure it is plain unecrypted ftp right? 

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
54m ago
In response to Lesley

Good point, definitely could be.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
2 hours ago

Is this a check point physical appliance or VM and which version?

Please share output: ethtool -k interface

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events