Hello friends,
So I'm having a hard time trying to block bad TCP checksums. Here's the deal! I have an FTP connection that transfers files from A to B. In the middle there's a Check Point firewall. From time to time some files get corrupted by bad checksums and mess up a database (as they are injected directly in some tables).
Tried to block it with Check Point using the Inspection Settings but after failed attempts I've opened a case. I was told that it works in conjunction with IPS. Well .. few weeks later here's IPS blade and threat prevention profile applied.
It doesn't give an 'octet' about my policy. FTP transfer gets bad checksums, files get corrupted, injected in database. The funny part is that Fortinet blocks this by design, even without IPS activated.
So back to Check Point gateway, I have tried literally everything. I even wrote a small script that uses scapy and tried to generate bad checksum packets. Other firewalls detect and block it. Even tcpdump confirms they have bad checksums.
Checkpoint blocks other stuff like but not bad checksums. By the way, IPS policy is set to strict and during a file transfer I intentionally injected some invalid checksum (0xFFFF).
Am I doing something wrong here?
Let me test this in the lab Sunday when my colleague and I have cutover for a customer. Will update you then.
Have a nice weekend!
Andy
Could this one maybe be related?
https://support.checkpoint.com/results/sk/sk180863
Also, are you using the FTP handler on the protocol in the relevant rule? Just be sure it is plain unencrypted FTP, right?
Good point, definitely could be.
Andy
Is this a Check Point physical appliance or VM, and which version?
Please share output: ethtool -k <interface>
So to get everything sorted:
- It's just a lame FTP transfer (tcp 21 and data on tcp22). Not encrypted, everything is clear (not SFTP). The problem is that traffic is not blocked at all with bad TCP checksums, not that it's blocked by Bounce.
- It's hardware, 28600 in HA. I will ask for ethtool output but I can assure you that it was not modified (as I've installed those gateways). By default Linux kernel blocks tcp checksums.
Now explain to the client that a Fortigate blocks by design (even out of the box, no nothing on it) and checkpoint with Threat Prevention rule and Inspection doesn't 🙂 I dare you to :))
Understand the frustration, however we need more information in order to help; apologies if you've been around this loop with TAC already.
The two places I'm aware of that we would tackle something like this are via the inspection settings and the NIC level, hence the output & version info previously requested.
I forgot to update today, due to a long maintenance window I had to attend, but I also checked the same in an R82 lab and I agree, those are the right settings.
Andy