Hunting Malware Using Memory Forensics
Join us on June 26th at 5:00 PM CET
CheckMates Toolbox Contest 2024
Make Your Submission for a Chance to WIN up to $300 Gift Card!
Harmony Endpoint:
Packing a Punch in 2024
CPX 2024 Content
is Here!
Harmony SaaS
The most advanced prevention
for SaaS-based threats
CheckMates Go:
The Difference Is In The Details
Those captures when combined show both directions but they are for different TCP connections (source port numbers do not match) so the ability to determine what is wrong is limited. I need to see a single capture that has all the packets in both directions for a single connection. So I'll ask again: how are you taking this capture?
It looks like the SYN-ACK is reaching the gateway but being dropped for some reason; I don't see anything wrong with the SYN-ACK itself so it must be a stateful inspection thing that is dropping it. Search your logs for "out of state" drops or run fw ctl zdebug drop.
If this is a high volume transaction without sufficiently diverse source ports, it is possible the occasional failures could be due to source port reuse, see here: sk24960: "Smart Connection Reuse" feature modifies some SYN packets
I'm not willing to speculate further without a full capture of both directions for the same connection. Is this traffic subject to NAT?
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
