Chinmaya_Naik
Advisor

Hello @PhoneBoy ,

Thank you so much for your reply and for appreciating my analysis! I’m @Chinmaya_Naik, so your feedback means a lot to me. I agree with your point about "trust but verify" and using tools like tcpdump, fw monitor, or Wireshark to double-check what the logs say. I’ll try running tcpdump to capture traffic on ports 1524 and 1525 to confirm that the URG flag is stripped but the traffic still goes through, as you suggested.

I also see the similarity with sk113479, where logs say "Connection terminated" due to insufficient data, even when it’s not a big problem. It’s great to know this is a known pattern, but I think it shows we need better logs to avoid confusion. While verifying with tools is a good practice, I believe Checkpoint could make things easier for beginners like me by improving the log messages.

For example, in my case, the log says "Traffic Dropped" for ports 1524 (Trinoo) and 1525 (sqlnet2-1525) when the firewall only strips the URG flag rather than blocking the traffic. This made me worry that my apps were failing, and I spent a lot of time investigating. I still think changing "Drop" to "Traffic Warning" or "URG Flag Stripped Warning" would be clearer and would match the "Informational" severity. This would help new users understand what’s happening without needing to run extra tools, saving time and reducing confusion.

I’d love to hear your thoughts on this improvement idea, and if other community members have seen similar issues with log wording. Thanks again for your guidance!

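As an added example (not from the post above and not Check Point code), the cross-check described there can be scripted: take one capture from the inside of the gateway and one from the outside, match packets by endpoints and sequence number, and report for each packet to ports 1524/1525 whether it was forwarded unchanged, forwarded with the URG flag cleared, or never seen on the far side. The packet bytes below are constructed inline (minimal IPv4/TCP headers, zeroed checksums); in real use the two lists would be filled from pcap files written by tcpdump on each side.

```python
import struct

URG = 0x20                     # TCP URG flag bit
WATCH_PORTS = {1524, 1525}     # ports from the post (Trinoo, sqlnet2-1525)

def parse_packet(raw):
    """Minimal IPv4/TCP parser: (src, dst, sport, dport, seq, flags, payload)."""
    ihl = (raw[0] & 0x0F) * 4
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return (src, dst, sport, dport, seq, off_flags & 0x1FF, tcp[(off_flags >> 12) * 4:])

def urg_verdicts(inside, outside):
    """Match packets seen before and after the gateway by (src, dst, sport, dport, seq).
    Per packet to/from a watched port: 'stripped' (URG cleared, payload intact),
    'forwarded' (unchanged), or 'dropped' (never seen on the far side)."""
    seen = {p[:5]: p for p in map(parse_packet, outside)}
    verdicts = {}
    for p in map(parse_packet, inside):
        src, dst, sport, dport, seq, flags, payload = p
        if not WATCH_PORTS & {sport, dport}:
            continue                       # only the ports the log complained about
        q = seen.get(p[:5])
        if q is None:
            verdicts[p[:5]] = "dropped"
        elif flags & URG and not q[5] & URG and q[6] == payload:
            verdicts[p[:5]] = "stripped"
        else:
            verdicts[p[:5]] = "forwarded"
    return verdicts

def build(src, dst, sport, dport, seq, flags, payload=b""):
    """Constructed test frame: 20-byte IPv4 header + 20-byte TCP header, checksums zeroed."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, addr(src), addr(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp + payload

# Constructed captures (not real traffic); 0x18 is PSH|ACK
INSIDE = [build("10.0.0.5", "10.0.1.9", 40001, 1525, 100, 0x18 | URG, b"select 1"),
          build("10.0.0.5", "10.0.1.9", 40002, 1524, 200, 0x18, b"hello"),
          build("10.0.0.5", "10.0.1.9", 40003, 443, 300, 0x18 | URG, b"tls")]
OUTSIDE = [build("10.0.0.5", "10.0.1.9", 40001, 1525, 100, 0x18, b"select 1")]

if __name__ == "__main__":
    for key, verdict in urg_verdicts(INSIDE, OUTSIDE).items():
        print(key, verdict)   # a "Drop" log next to verdict 'stripped' means the flow survived
```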