
Firewall State Table

Question asked by James Simmons on Jan 15, 2019
Latest reply on Jan 16, 2019 by Timothy Hall

I have a situation where I need affirmation on my thoughts. Here goes.


Setup:

Firewall Cluster - R77.30 - Open Server

Management Interface

External Interface

Internal Interface

Core Interface

Set up as a basic Firewall no other blade enabled.

Static routes set up for management services (i.e. NTP, AD, SMTP, Syslog) via the Management interface.


Situation: Traffic originates from the Internal interface and follows the static routes out the Management interface; however, when the return traffic is observed with fw monitor, we see it traverse the Core interface and then the Internal interface where the originating server lives.


[vs_0][fw_3] Internal:i[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Internal:I[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Managment:o[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Managment:O[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Core:i[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3954
TCP: 49155 -> 62298 .S..A. seq=6e88bb0b ack=c55bc947
[vs_0][fw_3] Core:I[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3954
TCP: 49155 -> 62298 .S..A. seq=6e88bb0b ack=c55bc947
[vs_0][fw_3] Internal:o[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3954
TCP: 49155 -> 62298 .S..A. seq=6e88bb0b ack=c55bc947
[vs_0][fw_3] Internal:O[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3954


Question: Is this normal Check Point state synchronization? As long as the firewall has a SYN packet for the connection in the state table, it doesn't matter if the SYN-ACK packet comes in over a different interface. Is my thinking correct? Some people would say there should be an out-of-state error, but my understanding is that this only happens if the firewall receives a packet that doesn't have a state/connection entry.
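To make the state-table reasoning in the question concrete, here is an added example (not from the post or from Check Point) that parses an fw monitor capture and runs it through a toy stateful inspection model. It is a simplified, hypothetical model, not the gateway's actual lookup code: a connection is created only by a SYN arriving at the pre-inbound "i" point; any later packet whose 5-tuple matches the entry in either direction is accepted regardless of which interface it arrives on (with the reply interface recorded so asymmetry can be reported); a non-SYN packet with no entry is the out-of-state case. The sample capture is the post's own SYN/SYN-ACK exchange plus one constructed extra packet (a bare ACK to port 62299 with no matching connection) to exercise the out-of-state path. The "I" and "O" points are skipped because they are post-inspection copies of the same packet.

```python
import re
from dataclasses import dataclass
from typing import Optional

# fw monitor header line: [vs_0][fw_3] <iface>:<point>[<len>]: <src> -> <dst> (<proto>) ...
HEADER_RE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\] (?P<iface>[^:]+):(?P<point>[iIoO])\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\)"
)
# fw monitor TCP line: TCP: <sport> -> <dport> <flags> seq=... ack=...
TCP_RE = re.compile(r"^TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>\S+)")

# Constructed sample: the post's capture (Internal -> Managment on the SYN,
# Core -> Internal on the SYN-ACK) plus one constructed bare ACK with no
# matching connection (port 62299) to show the out-of-state verdict.
SAMPLE = """\
[vs_0][fw_3] Internal:i[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Internal:I[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Managment:o[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Managment:O[52]: 192.168.231.93 -> 10.128.232.101 (TCP) len=52 id=21750
TCP: 62298 -> 49155 .S.... seq=c55bc946 ack=00000000
[vs_0][fw_3] Core:i[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3954
TCP: 49155 -> 62298 .S..A. seq=6e88bb0b ack=c55bc947
[vs_0][fw_3] Core:I[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3954
TCP: 49155 -> 62298 .S..A. seq=6e88bb0b ack=c55bc947
[vs_0][fw_3] Internal:o[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3954
TCP: 49155 -> 62298 .S..A. seq=6e88bb0b ack=c55bc947
[vs_0][fw_3] Core:i[52]: 10.128.232.101 -> 192.168.231.93 (TCP) len=52 id=3955
TCP: 49155 -> 62299 ....A. seq=6e88bb0c ack=c55bc948
"""


@dataclass
class Packet:
    iface: str
    point: str        # i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound
    src: str
    dst: str
    sport: int
    dport: int
    flags: str        # fw monitor flag string, e.g. ".S...." (SYN) or ".S..A." (SYN-ACK)

    @property
    def syn(self) -> bool:
        return "S" in self.flags

    @property
    def ack(self) -> bool:
        return "A" in self.flags


@dataclass
class Conn:
    in_iface: str                       # interface the SYN arrived on
    out_iface: Optional[str] = None     # interface the SYN left on (seen at the 'o' point)
    reply_iface: Optional[str] = None   # interface the first reply arrived on
    packets: int = 0


def parse_capture(text: str) -> list:
    """Pair each fw monitor header line with its following TCP line."""
    packets, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = TCP_RE.match(line)
        if m and header and header["proto"] == "TCP":
            packets.append(Packet(header["iface"], header["point"], header["src"], header["dst"],
                                  int(m["sport"]), int(m["dport"]), m["flags"]))
            header = None
    return packets


def inspect(packets: list):
    """Toy stateful inspection: returns (connection table, list of (iface, verdict))."""
    table, verdicts = {}, []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.point == "o":                       # record which interface the SYN left on
            if fwd in table and table[fwd].out_iface is None:
                table[fwd].out_iface = p.iface
            continue
        if p.point != "i":                       # 'I'/'O' are post-inspection copies
            continue
        if fwd in table:                         # more client->server traffic
            table[fwd].packets += 1
            verdicts.append((p.iface, "accept"))
        elif rev in table:                       # reply matched on the reversed tuple
            c = table[rev]
            c.packets += 1
            c.reply_iface = c.reply_iface or p.iface
            verdicts.append((p.iface, "accept" if p.iface == c.out_iface else "accept-asymmetric"))
        elif p.syn and not p.ack:                # a SYN with no entry opens a connection
            table[fwd] = Conn(in_iface=p.iface, packets=1)
            verdicts.append((p.iface, "new"))
        else:                                    # non-SYN with no entry: out of state
            verdicts.append((p.iface, "drop-out-of-state"))
    return table, verdicts


def run_sample():
    return inspect(parse_capture(SAMPLE))


if __name__ == "__main__":
    for iface, verdict in run_sample()[1]:
        print(f"{iface:10s} {verdict}")
```

The SYN-ACK arriving on Core is accepted because the reversed 5-tuple is already in the table; the model only flags it as asymmetric because it also recorded that the SYN went out via Management. The constructed bare ACK to port 62299 has no entry in either direction and is the case that produces an out-of-state drop. Two caveats for a real gateway: the state lookup here stands in for what happens between the "i" and "I" inspection points, and an asymmetric reply is still subject to the interface's anti-spoofing topology, so a return path that the model accepts could still be rejected on that check.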
