HeikoAnkenbrand
Champion

Disable Stateful Inspection

I had an emergency during an upgrade in which I had to disable "Stateful Inspection" for TCP connections (for a short time).
If you only want to turn this off for a short time, the best way to do this is on the gateways on the fly.

Attention:
If you do this, it can have a problematic security effect on the gateways.

Here are the three solutions:

1) Via SmartConsole --> read more here: sk117374
     [screenshot: OutOfState.PNG]

2) or on the Management Server via INSPECT code
     Add the following lines to the user.def and install the policy --> read more here: sk11088

     //
     // User defined INSPECT code
     //

     /* Start of INSPECT modification - sk11088 */
     net1={ <0.0.0.1, 239.255.255.255> };
     deffunc user_accept_non_syn() {((src in net1) or (dst in net1)) };
     /* End of INSPECT modification */

     /* existing closing lines of user.def; the block above goes before them */
     #endif /* ifndef IPV6_FLAVOR */
     #endif /* ifndef __user_def__ */

3) or on the Gateway on the fly --> read more here: sk117374

     expert mode#   fw ctl set int fw_allow_out_of_state_tcp 1

Attention:
Never ever forget to turn it back on.
(Thanks @_Val_, good comment from you.)
➜ CCSM Elite, CCME, CCTE
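Solution 3 above is a one-line runtime change, which is exactly why it gets forgotten. The script below is an added example (not part of the post above and not from any Check Point SK) that time-boxes the override and writes an audit line for it. It assumes expert-mode bash on the gateway, that `fw ctl get int` reads the same parameter the post sets with `fw ctl set int`, and that the runtime value is what matters (the `fw ctl set int` form is not persisted across reboot, so the script only manages the running value). The script name and log tag are made up for the example.

```shell
#!/bin/bash
# Time-boxed override of fw_allow_out_of_state_tcp on a Check Point gateway.
# Added example; not part of the original post or of any Check Point SK.
# Assumes expert-mode bash on the gateway, where "fw ctl set int" (used in
# the post) and "fw ctl get int" are available. The runtime setting is not
# persisted across reboot; this script only manages the running value.
# Usage (as root, in expert mode):  ./oos_window.sh 600   # seconds

PARAM=fw_allow_out_of_state_tcp
LOGTAG=oos_window

# Write an audit line to syslog (when logger is present) and to stderr.
log_msg() {
    logger -t "$LOGTAG" "$1" 2>/dev/null || true
    printf '%s %s\n' "$(date '+%F %T')" "$1" >&2
}

# "fw ctl get int X" prints "X = N"; return only N.
current_value() {
    fw ctl get int "$PARAM" | awk -F'= *' '{print $2}' | tr -d ' '
}

set_value() {
    fw ctl set int "$PARAM" "$1" >/dev/null
}

restore_value() {
    set_value "$1"
    log_msg "restored $PARAM=$1 (now $(current_value))"
}

# open_window SECONDS: set the parameter to 1, wait, put the old value back.
# Refuses to start if the override is already active (so two overlapping
# windows cannot leave it on), and reverts on Ctrl-C or SIGTERM as well.
# Returns 0 only if the value is back where it started.
open_window() {
    local secs="$1" before after
    before=$(current_value)
    case "$before" in
        0) ;;
        1) log_msg "$PARAM is already 1; refusing to stack another override"; return 1 ;;
        *) log_msg "cannot read $PARAM (got '$before')"; return 1 ;;
    esac
    trap 'restore_value "$before"; exit 1' INT TERM
    set_value 1
    log_msg "set $PARAM=1 for ${secs}s (was $before)"
    sleep "$secs"
    restore_value "$before"
    trap - INT TERM
    after=$(current_value)
    [ "$after" = "$before" ]
}

if [ -n "${1:-}" ]; then open_window "$1"; fi
```

The refusal when the value is already 1 is deliberate: if someone (or an earlier run) has already switched the check off, a second window would revert it to 1 and silently leave the gateway in the degraded state.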
Accepted Solutions
Chris_Atkinson
Employee

sk11088 describes that very procedure (example above).

9 Replies
_Val_
Admin

I miss a big red disclaimer at the end of this article saying:

Never ever forget to turn it back on

HeikoAnkenbrand
Champion

I still write that in the article 🙂


➜ CCSM Elite, CCME, CCTE
nevillekuo
Ambassador

Some of my customers turned it off for some reason even if they have only 1 internet connection (they just see so many out-of-state drops). If we still enable all threat prevention functions, what's the drawback if the TCP SYN check is turned off?

_Val_
Admin

Out of state drops usually indicate a routing issue and should not be just ignored. Disabling stateful is a severe security degradation.

nevillekuo
Ambassador

I understand, but it's hard to explain why a routing issue is encountered when there is only 1 internet connection. It's not just 2 or 3 customers, it's many; maybe we should consider sk11088 as the best solution for this.

_Val_
Admin

I disagree. You should override stateful ONLY if you investigated the situation properly and proved it is an application that is not respecting the TCP state. This is what sk11088 is about.

r1der
Collaborator

Is it possible to do this just for a certain destination and not the entire gateway?
I'm reading multiple threads about "First packet isn't SYN". The TCP flag is FIN-ACK (log card from Client --> Server).
I'm not able to determine if these drops I am seeing are causing the issue we're seeing with timing out on a website.

We've already reached out to application support, who suggest taking a look at our firewall.

Thanks,

Jim_Holmes
Employee

There is a good chance it is not causing a noticeable problem. It is likely to be a scan if it is on an external interface. On an internal interface, it tends to point to a network problem (interface speed/duplex not matching is still what I see the most.) Of course, TAC is your best bet, but have the network folks in on it. It's a firewall problem until they find out a mouse ate the cable.
