- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hello,
I have come across a strange situation where my packets are both Accepted and Dropped at the same time. Can anyone help me determine what is the real outcome ?
Firewall Rule:
*Picture was unclear.Updated to clearly see policy has Drop*:
Output of the log:
Description of the event:
https Traffic Accepted from <USER NAME> (<username>)(<internal_ip>) to 2.17.117.112 due to TCP segment out of maximum allowed sequence. Packet dropped.
Knowing that i found the packet that is simultaneously both accepted and dropped - I will just leave this here for reference:
My mistake - the rule is configured to DROP but this was not clear in the first picture. I corrected.
Yet the logs say Rule 18, descriptions says Accepted. Protection says Dropped.
1. I am updating with more information. I have tested this signature on different setup, everything works. This means that the app "Coinhive" itself has no issue.
2. The rule on this particular SMS/vSEC Gateway has been deleted, policy installed. Re-created, policy installed again. The result is similar:
- Traffic is dropped as intended: ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.202.44:50534 -> 86.105.182.5:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 18;
- There is no log of this happening. Looked historically and things went bad on the 3rd of March when i have the last Application Control log working for this:
- The bogus logs for SMTP Bypass and Accepted HTTPS dropped by Inspection were there all along.
- Example (rule numbe changes as i moved it around):
- For the SMTP bypass support claims it is sourced by sk120964. However i cannot get my head around why would this SMTP bypass log trail around my rule 18 every single time i create or delete it. Why doesn't it pop on rule 10 or 11 or 50?
- For HTTPS with Accept message and Dropped Description there is no explanation yet. I have checked and inspection settings according to SK66576 & SK114529 , that have been brought into discussion earlier are set to Drop and Log.
- There is no proper Inspection Setting Log and regarding this or i don;t yet know where i would see inspection setting logs, as they seem more part of the firewall rather than IPS starting R80.
Unrelated Note: The new interface for Check Mates makes editing a complicated mess. It was much better before. Hope it was worth it. I just noticed while trying to make this post. You can't even paste pictures anymore. Let alone "quote" text.
Makes me think it now looks awfully aligned with the new Support Interface. Not everything is supposed to be a feed, sometimes i would like to be able to track my cases by just scrolling down, not having replies in my SR's arranged by "relevance" and "likes". Somebody actually hired some PR/Marketing guys to keep shifting interfaces around?!
| User | Count |
|---|---|
| 12 | |
| 12 | |
| 9 | |
| 7 | |
| 6 | |
| 6 | |
| 5 | |
| 5 | |
| 5 | |
| 5 |
Tue 30 Sep 2025 @ 08:00 AM (EDT)
Tips and Tricks 2025 #13: Strategic Cyber Assessments: How to Strengthen Your Security PostureTue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFTue 30 Sep 2025 @ 08:00 AM (EDT)
Tips and Tricks 2025 #13: Strategic Cyber Assessments: How to Strengthen Your Security PostureThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents Outages