This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FrankXie
Participant
‎2022-10-17 12:51 PM
Jump to solution

Checkpoint anti-spoof and state inspection

Hello expert

 

Recently we noticed an issue in our network.

The communication between client and server cross 2 firewalls. I can see by log and packet capture TCP syn from client pass through and reach  server and server responded.

But server response TCP SYNACK dropped by first firewall anti spoofing module. (This looks like just triggered by recently upgrade from version 80.10 to 81.10) This raise a interesting discussion within our team. What is the process sequence of difference inspection module?

Here is my understanding, please correct me if I am wrong.

1, for the first packet

anti spoof first then access rules and hold state of connection, wait for syn ack

2, for the ack

Don't know how firewall handle this one

3, for the following traffic

Check session table first, if session is there, it bypass all other modules. Otherwise follow 1.

 

Can you please share some insight about this?

Thanks

Frank

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2022-10-18 12:54 AM
Jump to solution

Check that you do not have an asymmetric routing situation after an upgrade. 

View solution in original post

0 Kudos
Timothy_Hall
Champion Champion
Champion
‎2022-10-19 07:11 AM
In response to FrankXie
Jump to solution

Assuming it is not manually disabled, anti-spoofing is always checked for all inbound packets regardless of connection state against whatever the anti-spoofing configuration is calling for on the inbound interface.  This next fact is not well known, but anti-spoofing is also applied against all traffic on the outbound interface by checking the routing table to make sure traffic is leaving the right way.  It is likely that at some point in the upgrade (SIC reestablishment maybe) a "Get Interfaces with Topology" happened, possibly before the firewall's Gaia OS routing table was fully or correctly populated, which this operation relies on heavily.

Fortunately since you are running R80.20+ your anti-spoofing configuration will be quite simple going forward:

1) On all interfaces defined as Internal, set the new "Network defined by routes" option.  No need to define byzantine groups of "specific" networks that will inevitably get screwed up at a future date leading to massive anti-spoofing drops of traffic.

2) Make sure your external interface is properly set

That's it.  If you are still experiencing anti-spoofing drops in the logs at that point, your routing table in the Gaia OS on the firewall is incorrect.  Period.  Full stop.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
7 Replies
emmap
Employee
Employee
‎2022-10-17 10:12 PM
Jump to solution

It would be similar, all packets must pass through anti-spoofing before we check for state etc. So in this case it seems like you need to check the anti-spoofing settings on the interface receiving the SYN-ACK.

0 Kudos
FrankXie
Participant
‎2022-10-18 02:40 PM
In response to emmap
Jump to solution

Though I think once session established, there's not necessary to check anti spoofing anymore. 

This only happens after upgrading, looks like behavior a little inconsistent between different version. (We have another dc with old version still running without problem.)

0 Kudos
emmap
Employee
Employee
‎2022-10-18 07:46 PM
In response to FrankXie
Jump to solution

If the SYN-ACK is being dropped, the session is not establishing. Pretty sure anti-spoofing is always checked, but given that packets have to pass both ways before a session can come up it already has to have been accepted both ways before the session is in the table anyway.

0 Kudos
Timothy_Hall
Champion Champion
Champion
‎2022-10-19 07:11 AM
In response to FrankXie
Jump to solution

Assuming it is not manually disabled, anti-spoofing is always checked for all inbound packets regardless of connection state against whatever the anti-spoofing configuration is calling for on the inbound interface.  This next fact is not well known, but anti-spoofing is also applied against all traffic on the outbound interface by checking the routing table to make sure traffic is leaving the right way.  It is likely that at some point in the upgrade (SIC reestablishment maybe) a "Get Interfaces with Topology" happened, possibly before the firewall's Gaia OS routing table was fully or correctly populated, which this operation relies on heavily.

Fortunately since you are running R80.20+ your anti-spoofing configuration will be quite simple going forward:

1) On all interfaces defined as Internal, set the new "Network defined by routes" option.  No need to define byzantine groups of "specific" networks that will inevitably get screwed up at a future date leading to massive anti-spoofing drops of traffic.

2) Make sure your external interface is properly set

That's it.  If you are still experiencing anti-spoofing drops in the logs at that point, your routing table in the Gaia OS on the firewall is incorrect.  Period.  Full stop.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
FrankXie
Participant
‎2022-10-19 12:28 PM
In response to Timothy_Hall
Jump to solution

Thanks Tim

Yes I am new to Checkpoint.  That's all make sense. We do have specific group, maybe we change it to follow your suggestion. 

Frank

0 Kudos
_Val_
Admin
Admin
‎2022-10-18 12:54 AM
Jump to solution

Check that you do not have an asymmetric routing situation after an upgrade. 

0 Kudos
FrankXie
Participant
‎2022-10-18 02:37 PM
In response to _Val_
Jump to solution

Asymmetric usually dropped by checking session state with message like first packet not syn.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 10:00 AM (CEST)

    CheckMates Live BeLux: How Can Check Point AI Copilot Assist You?
    CheckMates Events