
Monday, October 15, 2007

firewall-wizards Digest, Vol 18, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Checkpoint - Out of state packet (A. Dreyer)


----------------------------------------------------------------------

Message: 1
Date: Sat, 13 Oct 2007 11:31:59 +0100
From: "A. Dreyer" <ml10049@adreyer.com>
Subject: Re: [fw-wiz] Checkpoint - Out of state packet
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <47109E9F.4000103@adreyer.com>
Content-Type: text/plain; charset=UTF-8

saudi sans wrote:
> We are having Nokia Checkpoint in load balancing mode.
>
> In the Checkpoint logs we get DROP packet messages "TCP packet out of
> state: First packet isn't SYN;". It looks like out-of-state packets are
> getting dropped. I am NOT worried about this.
>
> What is worrying is source IP of the packets is of the Firewall
> interface itself. The destination address/port is of the server
> protected by the Firewall.
>
> I am trying to investigate how can we get packets with source IP as
> Firewall interface.
>
> My doubts:
>
> 1. When Checkpoint encounters an out-of-state packet and DROPs it, does
> it log the message with the source IP as that of the Firewall?
>
> 2. Assuming the Firewall is configured properly, what are the other
> instances when we get DROP traffic logs with the source address as that
> of the Firewall interface?
>
>
> Am I totally on the wrong direction in this investigation?

Hi,

Have you checked that the cluster is in sync?
You could also try to run "fw ctl zdebug drop" on the GW module to see
if this gives you further info on the drop.

To get a better picture you might want to run a tcpdump on the GW with
"fw monitor -o $HOSTNAME.pcap" and have a look at it with Wireshark; this
can give you a clue where the packet came from.


Regards,
Achim
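The capture-and-inspect step Achim suggests, as an added example that is not part of the original thread: a small Python script that walks a classic libpcap file (Ethernet/IPv4/TCP) and lists the TCP packets that carry the firewall interface address as source yet belong to no connection whose SYN appears earlier in the capture, which is the same condition the "First packet isn't SYN" log line complains about. The firewall, client and server addresses, the ports and the packets themselves are constructed for the example; a real fw monitor file should be saved or converted to standard pcap with Wireshark or editcap before it is fed to parse_pcap.

```python
"""Find TCP packets sourced from the firewall's own interface address that
do not belong to any connection opened (SYN seen) earlier in the capture.
Added example for the firewall-wizards thread; not the list's or Check
Point's code. Addresses and packets below are constructed."""
import struct
from collections import namedtuple

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian libpcap magic
FW_IP = "192.0.2.1"              # assumed firewall interface address
CLIENT, SERVER = "198.51.100.7", "10.0.0.5"   # assumed client / protected server
SYN, RST, ACK, FIN = 0x02, 0x04, 0x10, 0x01   # TCP flag bits

Pkt = namedtuple("Pkt", "idx src dst sport dport flags")


def parse_pcap(data):
    """Yield Pkt records for every IPv4/TCP frame in a classic pcap file
    whose link type is Ethernet. Non-IPv4 and non-TCP frames are skipped."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off, idx = 24, 0                     # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        idx += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                     # not IPv4
        ihl = (frame[14] & 0x0F) * 4     # IP header length in bytes
        if frame[23] != 6:
            continue                     # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield Pkt(idx, src, dst, sport, dport, tcp[13])


def find_out_of_state(pkts, fw_ip):
    """Return packets with src == fw_ip whose 4-tuple (in either direction)
    was not opened by a plain SYN earlier in the capture. A SYN from the
    firewall itself is a legitimate connection start and is not reported."""
    seen, hits = set(), []
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if p.flags & SYN and not p.flags & ACK:
            seen.add(key)                # connection opened; remember it
            continue
        if key in seen or rkey in seen:
            continue                     # belongs to a known connection
        if p.src == fw_ip:
            hits.append(p)
    return hits


def build_frame(src, dst, sport, dport, flags):
    """Ethernet + minimal IPv4 + 20-byte TCP header (no payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def sample_capture():
    """Constructed capture: a normal client handshake, two stray packets from
    the firewall address (frames 4 and 7), and a connection the firewall
    opens itself with a proper SYN (frames 5 and 6)."""
    return build_pcap([
        build_frame(CLIENT, SERVER, 40000, 80, SYN),          # 1 client SYN
        build_frame(SERVER, CLIENT, 80, 40000, SYN | ACK),    # 2 server SYN-ACK
        build_frame(CLIENT, SERVER, 40000, 80, ACK),          # 3 handshake done
        build_frame(FW_IP, SERVER, 40000, 80, ACK),           # 4 fw src, no SYN
        build_frame(FW_IP, SERVER, 50000, 22, SYN),           # 5 fw opens SSH
        build_frame(FW_IP, SERVER, 50000, 22, ACK),           # 6 same connection
        build_frame(FW_IP, SERVER, 40001, 443, RST),          # 7 fw src, stray RST
    ])


if __name__ == "__main__":
    for p in find_out_of_state(parse_pcap(sample_capture()), FW_IP):
        print(f"frame {p.idx}: {p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}")
```

On the constructed capture only frames 4 and 7 are reported. The check has the same blind spot as the gateway's own state table: a packet whose SYN predates the start of the capture is flagged even though the connection is legitimate, which is exactly what happens on a cluster member that has lost or never received the connection state from its peer, so a burst of such hits right after a failover points at the synchronisation question Achim raises before it points at spoofing.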


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 18, Issue 8
***********************************************
