Title: RE: CheckPoint FW1 - unknown established TCP packet

You see this quite often with FW1. It also can be shown as a RULE 0 drop. This means that the Firewall has not received the TCP connection tuple correctly. If your FW1 receives a syn/ack without the syn to start the connection, the FW will drop the packet. Since FW1 uses state tables, it checks the table when a syn/ack is received, and because there is no entry for the connection (created when a syn is received to start a connection), the syn/ack is dropped because it is invalid.

Many tools can create these invalid packets. A FIN scan is a popular one. Download one of the ping tools and run it against your firewall to see what the logs show. NMAP is the best IMHO.

Hope this helps,
Mike

-----Original Message-----
From: Winway [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 03, 2001 7:02 AM
To: [EMAIL PROTECTED]
Subject: CheckPoint FW1 - unknown established TCP packet


The only policy: any any accept
But the Log Viewer shows that there are still many packets dropped, and the info. column shows "reason: unknown established TCP packet".

Who can tell me why? Thanks.

Winway
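
The state-table behaviour described in the reply, as an added example that is not part of the original messages and is not Check Point's code. It is a simplified model: the class and function names are hypothetical, the sample packets are constructed, and only a bare SYN is allowed to create a table entry.

```python
# Simplified model of a stateful TCP filter (illustration, not FW-1 internals).
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def pkt(src, sport, dst, dport, *flags):
    return Pkt(src, sport, dst, dport, frozenset(flags))

def conn_key(p):
    # Direction-independent key, so a reply matches the entry its SYN created.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class StatefulFilter:
    def __init__(self):
        self.table = set()  # connections opened by an accepted SYN

    def inspect(self, p):
        key = conn_key(p)
        if p.flags == {"SYN"}:
            # Only a bare SYN is matched against the rule base; the policy
            # modelled here is the thread's "any any accept".
            self.table.add(key)
            return ("accept", "rule base")
        if key in self.table:
            if "RST" in p.flags:
                self.table.discard(key)  # a reset tears the entry down
            return ("accept", "established")
        # No SYN was ever seen for this tuple: dropped before any rule applies.
        return ("drop", "unknown established TCP packet")

# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLE = [
    pkt("10.0.0.5", 40000, "192.0.2.10", 80, "SYN"),
    pkt("192.0.2.10", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    pkt("198.51.100.7", 80, "10.0.0.5", 40001, "SYN", "ACK"),
    pkt("198.51.100.7", 1234, "10.0.0.5", 22, "FIN"),
]

def run(packets):
    fw = StatefulFilter()
    return [fw.inspect(p) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(p.src, "->", p.dst, sorted(p.flags), verdict)
```

The last two sample packets are dropped even though the modelled policy accepts everything, because the rule base is only consulted for packets that open a connection.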
