Michael Halligan wrote:
> This happens rather constantly with me, one out of every 5-10 web
> requests gets dropped because of it.  I'm still trying to diagnose if
> it's my firewall or if it's my load balancer.. It's peculiar because my
> setup is really simple, 2 firewalls in failover, two loadbalancers in
> failover, and 4 webservers behind the loadbalancers.

I don't have the redundant firewall setup, but otherwise my config is
similar. Are the states being maintained properly between the two firewalls?

> The frustrating part was attempting to do just what Girard had
> suggested, and go through the management console to turn off tcp state
> filtering in global properties.. It doesn't work, it does nothing
> basically.. That was confirmed by reading a book on checkpoint that was
> suggested on the fw1-gurus list, so I had to manually do it with dbedit.
> Thanks checkpoint.
> Anyways, turning this off basically changed the dropped packet rate to
> be about 1 in 10-15 instead of one in 3-7, so it's "progress".. at least
> now I'm getting dropped by a ruleset, instead of a cryptic and
> undocumented "tcp out of state" problem.

Are you sure these blocked packets shouldn't be blocked? I haven't heard of
anyone having problems getting to my site since I deployed R55 on Saturday.
I would have thought a customer would have called us up by now asking about
a problem if a problem existed. Though I have a hard time believing there's
really this many mis-configured TCP stacks out there that would cause all
these errors.

Hmm, do you find that the packets that are dropped are part of an existing
connection? Ie, these aren't just scans with spoofed addresses or anything
like that that your webservers are bouncing back?

Yup, Checkpoint docs seem to be full of holes.

>
> At this point it seems like the firewall is seeing packets it shouldn't
> be seeing, because when I watch in checkpoint tracker, every failed
> attempt has a source address of the webserver, not the virtual interface
> for my alteon, so I'm digging through the alteon configs right now.

Do you see this activity at all from clients out on the 'Net? I see just as
many inbound as outbound.

Hmm, that prompted me to check my logs a bit more and I see that my servers
typically are sending outbound ACK packets (and FIN-ACK, RST, and PUSH-ACK),
but the firewall blocks them because they don't have a match in the
connection table. Sounds like the TCP timeout window is too low by default?

.......................
Ian Neubert
Director of IS
TWAcomm.com, Inc.
http://www.twacomm.com/

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] Behalf Of Michael
> Halligan
> Sent: Tuesday, April 13, 2004 11:37 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] TCP Packet out of state: First packet isn't SYN
>
>
> This happens rather constantly with me, one out of every 5-10 web
> requests gets dropped because of it.  I'm still trying to diagnose if
> it's my firewall or if it's my load balancer.. It's peculiar because my
> setup is really simple, 2 firewalls in failover, two loadbalancers in
> failover, and 4 webservers behind the loadbalancers.
>
> The frustrating part was attempting to do just what Girard had
> suggested, and go through the management console to turn off tcp state
> filtering in global properties.. It doesn't work, it does nothing
> basically.. That was confirmed by reading a book on checkpoint that was
> suggested on the fw1-gurus list, so I had to manually do it with dbedit.
> Thanks checkpoint.
>
> Anyways, turning this off basically changed the dropped packet rate to
> be about 1 in 10-15 instead of one in 3-7, so it's "progress".. at least
> now I'm getting dropped by a ruleset, instead of a cryptic and
> undocumented "tcp out of state" problem.
>
>
> At this point it seems like the firewall is seeing packets it shouldn't
> be seeing, because when I watch in checkpoint tracker, every failed
> attempt has a source address of the webserver, not the virtual interface
> for my alteon, so I'm digging through the alteon configs right now.
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Ian
> Neubert
> Sent: Monday, April 12, 2004 6:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] TCP Packet out of state: First packet isn't SYN
>
> Girard Moussa wrote:
> > These drops are due to the fact that the firewall is seeing Packets
> > that are not SYN packets. These might be SYN/ACK, ACK, or FIN packets
> > and the firewall cannot find any entry in the state table indicating
> > that there is an existing established connection for these packets.
>
> Is this something that happens often at your site? I get roughly 10 logs
> about this every minute, on one of my /25's. It seems to have increased
> since I moved from R54 to R55, but that may be in my head.
>
> .......................
> Ian Neubert
> Director of IS
> TWAcomm.com, Inc.
> http://www.twacomm.com/
>
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] Behalf Of Girard
> > Moussa
> > Sent: Monday, April 12, 2004 5:55 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [FW-1] TCP Packet out of state: First packet isn't SYN
> >
> >
> > Michael,
> >
> > These drops are due to the fact that the firewall is seeing Packets
> > that are not SYN packets. These might be SYN/ACK, ACK, or FIN packets
> > and the firewall cannot find any entry in the state table indicating
> > that there is an existing established connection for these packets.
> > You can turn off Packet out of state checking via the properties in
> > R55, however, this is NOT recommended since most of the port and
> > system scans out there (e.g. NMAP) depend on these methods to scan
> > your network. In your case, you should make sure that all your
> > internet users are going through the firewall both for outgoing and
> > incoming traffic (same firewall that is). I have seen some problems
> > where some sites have more than one internet connection and some
> > users exit via one firewall and then the traffic comes in from
> > another firewall that did not see the traffic in the initial session.
> >
> > In order to allow such packets to go through (and thus reduce your
> > security level) go to Global Properties, Stateful Inspection and then
> > remove the tick mark next to "Drop out of state TCP packets", install
> > the policy.
> >
> > Best of luck.
> >
> > Regards,
> > Girard Moussa
> >
> > -----Original Message-----
> > From: Michael Halligan [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, 13 April 2004 8:50 AM
> > To: [EMAIL PROTECTED]
> > Subject: [FW-1] TCP Packet out of state: First packet isn't SYN
> >
> > I'm getting dropped packets, not by my rule base.
> >
> >
> > I'm running R55 FP4 on secureOS.  The errors are blocking seemingly
> > random outgoing web packets.
> >
> > My searches online say this is a common problem, but nobody seems to
> > have a working solution.
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
> >
> >
> >
>
>
>


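The two causes the thread circles around (a connection-table entry that aged out before the server sent its FIN-ACK, and a failover peer that never saw the SYN and has no synced state) shown in a toy Python model of the "drop out of state TCP packets" check. This is an added example, not code from the thread or from Check Point; the timeout value, addresses, verdict strings and the flow-key scheme are constructed for illustration.

```python
TCP_TIMEOUT = 3600   # assumed idle timeout for a connection-table entry, seconds

class StatefulFirewall:
    def __init__(self, timeout=TCP_TIMEOUT):
        self.timeout = timeout
        self.table = {}   # flow key -> time the entry was last refreshed

    @staticmethod
    def key(src, sport, dst, dport):
        # Order the endpoints so both directions of a flow map to one entry.
        a, b = (src, sport), (dst, dport)
        return (a, b) if a < b else (b, a)

    def inspect(self, now, src, sport, dst, dport, flags):
        k = self.key(src, sport, dst, dport)
        last = self.table.get(k)
        if last is not None and now - last > self.timeout:
            del self.table[k]   # idle entry aged out of the connection table
            last = None
        if last is None:
            if flags == {"SYN"}:
                self.table[k] = now   # new flow opened the proper way
                return "accept"
            # No state and the first packet is not a bare SYN: the logged drop.
            return "drop (out of state)"
        self.table[k] = now   # refresh the entry on every packet
        return "accept"

    def sync_to(self, peer):
        peer.table.update(self.table)   # state sync to the failover peer

CLIENT, SERVER = ("203.0.113.10", 51000), ("192.0.2.80", 80)   # constructed

def scenario_timeout(timeout=60):
    """Server's late FIN-ACK is dropped once the entry idled past the timeout."""
    fw = StatefulFirewall(timeout)
    verdicts = [fw.inspect(0, *CLIENT, *SERVER, {"SYN"}),
                fw.inspect(1, *SERVER, *CLIENT, {"SYN", "ACK"}),
                fw.inspect(2, *CLIENT, *SERVER, {"ACK"})]
    verdicts.append(fw.inspect(timeout + 5, *SERVER, *CLIENT, {"FIN", "ACK"}))
    return verdicts

def scenario_failover(synced):
    """Reply path enters via fw_b; only a synced fw_b has state for the flow."""
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall()
    fw_a.inspect(0, *CLIENT, *SERVER, {"SYN"})
    if synced:
        fw_a.sync_to(fw_b)
    return fw_b.inspect(1, *SERVER, *CLIENT, {"SYN", "ACK"})
```

Raising the timeout in `scenario_timeout` past the server's idle period, or syncing state in `scenario_failover`, turns the last verdict into an accept, which is the check to make before disabling out-of-state inspection globally.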