Welcome to using M$ software through a firewall ;-)

It depends on what the service is that's causing the problem. For some services (like the command port on FTP) you might be able to fix it by using a larger timeout value for the service, so long file transfers complete before the command channel times out at the default of 1 hour. Same for long database queries that don't send any data while waiting for the request to complete. Depending on your control of the devices involved, you might also be able to change the settings to send TCP keep-alives, so the connection passes data to keep it active in the state table without timing out. The defaults for Windows are usually too high, and I've set some to start sending a keep-alive packet every 15 minutes to keep it in the state table, which might work for you. The MS knowledge base has the registry changes to do that for your OS version if you're able to.

If you wind up chasing the timeout higher and higher, and trying to define too many services with large 24 hour timeouts and such, keep in mind the impact on the size of the state table for sessions that don't end cleanly, and will stick in the state table sucking up space for all that time before being cleared out. Long database queries with no keep-alives are a prime candidate for users to get frustrated after 5 minutes and just drop the connection and try again, leading to both a bloated memory state table on the firewall, and a DB server on its knees looking up requests from users that aren't there to get the results anyway. Fixing the application problem (DB performance tuning), using keep-alives, or redesigning the architecture (where possible) are better ways to make it reliable than cranking up the timeout values or turning off checks for traffic not in the state table, which defeats a lot of what you installed that firewall in the first place for.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Tucker, Fredrik M
Sent: Thursday, February 09, 2006 15:06
To: [email protected]
Subject: Re: [FW-1] drop out of state tcp?

Exactly, the connection is timing out on the firewall before it times out at the endpoints, and several sources I have found explain this common issue occurs from Microsoft's loose adherence to RFC793. However many explanations exist, I have yet to find an acceptable solution! The option doesn't exist for me to allow out of state TCP from specific hosts, only as a global setting. I've been told the problem needs to be approached differently, but how?

Thanks!
fred

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Senior
Sent: Thursday, February 09, 2006 2:43 PM
To: [email protected]
Subject: Re: [FW-1] drop out of state tcp?

If they really are violating TCP standards, i.e. sending unsolicited ACKs, then they won't be able to communicate anyway, as the other side won't have an allocated socket. A more likely explanation might be that the connection is timing out on the firewall before it times out at the endpoints. Then they start talking again, but the firewall's forgotten about the conversation.

Regards
Mark

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Tucker, Fredrik M
Sent: 8 February, 2006 14:50
To: [email protected]
Subject: [FW-1] drop out of state tcp?

Checkpoint FW-1 NG R55

Is there a "more restrictive" alternative to un-checking "drop out of state TCP" in the Global Properties? Specifically dealing with a handful of Microsoft boxes on either side that seem to violate TCP standards. Can an exception be made per rule?

More specifics:
Dropped... TCP packet out of state; First packet isn't SYN; tcp_flags:ACK

Thanks!

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
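The keep-alive fix recommended at the top of the thread, as an added example that is not code from the list or from Check Point: it enables per-socket TCP keep-alives (the 15 minute probe against the 1 hour state-table default are the thread's numbers; the 0.5 safety margin, the helper names and the interval/count values are this example's own assumptions), and the Windows branch notes the system-wide registry equivalent the poster alludes to.

```python
"""Added example: per-socket TCP keep-alives so an idle but live connection
keeps refreshing the firewall's state-table entry. Not from the FW-1 thread;
helper names and the 0.5 margin are this example's own choices."""
import socket
import sys

FIREWALL_TCP_TIMEOUT_S = 3600  # the 1 hour default mentioned in the thread


def survives_state_timeout(idle_s, firewall_timeout_s=FIREWALL_TCP_TIMEOUT_S,
                           margin=0.5):
    """True if the first keep-alive probe lands well before the firewall
    would expire an idle entry. margin < 1.0 (assumed value) leaves room for
    a lost probe: 15 min against 1 h passes, the Windows 2 h default fails."""
    return idle_s > 0 and idle_s <= firewall_timeout_s * margin


def configure_keepalive(sock, idle_s=900, interval_s=60, count=5):
    """Enable keep-alives on an existing TCP socket.
    idle_s: silence before the first probe; interval_s: gap between
    unanswered probes; count: unanswered probes before the peer is declared
    dead. Returns which knobs this platform actually accepted."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": True}
    if sys.platform == "win32" and hasattr(socket, "SIO_KEEPALIVE_VALS"):
        # Windows: one ioctl carries (on/off, idle ms, interval ms); the probe
        # count is fixed by the OS. The machine-wide default is the registry
        # value KeepAliveTime (ms) under Tcpip\Parameters, 2 h out of the box.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, idle_s * 1000, interval_s * 1000))
        applied.update(idle=idle_s, interval=interval_s)
    else:
        # Linux/BSD expose separate options; macOS names the idle one
        # TCP_KEEPALIVE, so fall back to it when TCP_KEEPIDLE is absent.
        idle_opt = getattr(socket, "TCP_KEEPIDLE",
                           getattr(socket, "TCP_KEEPALIVE", None))
        if idle_opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
            applied["idle"] = idle_s
        if hasattr(socket, "TCP_KEEPINTVL"):
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
            applied["interval"] = interval_s
        if hasattr(socket, "TCP_KEEPCNT"):
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
            applied["count"] = count
    return applied
```

Call configure_keepalive() right after connect() on the client or accept() on the server; either end probing is enough to keep the firewall entry fresh.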
