Carl,
I have set my TCP session timeout to 900 s in order to reduce the
chances of a DoS attack.
We have users who connect to a system protected by the firewall
either via the Internet or private leased lines (terrestrial or VSAT).
What I can tell is that the firewall became more sensitive to those
connections where there is a high degree of packet loss. So you might
experience this problem, too.
I have to admit that I am pretty bothered by the number of dropped
packets because of this.
Cristian
"Carl E. Mankinen" wrote:
>
> If you follow Ilya's link to security portal, you will see a thread that
> pretty much exactly describes what I am seeing. I suspect this is a problem
> in SP2. (or perhaps some default is a bit too sensitive)
>
> My TCP session timeout is quite high in my opinion, and I suspect that the
> firewall is much more sensitive to delays in TCP sessions now. Seems like
> enough people are seeing the same symptoms as I am.
>
> I don't think it's part of any kind of scan because I have IDS running and
> it's pretty obvious when people are even using an nmap stealth scan. It
> looks more like parts of valid conversations based on the src/dest and
> services.
>
> I am about to heat up an Internet connection via this firewall for a Fortune
> 500 company and there will be something around 600 users actually using this
> firewall. I *really* don't want to start seeing sessions getting dropped all
> over the place.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Craig Skelton
> Sent: Saturday, September 30, 2000 9:53 PM
> To: Carl E. Mankinen; Cristian Nicolae
> Cc: [EMAIL PROTECTED]
> Subject: RE: [FW1] unknown established tcp packets...
>
> Send us a sample.. probably a scan of sorts. Maybe some OS fingerprinting.
> High numbers over long periods would definitely concern me. Valid source
> address? NT firewall?
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Carl
> > E. Mankinen
> > Sent: Saturday, September 30, 2000 2:19 PM
> > To: Cristian Nicolae
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [FW1] unknown established tcp packets...
> >
> >
> >
> > Yeah, I know that these are because there is no state table entry for the
> > TCP session, and I know how to make these dropped packet messages go into
> > the bit bucket, but that was not really what I was asking....
> >
> > I was more interested if having a high number of these is normal or a
> > symptom of a problem.
> >
> >
> > -----Original Message-----
> > From: root [mailto:root]On Behalf Of Cristian Nicolae
> > Sent: Saturday, September 30, 2000 5:22 PM
> > To: Carl E. Mankinen
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [FW1] unknown established tcp packets...
> >
> >
> > Carl,
> > Have a look at
> > http://www.phoneboy.com/fw1/faq/0408.html on this problem
> > Cristian
> >
> > "Carl E. Mankinen" wrote:
> > >
> > > I have been noticing since I upgraded to 4.1 SP2 that my logs are getting
> > > a lot more of these rule 0 drops than I had ever seen before.
> > > From what I understand, this happens because the firewall is receiving a
> > > TCP packet with the established bit set and it has no session information
> > > in its state tables to verify that this is a valid conversation.
> > >
> > > Is this something that just happens a lot with TCP conversations and
> > > nothing to be concerned about, or is this a symptom of some problem which
> > > I should pay closer attention to? The packets which are causing the rule 0
> > > drop are invariably arriving at the outside interface.
> > >
> > > I know I can prevent this from being logged, but I would rather make sure
> > > that I am not covering up a problem before I do this. My interfaces on all
> > > my routers look really clean, and the setting on the firewall properties
> > > for TCP session timeouts is set for 30 minutes.
> > >
> > > Could this be a problem with my fw dropping its state table entries?
> > >
> > >
> >
> >
> >
> >
>
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
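The thread is about a stateful firewall dropping, under rule 0, TCP packets that carry the established bit but match no state-table entry, and about a shorter TCP session timeout (900 s in Cristian's case) making sessions on lossy or slow links more prone to this. The following Python is an added example, not code from Check Point or from anyone in the thread. It models a connection table with an idle timeout to show the trade-off a shorter timeout creates, and then triages a few constructed rule 0 drop lines by source to separate a probe-like pattern (one source, many destination ports) from the tail of a real conversation whose state entry has expired (the same 4-tuple repeating). The log format, addresses, port threshold and one-direction flow model are all assumptions.

```python
"""Added example (not Check Point code): a toy stateful inspection table with an
idle timeout, plus a triage helper for 'rule 0' drop log lines."""
import re
from collections import defaultdict

IDLE_TIMEOUT = 900  # seconds; the timeout value described in the message above


class StateTable:
    """Minimal model of a firewall's TCP connection table.

    Assumption: entries are keyed by the client-side 4-tuple and are removed
    once no packet has been seen for idle_timeout seconds. Only the client
    direction is modelled, which is enough to show the timeout effect."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # (src, sport, dst, dport) -> time of last packet

    def _expire(self, now):
        stale = [f for f, t in self.last_seen.items() if now - t > self.idle_timeout]
        for flow in stale:
            del self.last_seen[flow]

    def inspect(self, now, flow, flags):
        """Return the verdict for one packet; flags is a set such as {"SYN"} or {"ACK"}."""
        self._expire(now)
        if flow in self.last_seen:          # known session: refresh and pass
            self.last_seen[flow] = now
            return "accept"
        if flags == {"SYN"}:                # new connection: create state
            self.last_seen[flow] = now
            return "accept"
        # An ACK (established) packet with no state entry: the rule 0 drop
        return "drop_rule0"


def idle_session_outcome(idle_timeout, idle_gap):
    """Open a session, leave it idle for idle_gap seconds, then send one more
    data segment. Returns the verdict the firewall gives that segment."""
    table = StateTable(idle_timeout)
    flow = ("192.0.2.10", 34567, "10.0.0.5", 23)   # constructed addresses
    table.inspect(0, flow, {"SYN"})
    table.inspect(1, flow, {"ACK"})
    return table.inspect(1 + idle_gap, flow, {"ACK"})


# Constructed log lines in an assumed format; not real firewall output.
SAMPLE_LOG = """\
drop rule 0 src 198.51.100.7 sport 1034 dst 192.0.2.10 dport 23 flags ACK
drop rule 0 src 198.51.100.7 sport 1034 dst 192.0.2.10 dport 23 flags ACK
drop rule 0 src 198.51.100.7 sport 1034 dst 192.0.2.10 dport 23 flags ACK
drop rule 0 src 203.0.113.9 sport 40001 dst 192.0.2.10 dport 21 flags ACK
drop rule 0 src 203.0.113.9 sport 40002 dst 192.0.2.10 dport 22 flags ACK
drop rule 0 src 203.0.113.9 sport 40003 dst 192.0.2.10 dport 25 flags ACK
drop rule 0 src 203.0.113.9 sport 40004 dst 192.0.2.10 dport 80 flags ACK
"""

LOG_RE = re.compile(r"src (\S+) sport (\d+) dst (\S+) dport (\d+)")


def triage_rule0_drops(log_text, scan_port_threshold=3):
    """Group rule 0 drops by source address and label each source.

    Many distinct destination ports from one source looks like a probe; the
    same 4-tuple repeating looks like the remainder of a real conversation
    whose state entry timed out. The threshold is an assumed tuning knob."""
    per_source = defaultdict(list)  # src -> list of (sport, dst, dport)
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        src, sport, dst, dport = match.groups()
        per_source[src].append((int(sport), dst, int(dport)))

    verdicts = {}
    for src, packets in per_source.items():
        dports = {dport for _, _, dport in packets}
        if len(dports) >= scan_port_threshold:
            verdicts[src] = "probe_like"
        elif len(set(packets)) == 1 and len(packets) > 1:
            verdicts[src] = "stale_session_like"
        else:
            verdicts[src] = "unclear"
    return verdicts


if __name__ == "__main__":
    for timeout in (IDLE_TIMEOUT, 1800):
        print(f"timeout={timeout}s, idle 1000s:", idle_session_outcome(timeout, 1000))
    print(triage_rule0_drops(SAMPLE_LOG))
```

With the 900 s table a segment sent after 1000 s of idle time is a rule 0 drop, while the 30 minute table from Carl's message passes it; raising the timeout trades that drop for a longer window in which half-open or abandoned entries occupy the table, which is the DoS exposure Cristian mentions. The triage output labels the repeating 4-tuple as a stale session and the one-source, many-port pattern as a probe, which is the distinction the thread is trying to make from src/dst and service alone.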