Alex, do you have any application like websense or surfcontrol configured in "sniffer" mode? They routinely send "rst" packets to both the internal client and external server to close the connection between the client and server per design. Stateful firewalls will drop these packets and you should not disable stateful inspection just to have "clean" logs. You could unselect "Log On Drop" next to it, if you want less informative logs.
Ignore these messages, as "RST" packets shouldn't be required. If the routing is not asymmetric, then there has to be a reason there is no connection in the state table, such as a proper FIN that closed the connection. The RST was unnecessary as the connection was already closed. No well-written application sends RST as its first packet.

David Barker
Senior Security Engineer
Internet Security Division, Compuquip Technologies

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Alex Hayes
Sent: Sunday, January 06, 2008 2:05 AM
To: [email protected]
Subject: Re: [FW-1] Check Point Drop out of state TCP packet

yes, my idea is to let pass the traffic necessary to continue working the application. Take off the contentions.

----- Original Message ----
From: sin <[EMAIL PROTECTED]>
To: [email protected]
Sent: Friday, January 4, 2008 7:59:02 PM
Subject: Re: [FW-1] Check Point Drop out of state TCP packet

Alex Hayes wrote:
> I have several messages of:
>
> TCP packet out of state: First packet isn't SYN; tcp_flags: RST
> TCP packet out of state: First packet isn't SYN; tcp_flags: RST
> TCP packet out of state: First packet isn't SYN; tcp_flags: RST
> TCP packet out of state: First packet isn't SYN; tcp_flags: RST
> TCP packet out of state: First packet isn't SYN; tcp_flags: ACK
> TCP packet out of state: First packet isn't SYN; tcp_flags: RST
> TCP packet out of state: First packet isn't SYN; tcp_flags: RST
> TCP packet out of state: First packet isn't SYN; tcp_flags: RST
>
> Do you know why?

maybe because a new tcp connection needs to have its first packet with the SYN bit set and from what your logs say, the packets dropped don't have the SYN bit set.

> I read that I need to go to Policy ---Global Properties----
> Stateful Inspection and deselect the flag "Drop out of state TCP packet"

yup, it will keep your logs clean.
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
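The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Check Point's implementation: a toy state table showing why an RST that arrives after an orderly FIN close, or an ACK for a connection whose SYN the firewall never saw, is logged as out of state. The addresses, the packet sequence and the rule that the entry is removed on the final ACK of the close are assumptions made for illustration.

```python
from collections import namedtuple

# flags is a "-"-joined string such as "SYN", "SYN-ACK", "FIN-ACK", "RST"
Packet = namedtuple("Packet", "src dst flags")

def conn_key(p):
    # Direction-independent key so that replies match the same table entry.
    return frozenset((p.src, p.dst))

def inspect(packets):
    """Return one verdict per packet from a simplified TCP state table."""
    table = {}  # conn key -> set of endpoints that have already sent FIN
    verdicts = []
    for p in packets:
        key, flags = conn_key(p), set(p.flags.split("-"))
        if key not in table:
            if flags == {"SYN"}:  # only a bare SYN may open a connection
                table[key] = set()
                verdicts.append("accept")
            else:
                verdicts.append("drop: First packet isn't SYN; tcp_flags: " + p.flags)
            continue
        verdicts.append("accept")
        if "RST" in flags:
            del table[key]              # an in-state RST tears the entry down
        elif "FIN" in flags:
            table[key].add(p.src)       # remember which side has closed
        elif len(table[key]) == 2:
            del table[key]              # final ACK of an orderly close
    return verdicts

C, S = "10.0.0.5:40000", "192.0.2.10:80"  # constructed sample endpoints
SAMPLE = [
    Packet(C, S, "SYN"), Packet(S, C, "SYN-ACK"), Packet(C, S, "ACK"),
    Packet(C, S, "FIN-ACK"), Packet(S, C, "FIN-ACK"), Packet(C, S, "ACK"),
    # Late resets, e.g. sent to both sides by a content filter in sniffer mode
    Packet(C, S, "RST"), Packet(S, C, "RST"),
    # Asymmetric routing: the firewall never saw this connection's SYN
    Packet("10.0.0.6:40001", S, "ACK"),
]

def demo():
    return inspect(SAMPLE)

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, demo()):
        print(f"{pkt.src} -> {pkt.dst} [{pkt.flags}]: {verdict}")
```
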
