An APM running Checkpoint VSX NGX R65 may silently drop TCP packets

book

Article ID: 168044

calendar_today

Updated On:

Products

XOS

Issue/Introduction

An APM running Checkpoint VSX NGX R65 may silently drop TCP packetsAn APM running VSX NGX R65 with an L2 VS may silently drop TCP packets while normal IP connectivity is working (eg ping).

Cause

Technical considerations:
-----------------------

Running a VSX NGX R65 L2 VS provides normal L3 security in a L2 network operating mode. The use of this functionality introduces some limitations in the security features of the VSX application.

Due to VSX limitations, it is impossible to disable the SmartDefense for R65 SmartCenter, or the IPS blade for R70+ SmartCenter. The VSX cluster and each VS falls back in a Default_Profile.

By default, 'SYN_Attack' detection is set in protection mode, however this feature is not supported by Checkpoint for L2 VS because of limitation in the Checkpoint Active Streaming module. The Active Streaming module handles the Syn Attack connections, and normally acts as a transparent proxy between the client and server. It receives the inbound connection, inspects the connection, modifies the packet, and then must be able to generate the traffic on the outbound connection. In bridge mode, this is impossible since the firewall cannot generate the traffic on the outbound connection. It can only inspect the traffic.

Since the Active Streaming module cannot handle the connection correctly, it may drop the connection in the kernel. Since this is not an actual attack, but a limitation in the kernel, the packets dropped under Syn Defender never reached the point of triggering the log daemon to send a log to the log file.

Troubleshooting steps:

Confirm the behaviour:
  1. Initiate a TCP connection from your client.
  2. Perform a show flow active source-address x.x.x.x destination-address y.y.y.y.
If the flow is present in the AFT and is load-balanced to a given APM, this means the traffic is being received by the chassis and assigned to a specific FW module.
 
From the firewall module, run the following commands:
  1. tcpdump -ni br<w> host x.x.x.x and host y.y.y.y where 'w' represents the VSid, x and y the ip addresses of the hosts.
  2. To confirm the root of the issue, perform a tcpdump on each ingress and egress interface.

Use the following criteria to identify the drop location:
 
  • If the traffic is not hitting the bridge, you can assume it has been dropped earlier in the chain. If it is hitting the bridge, it may be dropped later in the chain.
  • If the traffic is received on the ingress interface and not on the bridge, it is being dropped by the FW module.
  • if the traffic is seen on the bridge and not seen at the egress interface is is being dropped by the FW module. 
To confirm the drop reason, execute the following command:

fw ctl zdebug drop | grep x.x.x.x (where x represents the source address of your client)

If the FW module is dropping the traffic and the drop reason is SYN Defender Drop/Reject, use the following solution.

Resolution

Solution :
---------
  1. Duplicate the IPS Default_Protection profile to keep a reference for non VSX installations.
  2. Keep the Default_Protection profile for VSX only installations.
  3. Disable any unwanted IPS/SmartDefense features from the Default_Protection profile, especially the Network/TCP/SYN Attack.

Workaround

N/A