An APM running Checkpoint VSX NGX R65 may silently drop TCP packets

An APM running VSX NGX R65 with an L2 VS may silently drop TCP packets while normal IP connectivity is working (e.g. ping).
Running a VSX NGX R65 L2 VS provides normal L3 security in a L2 network operating mode. The use of this functionality introduces some limitations in the security features of the VSX application.
Due to VSX limitations, it is not possible to disable SmartDefense on an R65 SmartCenter, or the IPS blade on an R70+ SmartCenter. The VSX cluster and each VS fall back to the Default_Profile.
By default, 'SYN_Attack' detection is set to protection mode; however, this feature is not supported by Checkpoint for an L2 VS because of a limitation in the Checkpoint Active Streaming module. The Active Streaming module handles SYN Attack connections and normally acts as a transparent proxy between client and server: it receives the inbound connection, inspects it, modifies the packet, and must then be able to generate the traffic on the outbound connection. In bridge mode this is impossible, since the firewall cannot generate traffic on the outbound connection; it can only inspect traffic.
Since the Active Streaming module cannot handle the connection correctly, it may drop the connection in the kernel. Because this is not an actual attack but a kernel limitation, packets dropped by SYN Defender never reach the point of triggering the log daemon, so no entry is written to the log file.
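Because the drop happens in the kernel before any log is written, the only evidence on the wire is the symptom described above: ICMP echo succeeds while a TCP SYN through the L2 VS gets neither a SYN/ACK nor an RST. The following script is an added diagnostic example, not part of the original article or of any Checkpoint or Nokia tooling; the helper names (probe_tcp, probe_icmp, diagnose, local_self_test) are chosen for this example, and probe_icmp assumes a Linux ping binary that accepts -c and -W. It pairs an ICMP reachability check with a TCP connect and separates a silent drop (timeout) from an active reject (RST), which is the distinction that matters when deciding whether a missing log entry is this VSX limitation or an ordinary firewall reject.

```python
import socket
import subprocess
import sys


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port and classify the outcome.

    'open'    - SYN/ACK received and the handshake completed
    'refused' - RST received: something on the path actively rejected the SYN
    'timeout' - no reply at all: the SYN or the SYN/ACK was silently dropped
    'error'   - any other socket-level failure (DNS, no route, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def probe_icmp(host, count=1, wait_seconds=2):
    """Return True when the host answers an ICMP echo request.

    Assumption: a Linux-style ping binary ('-c' count, '-W' wait in seconds).
    Output is discarded; only the exit status is used.
    """
    cmd = ["ping", "-c", str(count), "-W", str(wait_seconds), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def diagnose(icmp_ok, tcp_state):
    """Combine both probes into a verdict string.

    The combination that matches the L2 VS symptom is ICMP working while the
    TCP SYN times out: L3 connectivity is fine, but the SYN never comes back
    as either SYN/ACK or RST, which is exactly what an unlogged kernel drop
    looks like from the client side.
    """
    if tcp_state == "open":
        return "tcp-ok"
    if not icmp_ok:
        return "host-unreachable"   # L3 problem; not the VSX symptom
    if tcp_state == "timeout":
        return "silent-tcp-drop"    # IP works, SYN vanishes: matches the L2 VS symptom
    if tcp_state == "refused":
        return "tcp-rejected"       # an RST came back, so the drop was not silent
    return "inconclusive"


def local_self_test():
    """Exercise probe_tcp against a loopback listener, then against the same
    port once the listener is closed. Returns (result_while_open, result_after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Usage: python probe.py <host> <tcp-port>
    host, port = sys.argv[1], int(sys.argv[2])
    icmp_ok = probe_icmp(host)
    tcp_state = probe_tcp(host, port)
    verdict = diagnose(icmp_ok, tcp_state)
    print(f"icmp={'ok' if icmp_ok else 'fail'} tcp={tcp_state} verdict={verdict}")
```

Run it from a client behind the L2 VS against a server on the far side; a verdict of silent-tcp-drop alongside an empty firewall log for that connection is the signature of this issue, whereas tcp-rejected means a rule (and normally a log entry) answered the SYN.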
Confirm the behaviour: