
RE: [FW1] Unknown established tcp packet



Hi

Nokia reports that there is a problem with their latest IPSO version and the new
feature called fastpath, which is enabled by default.

The way to fix that for now is to disable fastpath in IPSO.

Nokia has a resolution on their support site:

https://support.nokia.com/knowledge/frmResolutionView.jsp?ResolutionId=5034


It says...

TCP sessions being dropped on IPSO 3.3 and FireWall-1 4.1 SP2/SP3

This issue only appears to crop up when the following is true:

1. IPSO 3.3
2. FireWall-1 4.1 SP2 or SP3
3. Flows is enabled (it is by default)
4. The connection in question has continuous traffic.

Part of this problem comes from how FireWall-1 interacts with the Flows
feature. Flows moves the packets through the OS without involving
FireWall-1, so FireWall-1 doesn't "reset" the timer value for the entry in
the connections table. When the connection is about to expire, FireWall-1
queries IPSO to see how long it has been since it has seen a packet on the
connection. If there is traffic on the connection at the exact second that
FireWall-1 decides to try and "refresh" the connection table entry, the
entry and the corresponding flows get deleted.

Nokia Customer Support has been able to reproduce this problem and has
escalated it to Check Point. Updates to this issue will be placed here. In
the meantime, you can work around this problem by disabling flows per
Resolution 4188.


Which says:

How do I disable firewall flows in IPSO 3.3 and later?

Firewall Flows is designed to increase performance of FireWall-1 on the
Nokia Platform. However, there may be reasons why you would want to
disable it.


To temporarily disable it, one can issue the command:

ipsofwd slowpath

This also clears the flows tables. To re-enable it, use the command:

ipsofwd flowpath

However, it may also be desirable to disable it permanently. This must be
done by modifying $FWDIR/etc/rc/rc.fwload. Replace the "bolded" flowpath
in the following section with slowpath:

    ipsctl -n net:ip:forward:available_modes | grep -q -s flowpath
    if ($status == 0) then
        ipsctl -w net:ip:forward:switch_mode flowpath
    else
        echo "FireWall-1: You are attempting to start the FW on an incompatible OS - exiting" >>& $LOGDIR/fw.log
        exit 1
    endif


You also need to modify $FWDIR/bin/fwstart. Replace the "bolded" flowpath
in the following section with slowpath:

    if ($ipso) then
        # enable flows, if available. Don't need check because it is already checked!
        ipsofwd flowpath
        (cd $FW_BOOT_DIR/modules ; modload -v -A $KERNEL_IS -e fw1_init -p fw.mkdev -o fwmod fwmod.o)
        if ($status) then
            echo "FW-1: modload failed"
            exit 1
        endif
        fw putlic -k


FireWall-1 must be re-started for this change to take effect. Once you
have done that, you can not use the ipsofwd command to re-enable flows.




Hope this solves your problem



Ronny Zellhann
Skanova AB



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
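The permanent change in Resolution 4188 replaces one word in two csh scripts, and the bold that marked which occurrence has not survived on this page. The script below is an added example, not part of the Nokia resolution or of Ronny's message: it rebuilds the two quoted fragments as constructed sample files, rewrites only the mode-setting commands (`ipsctl -w net:ip:forward:switch_mode flowpath` and `ipsofwd flowpath`), leaves the `grep -q -s flowpath` compatibility test alone, keeps a backup so flows can be re-enabled later by restoring it (the resolution says `ipsofwd flowpath` can no longer do that once the scripts are changed), and verifies the result. That the bolded occurrence is the `ipsctl -w` argument rather than the grep pattern is an assumption; the files under a temporary directory stand in for $FWDIR/etc/rc/rc.fwload and $FWDIR/bin/fwstart, so the example runs on any POSIX sh without an IPSO box.

```shell
#!/bin/sh
# Added example: apply the permanent "flowpath -> slowpath" edit from Nokia
# Resolution 4188 to copies of rc.fwload and fwstart, touching only the lines
# that select the forwarding mode. Not part of the resolution or the post.

# make_samples DIR: write constructed copies of the two script fragments quoted
# in the resolution to DIR/rc.fwload and DIR/fwstart. On a real IPSO box the
# targets are $FWDIR/etc/rc/rc.fwload and $FWDIR/bin/fwstart.
make_samples() {
    dir=$1
    cat > "$dir/rc.fwload" <<'EOF'
ipsctl -n net:ip:forward:available_modes | grep -q -s flowpath
if ($status == 0) then
    ipsctl -w net:ip:forward:switch_mode flowpath
else
    echo "FireWall-1: You are attempting to start the FW on an incompatible OS - exiting" >>& $LOGDIR/fw.log
    exit 1
endif
EOF
    cat > "$dir/fwstart" <<'EOF'
if ($ipso) then
    # enable flows, if available. Don't need check because it is already checked!
    ipsofwd flowpath
    (cd $FW_BOOT_DIR/modules ; modload -v -A $KERNEL_IS -e fw1_init -p fw.mkdev -o fwmod fwmod.o)
    if ($status) then
        echo "FW-1: modload failed"
        exit 1
    endif
    fw putlic -k
endif
EOF
}

# disable_flows FILE: keep FILE.orig as a backup (never overwritten on a rerun)
# and rewrite only the two mode-setting commands. The "grep -q -s flowpath"
# test of available_modes is left untouched on purpose: it is the OS
# compatibility check, not the mode switch (assumption: that is the
# occurrence the resolution did NOT bold).
disable_flows() {
    f=$1
    [ -f "$f.orig" ] || cp "$f" "$f.orig" || return 1
    sed -e 's/\(ipsctl -w net:ip:forward:switch_mode[[:space:]]*\)flowpath/\1slowpath/' \
        -e 's/^\([[:space:]]*ipsofwd[[:space:]]*\)flowpath/\1slowpath/' \
        "$f.orig" > "$f"
}

# restore_flows FILE: put the backup back. After the permanent edit the only
# way to get flows again is to restore the scripts and restart FireWall-1,
# since the resolution says "ipsofwd flowpath" no longer re-enables them.
restore_flows() {
    f=$1
    [ -f "$f.orig" ] && cp "$f.orig" "$f"
}

# check_disabled FILE: return 0 only if no mode-setting line in FILE still
# selects flowpath.
check_disabled() {
    f=$1
    grep -q 'switch_mode[[:space:]]*flowpath' "$f" && return 1
    grep -q '^[[:space:]]*ipsofwd[[:space:]]*flowpath' "$f" && return 1
    return 0
}

# Demo on the constructed samples: edit both files and show the resulting diff.
demo_dir=$(mktemp -d) || exit 1
make_samples "$demo_dir"
for script in rc.fwload fwstart; do
    disable_flows "$demo_dir/$script"
    if check_disabled "$demo_dir/$script"; then
        echo "$script: flows disabled (backup kept as $script.orig)"
    else
        echo "$script: edit failed" >&2
    fi
    diff -u "$demo_dir/$script.orig" "$demo_dir/$script" || true
done
```

Run it once to see the two one-line diffs; on a real system you would point `disable_flows` at the actual files, restart FireWall-1 as the resolution says, and keep the `.orig` copies until you have confirmed the dropped-session problem is gone.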




   All contents © 2004 Network Presence, LLC. All rights reserved.