OK, I'll try and explain this as best I can,
Some months ago I set up an Anti-spam/Anti-virus gateway on my network. I placed it in a DMZ. When originally set up, Checkpoint was at version NG FP3. My problem is the following:
As part of the AS/AV gateway's spam detection I was trying to allow it to communicate with two spamcop servers, vmx1 and vmx2.spamcop.net. The reporting call goes out on TCP port 587. I also expect a reply over this connection.
I set up two security rules:
1. my_gateway to any over any for tcp 587 accept log
when this rule failed to produce the goods I later added
2. vmx1 and vmx2.spamcop.net to my_gateway over any for any accept log
The call out to vmx1 or vmx2.spamcop.net:587 goes out, no problems. However, subsequent replies are dropped by the firewall, for example;
vmx2.spamcop.net (tcp 587) to my_gateway (origin outbound source port) dropped ...
... reason 'TCP port out of state: first packet isn't SYN tcp_flags: FIN-ACK
OK, so I thought,
1. the call is going out
2. the reply is being sent
3. the firewall is stopping the reply
So then I thought that the session was timing out in the state table. I then went to the customised TCP service object for port 587 and changed it from the default timeout of 3600 seconds to 7200 seconds.
No change, packets still going out and replies still being stopped.
The firewall has been upgraded to NGX R65 in the meantime and still no change.
I believe there may be a delay in the reply by necessity, hence my efforts to extend the timeout. Is there any way I can exempt this specific type of call from the usual 'State' checks. I'm GUESSING SmartDefence is at the core of this.
Thankfully, the AS/AV gateway performs quite well despite this because it uses other checks, but I'd like to see if it improves with these calls working, and besides, it's one of those nagging problems!
I'd love to know if anyone has come across this specific issue or indeed, something akin to it.
cheers
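As an added illustration (not part of the post above, and not Check Point code), here is a toy model of a stateful firewall's TCP connection table. It shows one way the logged reason "first packet isn't SYN tcp_flags: FIN-ACK" can arise even though both rules allow the traffic: the state check runs before the rulebase, and a connection entry that has already aged out is treated as if it never existed. The timeout values, the separate post-FIN timer and the packet timings are constructed assumptions for the illustration, not the poster's measured values.

```python
# Toy stateful-inspection model (constructed illustration, not firewall code).
from dataclasses import dataclass

@dataclass
class Entry:
    last_seen: float           # time of the last packet matched to this connection
    half_closed: bool = False  # our side (my_gateway) has already sent FIN

class StateTable:
    def __init__(self, idle_timeout=3600, end_timeout=20):
        self.idle_timeout = idle_timeout  # assumed: silence allowed on an established flow
        self.end_timeout = end_timeout    # assumed: time allowed to finish the FIN handshake
        self.table = {}

    def _expired(self, e, now):
        limit = self.end_timeout if e.half_closed else self.idle_timeout
        return now - e.last_seen > limit

    def process(self, now, src, dst, flags):
        """Return 'accept' or a drop reason. Models only the state check that a
        stateful firewall applies to every non-SYN TCP packet before the rulebase."""
        key = frozenset({src, dst})       # one entry covers both directions
        e = self.table.get(key)
        if e is not None and self._expired(e, now):
            del self.table[key]           # aged-out entry is gone; later packets look new
            e = None
        if flags == "SYN":
            self.table[key] = Entry(last_seen=now)   # new flow; rulebase decides later
            return "accept"
        if e is None:
            return f"TCP port out of state: first packet isn't SYN tcp_flags: {flags}"
        e.last_seen = now
        if flags == "FIN" and src[0] == "my_gateway":  # we closed; peer must finish soon
            e.half_closed = True
        return "accept"

def run(packets, **timeouts):
    st = StateTable(**timeouts)
    return [st.process(*p) for p in packets]

# Constructed exchange with the reporting server (times in seconds).
GW, VMX = ("my_gateway", 51000), ("vmx2.spamcop.net", 587)
SESSION = [
    (0, GW, VMX, "SYN"), (1, VMX, GW, "SYN-ACK"), (1, GW, VMX, "ACK"),
    (2, GW, VMX, "PSH-ACK"),
    (5, GW, VMX, "FIN"),        # gateway finishes its report and closes
    (60, VMX, GW, "FIN-ACK"),   # server's close arrives 55 s later
]
```

In this model, raising idle_timeout from 3600 to 7200 changes nothing for the late FIN-ACK, because the half-closed entry is governed by the much shorter end timer; only that timer, or the server's reply latency, decides whether the final packet is still "in state".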