Problems with Stateful Inspection of TCP Connections

The problem with using a stateful firewall is that if the applications that go through it have a slightly different concept of what proper TCP state should be, or if the firewall makes invalid assumptions, some services will cease to function. The following subsections explain what some of those errors are and how to fix them.

6.20. TCP Packet Out of State

The “TCP Packet out of state” error message means that FireWall-1 sees a TCP ACK packet for which it does not have a matching state table entry. This may occur because the connection was inactive for a period of time or because the connection tables were flushed (e.g., by a policy installation or restart).
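The two causes named above can be reproduced with a toy state table. This is an added example, not code from the book or from FireWall-1; the `StateTable` class, the 3600-second idle timeout, the addresses and the traffic are all constructed for illustration, and rule-base matching is assumed to permit the connection.

```python
from dataclasses import dataclass, field
SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass
class StateTable:
    """Toy connection table; a model of the behaviour, not FireWall-1 code."""
    idle_timeout: float = 3600.0  # seconds; assumed value for this example
    entries: dict = field(default_factory=dict)  # conn key -> last-seen time

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent key so replies match the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def flush(self):
        # Models a policy installation or restart clearing the table.
        self.entries.clear()

    def inspect(self, now, src, sport, dst, dport, flags):
        k = self.key(src, sport, dst, dport)
        last = self.entries.get(k)
        if last is not None and now - last > self.idle_timeout:
            del self.entries[k]  # entry aged out while the connection sat idle
            last = None
        if last is not None:
            self.entries[k] = now  # known connection: refresh idle timer
            return "accept"
        if (flags & SYN) and not (flags & ACK):
            self.entries[k] = now  # only a bare SYN may create an entry
            return "accept (new)"
        return "drop: TCP packet out of state"

def replay(table, events):
    results = []
    for ev in events:
        if ev == "flush":
            table.flush()
            results.append("flush")
        else:
            results.append(table.inspect(*ev))
    return results

# Constructed traffic: (time, src, sport, dst, dport, flags)
A, B, S = ("10.0.0.5", 40000), ("10.0.0.5", 40001), ("192.0.2.10", 22)
EVENTS = [(0, *A, *S, SYN), (1, *S, *A, SYN | ACK), (2, *A, *S, ACK),
          (4000, *A, *S, ACK),            # idle for longer than the timeout
          (4100, *B, *S, SYN), (4101, *B, *S, ACK), "flush",
          (4102, *B, *S, ACK)]            # table flushed mid-connection

if __name__ == "__main__":
    print(*replay(StateTable(), EVENTS), sep="\n")
```

In both failing cases the endpoints still consider the connection established, so they keep sending ACK packets that the table can no longer match.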

A little history is in order here. ...

Get Essential Check Point™ FireWall-1® NG: An Installation, Configuration, and Troubleshooting Guide now with the O’Reilly learning platform.
