saudi sans wrote:
> We are having Nokia Checkpoint in load balancing mode.
> In the Checkpoint logs we get DROP packets messages "TCP packet out of
> state: First packet isn't SYN;".It looks like out-of-state packets are
> getting dropped. I am NOT worried about this.
> What is worrying is source IP of the packets is of the Firewall
> interface itself. The destination address/port is of the server
> protected by the Firewall.
> I am trying to investigate how can we get packets with source IP as
> Firewall interface.
> My doubts:
> 1. When Checkpoint encounters an out-of-state packet and DROP it, does
> it log the message with source-IP as of the Firewall.
> 2. Assuming the Firewall is configured properly, what are the other
> instances when we get DROP traffic logs with source-address as of the
> Firewall interface
> Am I totally on the wrong direction in this investigation?


Have you checked that the cluster is in sync?
You could also try to run "fw ctl zdebug drop" on the GW module to see
if this gives you further info on the drop..

To get a better picture you might want to run a tcpdump on the GW with
"fw monitor -o $HOSTNAME.pcap" and have a look at it with wireshark this
can give you a clue where the packet came from.

firewall-wizards mailing list