TCP, UDP, and SCTP Services - General
What can I do here?
Use this window to define general properties for TCP, UDP, and SCTP services.
Getting Here - Object Explorer > New > Service > TCP/UDP/SCTP > General
Understanding TCP, UDP, and SCTP Resources
Use a TCP Resource to perform CVP or UFP content security on any TCP Service, using a third party OPSEC compliant application.
The TCP resource turns on genericid, a generic daemon (security server) that receives data packets and sends them to a CVP or UFP server, as defined by the TCP Resource.
The TCP Resource is triggered when a Rule includes the TCP Resource, and a connection is encountered that matches the Source and Destination of the Rule, and also matches the TCP service that is associated with the TCP resource. If there is a match, then the action specified in the rule is applied.
To create a Rule with a TCP Resource, the TCP Resource must be associated with a particular TCP service. Only TCP services where Enable for TCP resource is checked can be associated with a TCP resource.
Match for 'Any' and Source Port
When installing a policy that contains services that have source ports (specified in the Advanced window) that require the Match for 'Any' option to be selected, a warning appears. The policy will be installed with a warning (for each such service), since Match for 'Any' is not supported for services that contain source port specification.
TCP, UDP, and SCTP General Options
- . Select the protocol type associated with the service, and by implication, the management server (if any) that enforces Content Security and Authentication for the service. Selecting a Protocol Type invokes the specific protocol handlers for that protocol type, thus enabling a higher level of security by parsing the protocol, and a higher level of connectivity by tracking dynamic actions (such as the opening of ports).
- . Check Point has created a unique signature for each protocol and stored it on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.
- is the number of the port used to provide this service. To specify a port range, place a hyphen between the lowest and highest port numbers, for example 44-55.
Understanding SCTP
Stream Control Transmission Protocol (SCTP) is a message-based, multi-streaming transport layer protocol commonly used in telephony applications.
Configuring SCTP Inspection
When a Carrier license is installed, you can specify SCTP services in your Firewall rules. SCTP Inspection occurs in these cases:
- There is a match on a rule containing an SCTP or Diameter SCTP service in the cell.
- There is a match on a rule with = and this SCTP service has selected.
To activate SCTP Inspection:
- Open > > Object Explorer > > >.
The s window opens.
On the page:
- - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
- - The number of the port that matches this service.
- Click .
- - Port number for the client side service. If specified, only those Source port Numbers will be Accepted, Dropped, or Rejected during packet inspection. Otherwise, the source port is not inspected.
- - If the connections are not allowed in the new policy, they are still kept. This overrides the settings in the Connection Persistence page. If you change this property, the change does not affect open connections, only future connections.
- - Set the virtual session timeout, or keep the default value (in seconds).
- - Sets short (aggressive) timeouts for idle connections. When a connection is idle for more than its aggressive timeout value, it is marked as eligible for deletion. When memory consumption or connections table capacity exceeds a user-defined threshold (high watermark), aggressive aging starts. Each incoming connection starts to delete k (10 by default) connections that are eligible for deletion. This continues until memory consumption or connections capacity decreases below the low value.
- - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Of the services allowed by the Rule Base, only those with selected are synchronized as they go through the cluster. By default, all new and existing services are synchronized.
- Click .
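The aggressive aging behaviour described above, modelled as an added Python example (not Check Point code): the table starts deleting eligible idle entries once it crosses a high watermark, k per incoming connection, and stops once it drops below the low watermark. The watermark fractions, the aggressive timeout, k, and the session keys are constructed values assumed for the illustration.

```python
class ConnectionsTable:
    """Connections table with aggressive aging as described on this page.
    Watermarks, aggressive timeout and k are constructed defaults (assumption)."""

    def __init__(self, capacity, high_wm=0.8, low_wm=0.6, aggressive_timeout=10.0, k=10):
        self.capacity = capacity
        self.high = high_wm * capacity   # crossing this starts aggressive aging
        self.low = low_wm * capacity     # dropping below this stops it
        self.aggressive_timeout = aggressive_timeout
        self.k = k                       # entries deleted per incoming connection
        self.conns = {}                  # session key -> time of last packet seen
        self.aggressive = False

    def eligible(self, now):
        # idle longer than the aggressive timeout => eligible for deletion
        return [s for s, ts in self.conns.items() if now - ts > self.aggressive_timeout]

    def new_connection(self, key, now):
        if len(self.conns) >= self.high:
            self.aggressive = True
        if self.aggressive:
            # each incoming connection deletes up to k eligible entries, idlest first
            for s in sorted(self.eligible(now), key=self.conns.get)[: self.k]:
                del self.conns[s]
            if len(self.conns) < self.low:
                self.aggressive = False
        if len(self.conns) >= self.capacity:
            return False                 # table full: connection is not tracked
        self.conns[key] = now
        return True

    def packet(self, key, now):
        # traffic on a tracked session refreshes it so it is no longer eligible
        if key in self.conns:
            self.conns[key] = now

def simulate():
    """Constructed scenario: 81 idle associations, one kept alive, four new ones later."""
    def sess(i):
        return ("10.0.0.%d" % i, 40000 + i, "10.1.1.1", 3868, "sctp")
    t = ConnectionsTable(capacity=100)
    for i in range(81):
        t.new_connection(sess(i), now=0.0)  # hits the high watermark; nothing idle yet
    t.packet(sess(5), now=19.0)             # keep one session alive
    sizes = [len(t.conns)]
    for i in range(81, 85):
        t.new_connection(sess(i), now=20.0)
        sizes.append(len(t.conns))
    return sizes, t.aggressive, sess(5) in t.conns
```

The table size steps down by k minus the one new entry on each incoming connection until it falls below the low watermark, after which new connections are simply added again.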
- Open > .
Configure these options:
| Option | Meaning | Attribute name in GuiDBedit |
| --- | --- | --- |
| SCTP start timeout | An SCTP connection times out if the interval between the arrival of the first packet and establishment of the connection (SCTP four-way handshake) exceeds the SCTP start timeout, in seconds. | sctpstarttimeout |
| SCTP session timeout | Length of time an idle connection remains in the Security Gateway connections table. | sctptimeout |
| SCTP end timeout | An SCTP connection terminates only SCTP end timeout seconds after two FIN packets (one in each direction: client-to-server and server-to-client) or an RST packet. | sctpendtimeout |
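The three timeouts in the table above applied to a tracked SCTP association, as an added Python example (not Check Point code). The timeout values are constructed; the gateway's own values come from the attributes listed in the table. Treating the first data packet as the end of the four-way handshake is a simplification assumed here.

```python
from dataclasses import dataclass

# Constructed values for this example; the gateway's own values are the
# sctpstarttimeout / sctptimeout / sctpendtimeout attributes (assumption).
SCTP_START_TIMEOUT = 30      # seconds allowed for the four-way handshake
SCTP_TIMEOUT = 3600          # idle seconds before an established association is removed
SCTP_END_TIMEOUT = 20        # seconds kept after two FINs (or an RST) before removal

@dataclass
class SctpEntry:
    first_seen: float         # arrival of the first packet of the association
    last_seen: float          # arrival of the most recent packet
    state: str = "handshake"  # handshake -> established -> closing
    fin_c2s: bool = False     # FIN seen client-to-server
    fin_s2c: bool = False     # FIN seen server-to-client
    closed_at: float = 0.0    # time the end condition (two FINs or RST) was met

def on_packet(e, now, kind, direction="c2s"):
    """kind is 'data', 'fin' or 'rst'; direction is 'c2s' or 's2c'."""
    e.last_seen = now
    if e.state == "handshake" and kind == "data":
        e.state = "established"   # simplification: first data packet ends the handshake
    if kind == "fin":
        if direction == "c2s":
            e.fin_c2s = True
        else:
            e.fin_s2c = True
    if e.state != "closing" and (kind == "rst" or (e.fin_c2s and e.fin_s2c)):
        e.state, e.closed_at = "closing", now
    return e

def expired(e, now):
    """Each state is governed by exactly one of the three timeouts."""
    if e.state == "handshake":
        return now - e.first_seen > SCTP_START_TIMEOUT
    if e.state == "established":
        return now - e.last_seen > SCTP_TIMEOUT
    return now - e.closed_at > SCTP_END_TIMEOUT
```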
Configure these options for :
| Option | Meaning | Attribute name in GuiDBedit |
| --- | --- | --- |
| Drop out of state SCTP packets | Drop SCTP packets that are not consistent with the current state of the SCTP connection. | fw_drop_out_of_state_sctp |
| Log on drop | Generate a log entry when out of state SCTP packets are dropped. | fw_log_out_of_state_sctp |
To deactivate out of state packet drop in SmartConsole:
- Open > .
- Clear the option.
- Save and install the policy.
To deactivate packet inspection using GuiDBedit:
- Open GuiDBedit.
- Search for: fw_sctp_packet_inspection.
- Set the property to .
- Save the database and install policy.
Configuring SCTP Acceleration
To enable SCTP acceleration, run: sim feature sctp on
To disable SCTP acceleration, run: sim feature sctp off
Note: If SCTP acceleration is activated and SCTP inspection is deactivated, the Performance Pack accelerates all SCTP packet types.
Configuring SCTP NAT
SCTP NAT overrides the defined NAT policy. When this feature is not activated, SCTP connections do not use NAT.
To activate SCTP NAT, on the Security Gateway run: fw ctl set int fwx_enable_sctp_nat 1
To deactivate SCTP NAT, run: fw ctl set int fwx_enable_sctp_nat 0