
TCP, UDP, and SCTP Services - General

What can I do here?

Use this window to define general properties for TCP, UDP, and SCTP services.

Getting Here

Object Explorer > New > Service > TCP/UDP/SCTP > General

Understanding TCP, UDP, and SCTP Resources

Use a TCP Resource to perform CVP or UFP content security on any TCP Service, using a third party OPSEC compliant application.

The TCP resource turns on genericid, a generic daemon (security server) that receives data packets and sends them to a CVP or UFP server, as defined by the TCP Resource.

The TCP Resource is triggered when a Rule includes the TCP Resource, and a connection is encountered that matches the Source and Destination of the Rule, and also matches the TCP service that is associated with the TCP resource. If there is a match, then the action specified in the rule is applied.

To create a Rule with a TCP Resource, the TCP Resource must be associated with a particular TCP service. Only TCP services where Enable for TCP resource is checked can be associated with a TCP resource.

Match for 'Any' and Source Port

When you install a policy that contains services with a source port (specified in the Advanced window) and the Match for 'Any' option selected, a warning appears for each such service. The policy is still installed, with the warning, because Match for 'Any' is not supported for services that specify a source port.

TCP, UDP, and SCTP General Options

Understanding SCTP

Stream Control Transmission Protocol (SCTP) is a message-based, multi-streaming transport layer protocol commonly used in telephony applications.

Configuring SCTP Inspection

When a Carrier license is installed, you can specify SCTP services in your Firewall rules. SCTP Inspection occurs in these cases:

To activate SCTP Inspection:

  1. Open SmartConsole > Menu > Object Explorer > New > Service > SCTP.

    The SCTP Properties window opens.

    On the General page:

    • Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
    • Port - The number of the port that matches this service.
  2. Click Advanced.
    • Source Port - Port number for the client side of the service. If specified, only packets with those source port numbers are accepted, dropped, or rejected during packet inspection. Otherwise, the source port is not inspected.
    • Keep connections open after policy has been installed - If the connections are not allowed in the new policy, they are still kept. This overrides the settings in the Connection Persistence page. If you change this property, the change does not affect connections that are already open, only future connections.
    • Virtual session timeout - Set the virtual session timeout (in seconds) or keep the default value.
    • Enable Aggressive Aging - Sets short (aggressive) timeouts for idle connections. When a connection is idle for longer than its aggressive timeout value, it is marked as eligible for deletion. When memory consumption or connections table capacity exceeds a user-defined threshold (high watermark), aggressive aging starts. Each incoming connection then deletes k (10 by default) connections that are eligible for deletion. This continues until memory consumption or connections table capacity falls below the low-watermark threshold.
    • Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Of the services allowed by the Rule Base, only those with Synchronize connections on cluster selected are synchronized as they go through the cluster. By default, all new and existing services are synchronized.
  3. Click OK.
  4. Open Global properties > Stateful Inspection.

    Configure these Stateful Inspection options:

Option

Meaning

SCTP start timeout

  • An SCTP connection times out if the interval between the arrival of the first packet and establishment of the connection (SCTP four-way handshake) exceeds the SCTP start timeout, in seconds.
  • Attribute name in GuiDBedit: sctpstarttimeout

SCTP session timeout

  • Length of time an idle connection remains in the Security Gateway connections table.
  • Attribute name in GuiDBedit: sctptimeout

SCTP end timeout

  • An SCTP connection terminates only SCTP end timeout seconds after two FIN packets (one in each direction: client-to-server and server-to-client) or an RST packet.
  • Attribute name in GuiDBedit: sctpendtimeout

Configure these options for Out of state packets:

Option

Meaning

Drop out of state SCTP packets

  • Drop SCTP packets that are not consistent with the current state of the SCTP connection.
  • Attribute name in GuiDBedit: fw_drop_out_of_state_sctp

Log on drop

  • Generates a log entry when out of state SCTP packets are dropped.
  • Attribute name in GuiDBedit: fw_log_out_of_state_sctp
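As an added illustration (not Check Point code or documentation), the Python model below shows how the three Stateful Inspection timeouts and the two out-of-state options above combine to decide whether an SCTP packet is accepted or dropped and whether a log entry is written. The settings values, the five-tuple key and the packet events are constructed; the event names (init, handshake_done, data, fin, rst) are a simplification of the handshake/FIN/RST wording used in the tables.

```python
# Constructed settings; the keys are the GuiDBedit attribute names listed above.
SETTINGS = {
    "sctpstarttimeout": 30,   # seconds allowed to finish the four-way handshake
    "sctptimeout": 3600,      # idle timeout for an established connection
    "sctpendtimeout": 20,     # seconds a closed connection lingers in the table
    "fw_drop_out_of_state_sctp": True,
    "fw_log_out_of_state_sctp": True,
}
TIMEOUT_KEY = {"start": "sctpstarttimeout", "established": "sctptimeout",
               "end": "sctpendtimeout"}

class SctpTable:
    """Toy model of the gateway connections table for SCTP (not Check Point code)."""

    def __init__(self, settings):
        self.s, self.conns, self.logs = settings, {}, []

    def _out_of_state(self, key, kind, now):
        if not self.s["fw_drop_out_of_state_sctp"]:
            return "accept"  # drop disabled: the packet passes through
        if self.s["fw_log_out_of_state_sctp"]:
            self.logs.append(f"t={now}: dropped out-of-state {kind} for {key}")
        return "drop"

    def packet(self, key, kind, direction, now):
        """kind: init, handshake_done, data, fin or rst; direction: c2s or s2c."""
        c = self.conns.get(key)
        if c and now - c["seen"] > self.s[TIMEOUT_KEY[c["state"]]]:
            del self.conns[key]  # the timer for the current state has expired
            c = None
        if c is None:
            if kind != "init":
                return self._out_of_state(key, kind, now)
            self.conns[key] = {"state": "start", "seen": now, "fins": set()}
            return "accept"
        allowed = {"start": ("init", "handshake_done"),
                   "established": ("data", "fin", "rst"), "end": ("fin", "rst")}
        if kind not in allowed[c["state"]]:
            return self._out_of_state(key, kind, now)
        c["seen"] = now
        if kind == "handshake_done":
            c["state"] = "established"
        elif kind == "rst":
            c["state"] = "end"
        elif kind == "fin":
            c["fins"].add(direction)
            if c["fins"] == {"c2s", "s2c"}:
                c["state"] = "end"  # sctpendtimeout now counts down
        return "accept"
```

A packet that arrives for an entry whose timer has already expired is treated exactly like a packet with no entry at all, which is why a late handshake completion or a late FIN is dropped and logged rather than reviving the connection.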

To deactivate out of state packet drop in SmartConsole:

  1. Open Menu > Global properties > Stateful Inspection.
  2. Clear the Drop out of state SCTP packets option.
  3. Save and install the policy.

To deactivate packet inspection using GuiDBedit:

  1. Open GuiDBedit.
  2. Search for: fw_sctp_packet_inspection.
  3. Set the property to false.
  4. Save the database and install policy.

Configuring SCTP Acceleration

To enable SCTP acceleration, run: sim feature sctp on

To disable SCTP acceleration, run: sim feature sctp off

Note: If SCTP acceleration is activated and SCTP inspection is deactivated, the Performance Pack accelerates all SCTP packet types.

Configuring SCTP NAT

SCTP NAT overrides the defined NAT policy. When this feature is not activated, SCTP connections do not use NAT.

To activate SCTP NAT:

On the Security Gateway, run: fw ctl set int fwx_enable_sctp_nat 1

To deactivate SCTP NAT, run: fw ctl set int fwx_enable_sctp_nat 0