Non-syn rulebase match 4.1

FireWall-1 has significantly changed how it deals with established TCP connections.

Whereas FireWall-1 versions prior to 4.1 SP2 tried to recover TCP connections for which they had no connections table entry, 4.1 SP2 and later simply drop these packets on rule 0 with this error message.

Earlier versions would also drop these packets and display this message only after an attempt at recovering the connection failed.

On an IPSO platform running IPSO 3.3 through 3.4.1 with FireWall-1 4.1, you will sometimes see these messages in an HA configuration with firewall flows enabled. Make sure you are running the FireWall-1 4.1 SP5 hotfix and IPSO 3.4.1, or disable flows with the command ipsofwd slowpath. Add this command to the end of $FWDIR/bin/fwstart to make the change permanent.

In 4.1, you can revert to the old behavior by adding the following line to

$FWDIR/lib/fwui_head.def

#define ALLOW_NON_SYN_RULEBASE_MATCH

on your manager and re-installing the security policy.

This change will affect all the modules this manager controls once they have received a policy install.

You can disable logging of these packets in FireWall-1 4.1 base or 4.1 SP1 by commenting out the following line in $FWDIR/lib/fwui_head.def (place two forward slashes '//' in front of the line).

#define CLUSTER_RULEBASE_MATCH_LOG

In FireWall-1 4.1 SP2 and later, you would comment out the following line in $FWDIR/lib/fwui_head.def:

#define NON_SYN_RULEBASE_MATCH_LOG

Again, these changes need to be made on your manager and the security policy installed. They will then be applied to all systems this manager controls.
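The following script is an added example, not part of the original page or of the FireWall-1 product: it audits which of the two fwui_head.def settings above are active on the manager and applies either change idempotently, keeping a pristine copy of the file. It assumes a POSIX sh with grep -E and sed, and that the file lives at $FWDIR/lib/fwui_head.def unless a path is given.

```sh
#!/bin/sh
# Added example (not from the original page): audit and apply the two
# fwui_head.def settings on the manager. Assumes POSIX sh, grep -E and sed;
# the policy still has to be re-installed for any change to take effect.

# Print 1 if "#define NAME" is active in FILE, 0 if absent or commented out.
define_active() {
    grep -Eq "^[[:space:]]*#define[[:space:]]+$2([[:space:]]|$)" "$1" && echo 1 || echo 0
}

# Keep one pristine copy of the file before the first edit.
backup_once() {
    [ -e "$1.orig" ] || cp "$1" "$1.orig"
}

# Show the effective settings: are non-SYN packets matched against the
# rulebase (pre-SP2 behaviour) and are the resulting rule-0 drops logged?
audit_fwui_head() {
    if [ "$(define_active "$1" ALLOW_NON_SYN_RULEBASE_MATCH)" = 1 ]; then
        match=allowed; else match=dropped; fi
    if [ "$(define_active "$1" CLUSTER_RULEBASE_MATCH_LOG)" = 1 ] ||
       [ "$(define_active "$1" NON_SYN_RULEBASE_MATCH_LOG)" = 1 ]; then
        log=on; else log=off; fi
    echo "non_syn_match=$match non_syn_log=$log"
}

# Revert to the pre-SP2 behaviour; idempotent, so re-running adds nothing.
allow_non_syn_match() {
    [ "$(define_active "$1" ALLOW_NON_SYN_RULEBASE_MATCH)" = 1 ] && return 0
    backup_once "$1"
    [ -z "$(tail -c 1 "$1")" ] || printf '\n' >> "$1"   # ensure trailing newline
    printf '#define ALLOW_NON_SYN_RULEBASE_MATCH\n' >> "$1"
}

# Silence the rule-0 log entries by prefixing '//' to whichever define the
# installed release uses (CLUSTER_... on 4.1 base/SP1, NON_SYN_... on SP2+).
disable_non_syn_log() {
    backup_once "$1"
    sed -e 's|^\([[:space:]]*#define[[:space:]]\{1,\}CLUSTER_RULEBASE_MATCH_LOG\)|//\1|' \
        -e 's|^\([[:space:]]*#define[[:space:]]\{1,\}NON_SYN_RULEBASE_MATCH_LOG\)|//\1|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: sh fwui_head.sh audit|allow|nolog [FILE]; no arguments only defines the functions.
case "${1:-}" in
    audit) audit_fwui_head "${2:-$FWDIR/lib/fwui_head.def}" ;;
    allow) allow_non_syn_match "${2:-$FWDIR/lib/fwui_head.def}" ;;
    nolog) disable_non_syn_log "${2:-$FWDIR/lib/fwui_head.def}" ;;
esac
```

Run `audit` before and after a policy install to confirm the manager's copy matches what you expect the modules to have received.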
