CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I'm having some issues with scanning across my clusters. While I realize that we need to dial back the scanning, it definitely concerns me should we get a true SYN attack or DoS. I'm really not sure what I'm missing, so I'm looking for some help.

Setup: I'm running NG AI R55 in a load sharing cluster with 2 machines. The servers are Sun V240s with dual CPU and 4 Gb RAM. Mgmt is a Sun V210 w/ NGX 65.

Scenario: If we scan with NMAP across the firewall it will cause a kernel panic and the firewall will crash. It doesn't happen every time and not always the same box. I've upped the connection limit table to 100000 and that helps somewhat. I've also increased the log buffer limit in /etc/system based on an SK article I saw that said if it fills the machine could panic.

Any help would be greatly appreciated.

Kris
What HFA level are you on for R55? I've never heard of this happening, and the firewall should be able to protect itself. What do you allow for connections to the firewall itself?

Ray
We're currently on HFA_18. I should have been a little clearer on the problem description. This happens when we are scanning through the firewalls, i.e. scanning boxes sitting out on a DMZ. The machines doing the scanning essentially have an any, any rule for them. Obviously this could cause connection table limit issues, hence the reason we upped that to 100000. However, the scan that caused the last crash was only ports 1-1023 on 15 hosts, which shouldn't have caused an issue even at the default setting.

Kris
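Counting probes the way the post above does (15 hosts x ports 1-1023, roughly 15,000 entries) leaves out time: what the connections table holds at any instant is whatever was sent inside one start-timeout window, so a fast scan against ports that never answer plateaus at scan rate x timeout entries, while a slow one never comes close to the limit. The simulation below is an added example, not code from the thread or from Check Point; the table limit, the 25-second start timeout, the scan rate and the fraction of answered ports are assumed sample values, so substitute the ones from your own policy.

```python
from collections import deque


def simulate_scan(total_probes, probes_per_sec, timeout_sec, table_limit,
                  answered_fraction=0.0):
    """Walk a scan one second at a time and track live connection entries.

    Every probe the policy accepts opens an entry. Probes to ports that
    answer (RST or SYN-ACK) are assumed to close their entry within the
    same second; the rest linger until the start timeout expires. Returns
    the peak number of live entries, the first second (if any) at which
    the table limit was exceeded, and how long the table stayed busy.
    """
    lingering = deque()  # (expiry_second, entries), in arrival order
    live = peak = sent = second = 0
    first_over = None
    while sent < total_probes or lingering:
        # retire entries whose start timeout has elapsed
        while lingering and lingering[0][0] <= second:
            live -= lingering.popleft()[1]
        # send this second's batch; only unanswered probes keep an entry
        batch = min(probes_per_sec, total_probes - sent)
        sent += batch
        kept = batch - int(batch * answered_fraction)
        if kept:
            lingering.append((second + timeout_sec, kept))
            live += kept
        peak = max(peak, live)
        if first_over is None and live > table_limit:
            first_over = second
        second += 1
    return {"peak_live": peak, "first_second_over_limit": first_over,
            "busy_seconds": second}


def max_safe_rate(table_limit, timeout_sec, reserve=0.2):
    """Largest probe rate whose lingering entries stay under the limit,
    leaving `reserve` of the table free for real traffic (assumed margin)."""
    return table_limit * (1 - reserve) / timeout_sec


if __name__ == "__main__":
    # constructed sample: the thread's scan at 1000 probes/s, 25 s timeout,
    # against an assumed 25000-entry table
    print(simulate_scan(15 * 1023, 1000, 25, 25000))
    print(max_safe_rate(100000, 25))
```

The `answered_fraction` parameter models hosts that reply to closed ports; scanning a DMZ that drops rather than rejects is the worst case for the table.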