Hi,
I have some questions regarding this sk101221. I am not sure if I understand the differences correctly. Furthermore, I cannot submit any feedback on the Check Point page: it keeps telling me "Submitting" but it never does.
So I just paste here the questions and comments I wanted to send to Check Point, without any other formatting:
##############################
Hello,
I have difficulties understanding the different kernel parameter values and their differences.
So please tell me if my understanding is correct:
1.) When "fw ctl set int fwconn_tcp_state_logging 0" (default) is set, I can only see one "Accept" log in SmartView Tracker for the connection, independent of whether the 2-way handshake or something else happened successfully.
2.) When "fw ctl set int fwconn_tcp_state_logging 1" is set, I see one "Accept" log entry in SmartView Tracker for the first TCP SYN. Do I see additional logs in SmartView Tracker for other states? If I understand correctly, I would only expect "DST FIN" and "SRC FIN", AND only for connections which were NOT in established state? So the 3-way handshake never finishes, right?
How many additional logs can I expect in Tracker? By default there is the "TCP SYN" log, which I can always see, and then another log which contains "SRC FIN" or "DST FIN", right?
3.) When "fw ctl set int fwconn_tcp_state_logging 2" is set, I can expect additional logs for "DST FIN", "SRC FIN", "SYN_SENT" and "SYNACK"? So I would only expect one additional log, right?
4.) When "fw ctl set int fwconn_tcp_state_logging 3" is set, I can expect all TCP states mentioned in the SK. AND I see the default "Accept" log for TCP SYN, and I must see the following additional logs depending on the case:
4a) Connection established and successfully finished (ESTABLISHED, BOTH FIN)
4b) Connections established but finished only from one side (ESTABLISHED, DST FIN, SRC FIN)
4c) Connection not established successfully (SYN SENT, SYNACK)
So I am not sure how you came to the conclusion that with "fw ctl set int fwconn_tcp_state_logging 3" I must expect 4-5 times the logs?
- So please help me to understand which TCP states I can expect for which kernel parameter value.
- Please explain to me how many additional logs I can expect per kernel parameter value (worst case and best case).
- Please tell me if there is a way in SmartView Tracker to follow a connection state. For example, if I see the initial TCP SYN "Accept" log in SmartView Tracker, is there a way, like "Follow TCP Stream" in Wireshark, to see all additional logs for this connection?
- Is there a way in SmartView Tracker or SmartLog to search for all "Accept" packets which have the additional state information set? I would try to search for all connections which have "SRC FIN" or "DST FIN" or "SYN SENT" or "SYNACK" set, because such a connection could be one I need to have a deeper look into.
- What kind of performance impact do I have to expect? Will it cost performance depending on firewalling/deep inspection power, or will it cost more performance related to the additional number of logs which are sent? So if it is only the number of logs, then it will cost performance on the gateway itself and on the destination log server, right?
- Which process/daemon is responsible for that on the gateway, so that I can compare the default setting with the other settings in my environment and find out if it is "OK" or "NOT OK" to enable these features in my environment?
PS:
I am using R77.10 - please explain and document if there are differences between R77.x and perhaps R80 - if there are any differences you know about yet.
This SK is very useful and helpful but needs some more explanation of what the differences are.
#########################
Can someone enlighten me? :-)
Regards
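One way to do the "follow the connection" and "search for state information" parts of this question offline, on exported log lines instead of inside SmartView Tracker. This is an added example and not code from the original post or from Check Point: the line format, the field name tcp_state and the sample entries are constructed assumptions (a real log export uses its own field names, so parse_line has to be adapted to it). It groups the per-state "Accept" entries by 4-tuple, so that one connection can be followed across all its log lines, and then reports the connections that never reached ESTABLISHED or were only closed from one side, which are the ones the question singles out for a deeper look.

```python
"""Follow TCP state logs per connection and flag the ones worth a closer look.

Added example. The key=value line format, the field names (action, proto,
src, sport, dst, dport, tcp_state) and the sample entries below are all
constructed assumptions, not Check Point's real export format.
"""
from collections import defaultdict

# Constructed sample export: one line per state log of an accepted connection.
SAMPLE_LOG = """\
time=10:00:01; action=accept; proto=tcp; src=10.1.1.5; sport=51000; dst=192.0.2.10; dport=443; tcp_state=TCP SYN
time=10:00:01; action=accept; proto=tcp; src=10.1.1.5; sport=51000; dst=192.0.2.10; dport=443; tcp_state=SYNACK
time=10:00:01; action=accept; proto=tcp; src=10.1.1.5; sport=51000; dst=192.0.2.10; dport=443; tcp_state=ESTABLISHED
time=10:00:09; action=accept; proto=tcp; src=10.1.1.5; sport=51000; dst=192.0.2.10; dport=443; tcp_state=SRC FIN
time=10:00:09; action=accept; proto=tcp; src=10.1.1.5; sport=51000; dst=192.0.2.10; dport=443; tcp_state=BOTH FIN
time=10:00:20; action=accept; proto=tcp; src=10.1.1.7; sport=52000; dst=192.0.2.20; dport=22; tcp_state=TCP SYN
time=10:00:20; action=accept; proto=tcp; src=10.1.1.7; sport=52000; dst=192.0.2.20; dport=22; tcp_state=SYN SENT
time=10:00:31; action=accept; proto=tcp; src=10.1.1.9; sport=53000; dst=192.0.2.30; dport=80; tcp_state=TCP SYN
time=10:00:31; action=accept; proto=tcp; src=10.1.1.9; sport=53000; dst=192.0.2.30; dport=80; tcp_state=ESTABLISHED
time=10:00:40; action=accept; proto=tcp; src=10.1.1.9; sport=53000; dst=192.0.2.30; dport=80; tcp_state=DST FIN
time=10:00:50; action=accept; proto=udp; src=10.1.1.9; sport=40000; dst=192.0.2.53; dport=53
"""


def parse_line(line):
    """Split one 'k=v; k=v' line into a dict (assumed format)."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def follow_connections(log_text):
    """Return {(src, sport, dst, dport): [states in log order]} for TCP accepts.

    This is the offline equivalent of 'following' one connection: every
    state log that shares the 4-tuple lands in the same list.
    """
    conns = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "accept" or f.get("proto") != "tcp":
            continue
        state = f.get("tcp_state")
        if state:
            conns[(f["src"], f["sport"], f["dst"], f["dport"])].append(state)
    return dict(conns)


def classify(states):
    """Summarise a connection from the set of states seen for it."""
    seen = set(states)
    if "BOTH FIN" in seen:
        return "closed cleanly"
    if "ESTABLISHED" not in seen:
        return "never established"      # only SYN / SYN SENT / SYNACK seen
    if "SRC FIN" in seen or "DST FIN" in seen:
        return "half-closed"            # finished from one side only
    return "established, still open"


def suspicious_connections(log_text):
    """Connections that did not close cleanly, keyed by 4-tuple."""
    result = {}
    for key, states in follow_connections(log_text).items():
        verdict = classify(states)
        if verdict != "closed cleanly":
            result[key] = verdict
    return result


if __name__ == "__main__":
    for key, verdict in suspicious_connections(SAMPLE_LOG).items():
        src, sport, dst, dport = key
        print(f"{src}:{sport} -> {dst}:{dport}: {verdict}")
```

The 4-tuple is enough here because the sample only contains TCP; a real export would also need the protocol, and the log time, in the key once port reuse across long exports is possible.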