By default, all traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The ASA maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection).
TCP packets that match existing connections in the fast path can pass through the ASA without rechecking every aspect of the security policy. This feature maximizes performance. However, the method of establishing the session in the fast path using the SYN packet, and the checks that occur in the fast path (such as TCP sequence number), can stand in the way of asymmetrical routing solutions: both the outbound and inbound flow of a connection must pass through the same ASA.
For example, a new connection goes to ASA 1. The SYN packet goes through the session management path, and an entry for the connection is added to the fast path table. If subsequent packets of this connection go through ASA 1, then the packets will match the entry in the fast path, and are passed through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through the session management path, then there is no entry in the fast path for the connection, and the packets are dropped. Figure shows an asymmetric routing example where the outbound traffic goes through a different ASA than the inbound traffic:-
Today i am going to show you how to Skip TCP state tracking and sequence checking when traffic flows across the ASA and GAIA ?
On Cisco ASA :-
Cisco ASA comes with a feature of TCP State bypass in the case of allowing allowing Asymmetric traffic.
To allow TCP state bypass feature, Open ASDM and navigate to Configuration > Firewall > Service Policy Rules > Click on the Edit option in Inspection_default policy .
then click on the + icon to add new policy and select the Global – Apply to all interface option and click on the next.
Now enter the name of your traffic class and select the “All traffic ” option and click on the next option.
then click on the Connection Settings option and enable the ” TCP State bypass ” option and click on the Finish option and click on the Apply option to apply it on your device.
If you are using command line interfaces, use below command.
class-map global-class
match any
class-map alltraffic
description alltraffic-Rumytest
match any
policy-map global_policy
class global-class
set connection advanced-options tcp-state-bypass
class alltraffic
set connection advanced-options tcp-state-bypass
On Checkpoint GAIA :-
open Global properties of GAIA firewall,
now navigate to Stateful Inspection and in the ” Out of state packets ” click on the Exceptions option.
and Add your Gateway from here. 🙂
Hope you like my post.Skip TCP state tracking and sequence checking when traffic flows across the ASA and GAIA. Please share with others.
Also Check :-
Block a list of URL address in your network with Checkpoint GAIA
Block Torrent traffic on Your Network with Checkpoint GAIA Firewall
How to install checkpoint gaia on vmware
Secure your network for Most common Attacks with Checkpoint Firewall
How to Fix the TCP packet out of State in Checkpoint Firewall
How to enable Rate limiting for Streaming media in Checkpoint GAIA