The firewall, most probably Checkpoint, is reporting a lot of 'out of state' packets
Firewalls are strict about seeing a proper 3-way handshake and about closing sockets soon after they are no longer needed, because firewalls focus on security. The ProxySG appliance focuses on performance: to save time, it leaves sockets open for a long time and reuses them when required.
The typical sequence that causes a firewall to reject packets from the ProxySG is the following:
1. The proxy opens a socket to the internet and requests web objects through it. At this point the firewall reports no problem.
2. The proxy finishes retrieving objects but keeps the TCP socket open in case something else needs to be fetched from the same server.
3. After some time with no activity on that connection, the firewall assumes the socket is no longer in use and marks it as closed.
4. The proxy needs to request a new object from the same server and attempts to use the socket that is already open.
5. The firewall drops the connection and reports that the first packet in the sequence was not a SYN packet.
Both devices are working as intended here; this is not specifically a proxy issue or a firewall issue. It is simply a setting that needs to be adjusted so that the firewall and the ProxySG use the same timeout value. The problem will also stop if the ProxySG's timeout value is lower than the firewall's.
In most cases, only server-side persistence needs to be adjusted, because the firewall generally sits between the proxy and the internet, not between the clients and the proxy. To adjust how long the ProxySG keeps sockets open with servers, run the following command, where <value> is the timeout in seconds:
http persistent-timeout server <value>
Lowering the value causes a slight performance decrease, so it is best to adjust the firewall's timeout first. If that is not possible, lowering the ProxySG's timeout is the only solution.
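The interaction above can be replayed with a small model. The following Python simulation is an added example, not code from the article or from the ProxySG or Checkpoint products: it models a stateful firewall that forgets a flow after an idle timeout and a proxy socket pool that reuses a server-side socket while it has been idle for no longer than its persistent-timeout. The timeouts, timestamps and server name are constructed values. Running it shows the "out of state" drop when the proxy's timeout exceeds the firewall's, and its disappearance once the proxy's timeout is the same or lower.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Constructed model of a stateful firewall: a TCP flow is accepted only if
    it was opened with a SYN and has carried a packet within the last
    idle_timeout seconds; any other first packet is logged as 'out of state'."""
    idle_timeout: int
    flows: dict = field(default_factory=dict)          # flow_id -> time of last packet
    out_of_state: list = field(default_factory=list)   # (time, flow_id) of each drop

    def packet(self, now, flow_id, syn=False):
        last = self.flows.get(flow_id)
        if last is not None and now - last > self.idle_timeout:
            # The flow was idle too long: the firewall quietly forgets it.
            del self.flows[flow_id]
            last = None
        if last is None and not syn:
            # First packet of an unknown flow is not a SYN: drop it and log it.
            self.out_of_state.append((now, flow_id))
            return False
        self.flows[flow_id] = now
        return True


@dataclass
class ProxySocketPool:
    """Constructed model of the proxy's server-side persistent sockets: a socket
    is reused while it has been idle for at most persistent_timeout seconds."""
    persistent_timeout: int
    firewall: StatefulFirewall
    sockets: dict = field(default_factory=dict)        # server -> [flow_id, last_used]
    next_flow_id: int = 1

    def _open(self, now, server):
        flow_id = self.next_flow_id
        self.next_flow_id += 1
        self.firewall.packet(now, flow_id, syn=True)   # proper 3-way handshake
        self.sockets[server] = [flow_id, now]

    def fetch(self, now, server):
        """Request an object from `server`; returns how the socket was obtained."""
        sock = self.sockets.get(server)
        if sock is None or now - sock[1] > self.persistent_timeout:
            # No live persistent socket: open a fresh one, starting with a SYN.
            self._open(now, server)
            return "new"
        if self.firewall.packet(now, sock[0], syn=False):
            sock[1] = now
            return "reused"
        # The firewall silently dropped the packet on the reused socket: the
        # proxy sees a stalled request, times out, and reconnects from scratch.
        self._open(now, server)
        return "dropped_then_reconnected"


def simulate(proxy_timeout, firewall_timeout, request_times, server="origin.example"):
    """Replay requests to one server; returns (outcomes, number of out-of-state drops)."""
    fw = StatefulFirewall(idle_timeout=firewall_timeout)
    proxy = ProxySocketPool(persistent_timeout=proxy_timeout, firewall=fw)
    outcomes = [proxy.fetch(t, server) for t in request_times]
    return outcomes, len(fw.out_of_state)


if __name__ == "__main__":
    times = [0, 30, 120]  # constructed request timestamps, in seconds
    print("proxy 900s > firewall 60s: ", simulate(900, 60, times))
    print("proxy 60s <= firewall 60s:", simulate(60, 60, times))
```

With a 900-second proxy timeout and a 60-second firewall idle timeout, the third request (90 seconds after the previous one) is sent on a socket the firewall has already forgotten, so it is dropped and logged as out of state before the proxy reconnects. With the proxy timeout at 60 seconds or lower, the proxy discards the idle socket itself and opens a new connection with a SYN, and the firewall logs nothing. In the model the two timers are compared exactly; on real equipment a proxy value slightly below the firewall's leaves a margin for the firewall's timer having started earlier than the proxy's.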
Imported Document ID: 000009462