3.10 Ensure Drop Out of State TCP Packets is enabled

Information

The Drop Out of State TCP Packets setting drops out-of-state or non-synchronized TCP packets for which the firewall has no matching entry in its state table.

Rationale:

Bypassing (disabling) the Drop Out of State TCP Packets security setting means that non-synchronized packets that do not belong to an established connection in the firewall's connections table, or traffic that is not TCP-compliant, will not be dropped. Attackers can potentially exploit this for denial-of-service attacks by flooding the firewall with non-synchronized TCP packets.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Go to the following path and check the Drop Out of State TCP Packets and Log on Drop options.

SmartConsole > Global Properties > Stateful Inspection
Check Drop Out of State TCP Packets and Log on Drop

Default Value:

Enabled

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION

References: 800-53|CA-3, CSCv7|12.1

Plugin: CheckPoint

Control ID: 13db9c98fd67f72da03ca7e65ec7f884bb8b12400bfba7185facd1a4b17e17ef