Friday, February 22, 2019

Anyone with CIPSO or Netlabel experience? Firewall dropping packets.

So, I have a customer network coming into a data center. They are using CIPSO protocol to add a tag to their header for a security label. This is communicating with a server beyond my edge firewall. We were working fine, until we upgraded the firewall to a new model with also an updated OS (Fortigate 620B to Fortigate 500E).

The packet sniff responds with a parameter problem indicating, from what we can tell, that it thinks the packet is malformed. This would make sense if it sees the header with a security label added and doesn't recognize what it's for.

Working with Fortinet and others we haven't found any way to get it to either bypass this or ignore it. There are a few options to lower the header inspection security but none to disable it. Any checks we can seem to find and disable don't seem to help. It's possible it's just a version problem, but I would need to get approvals and take a lot of things down again to go and start trying new versions.

Has anyone ever had experience with this or maybe something similar that adds to the IP header?
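One way to check which side is right about the "malformed" header is to decode the CIPSO option from a captured packet yourself. The script below is an added example, not code from the post, from Fortinet or from the Netlabel project: it walks the IPv4 option area, applies the structural rules a strict header inspector enforces (IHL range, option lengths that fit the header, the 6-byte type/length/DOI prefix and tag lengths of the CIPSO option, IP option 134), and decodes the tag type 1 sensitivity level and category bitmap. The sample packets, the DOI value 1, the level 3 and the categories are constructed for the example; the returned offsets are header byte positions, so they can be compared against the pointer field of an ICMP Parameter Problem (type 12) seen in a capture.

```python
"""Decode and sanity-check the CIPSO IPv4 option a strict header inspector may reject.

Constructed example; not Fortinet or Netlabel code. Offsets returned match the byte
positions an ICMP Parameter Problem (type 12) pointer would cite.
"""
import struct
from typing import Dict, List

CIPSO_OPTION_TYPE = 0x86   # IPv4 option 134: copied flag set, class 0, option number 6
CIPSO_TAG_BITMAP = 1       # tag type 1: restrictive category bitmap (level + bitmap)


def parse_ipv4_options(packet: bytes) -> List[Dict]:
    """Walk the IPv4 option area and return each option with its header offset.

    Raises ValueError on the structural faults that make a router or firewall
    treat the header as malformed (bad IHL, missing length byte, length overrun).
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError(f"IHL {ihl} bytes is invalid for a {len(packet)}-byte packet")
    options = []
    offset = 20
    while offset < ihl:
        opt_type = packet[offset]
        if opt_type == 0:                      # End of Option List
            break
        if opt_type == 1:                      # No Operation (single byte, no length)
            options.append({"offset": offset, "type": 1, "data": b"\x01"})
            offset += 1
            continue
        if offset + 1 >= ihl:
            raise ValueError(f"option at offset {offset} has no length byte")
        opt_len = packet[offset + 1]
        if opt_len < 2 or offset + opt_len > ihl:
            raise ValueError(f"option type {opt_type} at offset {offset} has length "
                             f"{opt_len}, which runs past the {ihl}-byte header")
        options.append({"offset": offset, "type": opt_type,
                        "data": packet[offset:offset + opt_len]})
        offset += opt_len
    return options


def decode_cipso(option: bytes) -> Dict:
    """Decode a CIPSO option (type, length, 4-byte DOI, then tags) and list faults."""
    faults: List[str] = []
    if len(option) < 6:
        return {"ok": False, "doi": None, "tags": [],
                "faults": ["option shorter than the 6-byte type/length/DOI prefix"]}
    doi = struct.unpack("!I", option[2:6])[0]
    if doi == 0:
        faults.append("DOI 0 is reserved")
    tags = []
    pos = 6
    while pos < len(option):
        if pos + 1 >= len(option):
            faults.append(f"tag at option offset {pos} is missing its length byte")
            break
        tag_type, tag_len = option[pos], option[pos + 1]
        if tag_len < 4 or pos + tag_len > len(option):
            faults.append(f"tag type {tag_type} has length {tag_len} that does not fit the option")
            break
        body = option[pos + 2:pos + tag_len]
        if tag_type == CIPSO_TAG_BITMAP:
            # body: alignment octet, sensitivity level, then up to 30 bytes of bitmap;
            # the leftmost bit of the first bitmap byte is category 0.
            if tag_len > 34:
                faults.append(f"bitmap tag length {tag_len} exceeds the 34-byte maximum")
            bitmap = body[2:]
            categories = sorted(i * 8 + (7 - bit)
                                for i, byte in enumerate(bitmap)
                                for bit in range(8) if (byte >> bit) & 1)
            tags.append({"type": tag_type, "level": body[1], "categories": categories})
        else:
            tags.append({"type": tag_type, "raw": body.hex()})
        pos += tag_len
    return {"ok": not faults, "doi": doi, "tags": tags, "faults": faults}


def inspect_packet(packet: bytes) -> Dict:
    """Report why a header inspector might reject this packet, and decode any CIPSO label."""
    try:
        options = parse_ipv4_options(packet)
    except ValueError as exc:
        return {"malformed": True, "reason": str(exc), "cipso": None}
    cipso = [o for o in options if o["type"] == CIPSO_OPTION_TYPE]
    if not cipso:
        return {"malformed": False, "reason": None, "cipso": None}
    decoded = decode_cipso(cipso[0]["data"])
    decoded["offset"] = cipso[0]["offset"]
    return {"malformed": not decoded["ok"],
            "reason": "; ".join(decoded["faults"]) or None, "cipso": decoded}


def build_sample(option: bytes) -> bytes:
    """Constructed IPv4 header (no payload, checksum left zero) carrying one option."""
    padded = option + b"\x00" * (-len(option) % 4)       # options area is 4-byte aligned
    ihl_words = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(padded), 0, 0,
                        64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + padded


# Constructed samples: DOI 1, tag type 1, level 3, categories 0 and 2 (bitmap 0xA0 0x00).
GOOD_CIPSO = bytes([CIPSO_OPTION_TYPE, 12]) + struct.pack("!I", 1) + bytes([1, 6, 0, 3, 0xA0, 0x00])
# Same option but its length byte claims 14, overrunning the 32-byte header.
BAD_CIPSO = bytes([CIPSO_OPTION_TYPE, 14]) + struct.pack("!I", 1) + bytes([1, 6, 0, 3, 0xA0, 0x00])

if __name__ == "__main__":
    print(inspect_packet(build_sample(GOOD_CIPSO)))
    print(inspect_packet(build_sample(BAD_CIPSO)))
```

To use it on a real capture, pass the raw IPv4 header bytes of the packet that provokes the Parameter Problem (for example exported from a sniffer as hex); if `inspect_packet` reports no fault, the label is well-formed and the drop is the inspector's policy on unknown or labelled options rather than a genuinely broken header.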
