"TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog
Symptoms
  • "TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog.

  • "TCP segment with urgent pointer (no data). Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog.

Cause

The default behavior for dealing with urgent data on all TCP ports (except port 21 (FTP), port 23 (TELNET) and port 513 (RLOGIN)) is to strip the "URG" flag from the TCP packet.

However, a user may want to create an exception to drop TCP packets with the "URG" flag, or an exception to not strip the "URG" flag from the TCP packet.


Solution

Background

Removing the "URG" flag from TCP packets that do not contain data should not affect a connection. Therefore, if the log indicates that the "urgent" flag was stripped from a TCP packet that does not contain data, then no action should be taken.

If the TCP packet contains data, it still does not necessarily indicate a problem. No action should be taken unless you are experiencing a connectivity problem for the logged connection.


Procedure

To add the connection's service to the list of services for which "urgent" data is allowed, define a table named "tcp_urgent_ports_user" in the relevant user.def file on the Security Management Server (refer to sk98239 - Location of 'user.def' files on Security Management Server) and add the service's port to that table:

tcp_urgent_ports_user={<TCP_PORT;ACTION>};

You can define these actions for a TCP packet sent to the specified TCP port:

Action              Description
URGENT_DATA_STRIP   The "urgent" flag will be stripped from the TCP packet
URGENT_DATA_INLINE  The "urgent" flag will not be stripped from the TCP packet
URGENT_DATA_RESET   TCP packets with the "urgent" flag will be rejected

For example, to configure that TCP packets on port 514 (RemoteShell) should not have the "urgent" flag stripped, define the following:

tcp_urgent_ports_user={<514;URGENT_DATA_INLINE>};

Notes:

  • Do not add a service with URGENT_DATA_INLINE unless you have verified that the service indeed supports TCP "urgent" data functionality.
    Configuring the Security Gateway to accept urgent data on TCP services that do not support "urgent" functionality enables matching connections to bypass all IPS protections.

  • To configure multiple ports, use this syntax:
    tcp_urgent_ports_user={<TCP_PORT;ACTION>};, {<TCP_PORT;ACTION>};, {<TCP_PORT;ACTION>};
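
As an added illustration (this is not Check Point's code and is not part of the article), the following Python model applies the three actions from the table above to a raw TCP segment and shows why the two log texts differ by whether the segment carries data. The table contents (port 514 and the constructed port 5555 entry) are example values, and TCP checksum recomputation, which a real gateway must do after rewriting the header, is left out.

```python
import struct

# Action names as listed in the article's table.
URGENT_DATA_STRIP, URGENT_DATA_INLINE, URGENT_DATA_RESET = "STRIP", "INLINE", "RESET"

# Default behaviour described in the article: strip URG on every port
# except FTP (21), TELNET (23) and RLOGIN (513).
DEFAULT_INLINE_PORTS = {21, 23, 513}

# Model of a tcp_urgent_ports_user table (constructed example entries).
tcp_urgent_ports_user = {514: URGENT_DATA_INLINE, 5555: URGENT_DATA_RESET}

URG = 0x20  # URG bit in the TCP flags field


def policy_for(dst_port):
    """Action for a destination port: user table first, then the defaults."""
    if dst_port in tcp_urgent_ports_user:
        return tcp_urgent_ports_user[dst_port]
    return URGENT_DATA_INLINE if dst_port in DEFAULT_INLINE_PORTS else URGENT_DATA_STRIP


def handle_segment(segment):
    """Inspect one raw TCP segment (header + payload, no IP header).

    Returns (action, has_data, out_segment). action is None when URG is
    not set; out_segment is None when the segment is rejected (RESET).
    has_data distinguishes the "(no data)" log text from the plain one."""
    src, dst, seq, ack, off_flags, win, csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    has_data = len(segment) > header_len
    if not off_flags & URG:
        return None, has_data, segment        # nothing to enforce
    action = policy_for(dst)
    if action == URGENT_DATA_INLINE:
        return action, has_data, segment      # URG and urgent pointer pass through
    if action == URGENT_DATA_RESET:
        return action, has_data, None         # segment is rejected
    # STRIP: clear the URG bit and zero the urgent pointer, keep everything else.
    rewritten = struct.pack("!HHHH", off_flags & ~URG, win, csum, 0)
    return action, has_data, segment[:12] + rewritten + segment[20:]


def make_segment(dst_port, urg, payload=b""):
    """Build a constructed test segment: PSH|ACK, optional URG, 20-byte header."""
    off_flags = (5 << 12) | 0x18 | (URG if urg else 0)
    urg_ptr = len(payload) if urg else 0
    return struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1, off_flags, 65535, 0, urg_ptr) + payload
```

Run with `handle_segment(make_segment(80, True, b"abc"))` to see a STRIP decision on a data-carrying segment, and with an empty payload to see the case the article says needs no action.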

Procedure for locally managed 600 / 700 / 1100 / 1200R / 1400 appliances

  1. Connect to the Gaia Portal on the appliance.

  2. Go to the "Device" tab and click "Advanced Settings".

  3. Filter for "Streaming Engine Settings" and, in that window, set "TCP Urgent Data Enforcement" to "detect" instead of "prevent" if desired.
