Support Center > Search Results > SecureKnowledge Details
"TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog Technical Level
Symptoms
  • "TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog.

  • "TCP segment with urgent pointer (no data). Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog.

Cause

The default behavior for dealing with urgent data on all TCP ports (except for ports 21 (FTP), port23 (TELNET) and 513 (RLOGIN)) is to strip the "URG" flag from the TCP packet.

However, a user may want to create an exception to drop the TCP packet with an "URG" flag, or an exception to not strip the "URG" flag from the TCP packet.


Solution

Background

Removing the "URG" flag from TCP packets that do not contain data should not affect a connection. Therefore, if the log indicates that the "urgent" flag was stripped from a TCP packet that does not contain data, then no action should be taken.

If the TCP packet contains data, it still does not necessarily indicate a problem. No action should be taken unless you are experiencing a connectivity problem for the logged connection.

 

Procedure

To add the connection's service to the list of services, for which "urgent" data is allowed, define a table named "tcp_urgent_ports_user" in the relevant user.def file on the Security Management Server (refer to the sk98239 - Location of 'user.def' files on Security Management Server) and add the service's port to that table:

tcp_urgent_ports_user={<TCP_PORT;ACTION>};

You can define these actions for a TCP packet sent to the specified TCP port:

Action Description
URGENT_DATA_STRIP Strips the "urgent" flag from the TCP packet
URGENT_DATA_INLINE Does not strip the "urgent" flag from the TCP packet
URGENT_DATA_RESET Rejects TCP packets with the "urgent" flag

For example, to configure that TCP packet on port 514 (RemoteShell) should not have the "urgent" flag stripped, configure:

tcp_urgent_ports_user={<514;URGENT_DATA_INLINE>};

Notes:

  • Do not add a service as "_URGENT_DATA_INLINE", unless you verified that this service indeed supports the TCP "urgent" data functionality.
    If you configure the Security Gateway to accept urgent data on TCP services that do not support the "urgent" functionality, then the connections that match will bypass all IPS protections.

  • To configure multiple ports, use this syntax:

    tcp_urgent_ports_user={<TCP_PORT_1;ACTION_1>, <TCP_PORT_2;ACTION_2>, <TCP_PORT_3;ACTION_3>};

    Example for ports 80, 8080, and 514:
    tcp_urgent_ports_user={<80;URGENT_DATA_INLINE>, <8080;URGENT_DATA_STRIP>, <514;URGENT_DATA_RESET>};

 

Procedure for Locally Managed Quantum Spark appliances with Gaia Embedded OS

  1. Connect to the Gaia Portal on the appliance.

  2. Go to the "Device" tab.

  3. Click "Advanced Settings".

  4. Search for "Streaming Engine Settings".

  5. Change the value of "TCP Urgent Data Enforcement" from "prevent" to "detect".

 

Related Solutions

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment