"TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog
Symptoms
  • "TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog.

  • "TCP segment with urgent pointer (no data). Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog.

Cause

The default behavior for dealing with urgent data on all TCP ports (except for ports 21 (FTP), 23 (TELNET) and 513 (RLOGIN)) is to strip the "URG" flag from the TCP packet.

However, a user may want to create an exception to drop the TCP packet with an "URG" flag, or an exception to not strip the "URG" flag from the TCP packet.


Solution

Background

Removing the "URG" flag from TCP packets that do not contain data should not affect a connection. Therefore, if the log indicates that the "urgent" flag was stripped from a TCP packet that does not contain data, then no action should be taken.

If the TCP packet contains data, it still does not necessarily indicate a problem. No action should be taken unless you are experiencing a connectivity problem for the logged connection.

 

Procedure

To add the connection's service to the list of services for which "urgent" data is allowed, define a table named "tcp_urgent_ports_user" in the relevant user.def file on the Security Management Server (refer to sk98239 - Location of 'user.def' files on Security Management Server) and add the service's port to that table:

tcp_urgent_ports_user={<TCP_PORT;ACTION>};

You can define these actions for a TCP packet sent to the specified TCP port:

Action              Description
URGENT_DATA_STRIP   Strips the "urgent" flag from the TCP packet
URGENT_DATA_INLINE  Does not strip the "urgent" flag from the TCP packet
URGENT_DATA_RESET   Rejects TCP packets with the "urgent" flag

For example, so that TCP packets on port 514 (RemoteShell) do not have the "urgent" flag stripped, configure:

tcp_urgent_ports_user={<514;URGENT_DATA_INLINE>};

Notes:

  • Do not add a service as "URGENT_DATA_INLINE" unless you have verified that this service indeed supports the TCP "urgent" data functionality.
    If you configure the Security Gateway to accept urgent data on TCP services that do not support the "urgent" functionality, then the connections that match will bypass all IPS protections.

  • You must enable the IPS blade on this Security Gateway before changing the behavior for dealing with "urgent" data using the user.def file.
  • To configure multiple ports, use this syntax:

    tcp_urgent_ports_user={<TCP_PORT_1;ACTION_1>, <TCP_PORT_2;ACTION_2>, <TCP_PORT_3;ACTION_3>};

    Example for ports 80, 8080, and 514:
    tcp_urgent_ports_user={<80;URGENT_DATA_INLINE>, <8080;URGENT_DATA_STRIP>, <514;URGENT_DATA_RESET>};
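A pre-change check for a tcp_urgent_ports_user definition, as an added example (not Check Point code and not part of the original article): it parses the syntax shown above, rejects invalid ports and unknown actions, and lists every URGENT_DATA_INLINE entry for the verification the first note requires. The function name lint_urgent_table, the tolerance for extra whitespace, the one-line definition and the treatment of a repeated port as an error are assumptions of this example.

```python
import re

# The three actions documented in this article.
ACTIONS = {"URGENT_DATA_STRIP", "URGENT_DATA_INLINE", "URGENT_DATA_RESET"}

# Assumption: the definition sits on one line; optional whitespace is tolerated.
TABLE_RE = re.compile(r"^\s*tcp_urgent_ports_user\s*=\s*\{(.*)\}\s*;\s*$")
ENTRY_RE = re.compile(r"^<\s*(\d+)\s*;\s*(\w+)\s*>$")


def lint_urgent_table(line):
    """Return (entries, findings) for one tcp_urgent_ports_user definition."""
    match = TABLE_RE.match(line)
    if not match:
        return {}, ["error: not a tcp_urgent_ports_user={...}; definition"]
    entries, findings = {}, []
    for raw in (part.strip() for part in match.group(1).split(",")):
        entry = ENTRY_RE.match(raw)
        if not entry:
            findings.append(f"error: malformed entry {raw!r}")
            continue
        port, action = int(entry.group(1)), entry.group(2)
        if not 1 <= port <= 65535:
            findings.append(f"error: port {port} is not a valid TCP port")
        elif action not in ACTIONS:
            findings.append(f"error: unknown action {action!r} for port {port}")
        elif port in entries:
            findings.append(f"error: port {port} is defined more than once")
        else:
            entries[port] = action
            if action == "URGENT_DATA_INLINE":
                # Per the note above: INLINE on a service without urgent-data
                # support lets matching connections bypass all IPS protections.
                findings.append(f"review: port {port} keeps the URG flag; "
                                "verify the service supports urgent data")
    return entries, findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real user.def file.
    sample = ("tcp_urgent_ports_user={<80;URGENT_DATA_INLINE>, "
              "<8080;URGENT_DATA_STRIP>, <514;URGENT_DATA_RESET>};")
    table, notes = lint_urgent_table(sample)
    print(table)
    for note in notes:
        print(note)
```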

 

Procedure for Locally Managed Quantum Spark appliances with Gaia Embedded OS

  1. Connect to the Gaia Portal on the appliance.

  2. Go to the "Device" tab.

  3. Click "Advanced Settings".

  4. Search for "Streaming Engine Settings".

  5. Change the value of "TCP Urgent Data Enforcement" from "prevent" to "detect".

 
