Bluecoat through Check Point being dropped as out of state
Updated
On the Blue Coat, upgrade to SGOS 5.4.1.12 and run the following command from the global CLI:
http no persistent client
If you use AD authentication, also upgrade the BCAAA agent to 5.4.1.12 on your Domain Controllers and everything should start working again.
To dive into this a little on the technical side: what is happening is that when Check Point sees the FIN packet for the HTTP connection from the Blue Coat, it closes the existing connection it has open. This is just good security practice, so that nothing else tries to use that connection to gain access to the customer's network. The Blue Coat, on the other hand, tries to reuse that existing connection for new HTTP traffic so that it does not increase CPU and memory utilization on its own appliance and the upstream appliances.
There are a couple of fixes you can apply to resolve the issue.
The first one is to enable aggressive aging for the http protocol. This is enabled by default on R65 and higher, and will be the easiest way to resolve the problem.
The second is Nokia-specific: you can disable flowpath on the Nokia by running the command
ipsofwd slowpath
This will reduce the acceleration done by the Nokia.
The third one is Check Point sk41444: How do I configure FireWall-1 to allow “out-of-state” packets for specific TCP services?
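As an added illustration of the out-of-state behaviour explained above and of two of the fixes (non-persistent client connections on the proxy, and a per-service out-of-state exception in the spirit of sk41444), here is a simplified Python model of a stateful firewall's connection table. This is example code written for this post, not Blue Coat's or Check Point's implementation; the addresses, ports, verdict strings and the one-FIN teardown rule are constructed to mirror the post's description, and real Check Point state handling (timeouts, half-closed tracking, aggressive aging) is more involved.

```python
"""Constructed model of a stateful firewall's TCP connection table.

It shows why a proxy that reuses an HTTP connection after the firewall has
seen its FIN gets the next request dropped as out-of-state, and how two of
the remedies look in the model:
  * the proxy opening a fresh connection per request (what disabling
    persistent client connections achieves), and
  * a per-service out-of-state exception (the sk41444 approach).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "S" (SYN), "A" (ACK), "F" (FIN), "P" (PSH)


@dataclass
class StatefulFirewall:
    # Live connections, keyed by (src, sport, dst, dport).
    table: set = field(default_factory=set)
    # Destination ports exempt from the out-of-state check (sk41444-style).
    out_of_state_ok: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "S" in pkt.flags and "A" not in pkt.flags:
            # A bare SYN opens a new connection and creates state for it.
            self.table.add(key)
            verdict = "accept"
        elif key in self.table:
            verdict = "accept"
            if "F" in pkt.flags:
                # FIN seen: tear the state down, as the post describes, so
                # nothing else can ride on this 4-tuple afterwards.
                self.table.discard(key)
        elif pkt.dport in self.out_of_state_ok:
            # Explicit exception for this TCP service.
            verdict = "accept"
        else:
            verdict = "drop: out of state"
        self.log.append((key, pkt.flags, verdict))
        return verdict


# Constructed addresses for the scenarios below.
PROXY, SERVER = "10.0.0.5", "203.0.113.10"


def persistent_proxy_scenario(fw: StatefulFirewall) -> str:
    """Proxy keeps one connection, a FIN is seen, then the same tuple is reused."""
    fw.inspect(Packet(PROXY, 40000, SERVER, 80, "S"))
    fw.inspect(Packet(PROXY, 40000, SERVER, 80, "PA"))  # first request
    fw.inspect(Packet(PROXY, 40000, SERVER, 80, "FA"))  # FIN seen by the firewall
    return fw.inspect(Packet(PROXY, 40000, SERVER, 80, "PA"))  # reused connection


def non_persistent_proxy_scenario(fw: StatefulFirewall) -> str:
    """Persistent client connections disabled: every request starts with its own SYN."""
    fw.inspect(Packet(PROXY, 40000, SERVER, 80, "S"))
    fw.inspect(Packet(PROXY, 40000, SERVER, 80, "PA"))
    fw.inspect(Packet(PROXY, 40000, SERVER, 80, "FA"))
    fw.inspect(Packet(PROXY, 40001, SERVER, 80, "S"))  # fresh connection, new state
    return fw.inspect(Packet(PROXY, 40001, SERVER, 80, "PA"))


if __name__ == "__main__":
    print("persistent, no exception :", persistent_proxy_scenario(StatefulFirewall()))
    print("non-persistent           :", non_persistent_proxy_scenario(StatefulFirewall()))
    print("persistent, port 80 exempt:",
          persistent_proxy_scenario(StatefulFirewall(out_of_state_ok={80})))
```

Running the three scenarios shows the reused connection being dropped as out of state, the fresh-SYN-per-request variant being accepted because new state exists for the new source port, and the per-service exception accepting the reused packet at the cost of the firewall no longer enforcing connection state for that service. The `log` list on the firewall object records each verdict with its 4-tuple and flags, which is the kind of detail you would want in the firewall log when diagnosing these drops.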