Firewall – tcp syn checking

Tags: firewall, networking, protocols, tcp, watchguard

I have a WatchGuard Firebox that I've recently configured. All of the policies look fine and all appropriate services seem to be working correctly.

However, one or two (seemingly) random nodes keep getting blocked from making HTTP requests to a 1:1 NATed host that everyone else makes just fine.

The firewall log tells me that tcp syn checking failed, and these requests use destination port 64 for clients behind the appliance, and port 50 for clients on the outside. I've finally found this option and disabled it under the Global Settings (which leaves a bad taste in my mouth), and that seems to have done the trick.

The documentation is uber thin on the topic, though. Can anyone explain to me exactly what tcp syn checking does/is, and how I might make an appropriate allowance for it in my policies rather than globally disabling it (assuming, of course, there is a more graceful solution than a global rule)?

Best Answer

From Watchguard:

TCP SYN checking

The global TCP SYN checking setting is: "Enable TCP SYN checking". This feature makes sure that the TCP three-way handshake is done before the Firebox allows a data connection.

So I imagine the WatchGuard isn't seeing the usual SYN / SYN-ACK / ACK happen for whatever reason and killing the connection.
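To make the answer's point concrete, here is an added example that is not WatchGuard's code or from the original thread: a simplified, hypothetical stateful filter that only admits data segments for flows whose SYN / SYN-ACK / ACK exchange it has actually observed, and reports the same condition the question's log shows ("tcp syn checking failed") for anything else. The addresses, ports and class names are constructed for illustration.

```python
from dataclasses import dataclass
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str    # sender "ip:port" (constructed sample values below)
    dst: str    # receiver "ip:port"
    flags: int  # e.g. SYN | ACK

class SynCheckingFirewall:
    """Hypothetical stateful filter: flows keyed by (client, server) may carry
    data only after SYN, SYN-ACK and ACK have all been seen in order."""
    def __init__(self, syn_checking=True):
        self.syn_checking = syn_checking
        self.flows = {}  # (client, server) -> SYN_SENT | SYN_RECEIVED | ESTABLISHED
    def inspect(self, pkt):
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if fwd in self.flows:
            key, from_client = fwd, True
        elif rev in self.flows:
            key, from_client = rev, False
        elif pkt.flags & SYN and not pkt.flags & ACK:
            self.flows[fwd] = "SYN_SENT"  # new flow opened by a plain SYN
            return "allow"
        elif self.syn_checking:
            # What the log reports as "tcp syn checking failed": a non-SYN segment
            # for a flow whose handshake this firewall never observed.
            return "deny: tcp syn checking failed"
        else:
            self.flows[fwd] = "ESTABLISHED"  # checking off: mid-stream traffic creates state
            return "allow"
        state = self.flows[key]
        if state == "SYN_SENT" and not from_client and pkt.flags & SYN and pkt.flags & ACK:
            self.flows[key] = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and from_client and pkt.flags & ACK:
            self.flows[key] = "ESTABLISHED"
        elif state == "ESTABLISHED":
            if pkt.flags & RST:
                del self.flows[key]  # reset tears the flow down; FIN close is not modelled
        else:
            return f"deny: unexpected flags in state {state}"
        return "allow"

def run(packets, syn_checking=True):
    fw = SynCheckingFirewall(syn_checking)
    return [fw.inspect(p) for p in packets]

C, S = "10.0.0.5:51000", "203.0.113.10:80"  # constructed: client C, 1:1 NATed server S
HANDSHAKE = [Packet(C, S, SYN), Packet(S, C, SYN | ACK), Packet(C, S, ACK)]
GET = Packet(C, S, PSH | ACK)  # an HTTP request segment
```

In practice a stateful firewall can lack the handshake for a flow when the connection predates its state table (reboot, failover) or when only one direction of the traffic passes through the appliance, which is why a few hosts can hit this check while everyone else works.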
