Check Point Information for VU#446689

Check Point FireWall-1 allows fragmented packets through firewall if Fast Mode is enabled



Vendor Statement

Not all hosts protected by the firewall are vulnerable, only a specific subset:

    • hosts used in the "Destination" column of a rule utilizing Fastmode, or
    • hosts at least one router hop away from the firewall

Also, the hosts must be reachable/routable from the attacker's side of the firewall; i.e., in order for a host to be vulnerable, either no address translation or static (1-to-1) address translation must be used for that host. In a network using RFC 1918 addresses, where all outbound hosts hide behind a single IP address, none of the protected hosts would be vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.