One of the regular issues I help my customers resolving is about out of state drops. there might be multiple causes, and those should be addressed by proper troubleshooting and network configuration changes.
However, there are cases when you just need a quick fix before addressing the root case of the problem.
The classic way to do that is to change Global Properties settings on your management and to install policy. The biggest problem with that approach is that the settings are global and will affect all FWs in the security domain after a policy push.
But no worries, there is a way around it, described in
SK117374. Fw kernel has two parameter that define out of state drops for TCP and ICMP:
fw_allow_out_of_state_tcp
fw_allow_out_of_state_icmp
For example, by running
fw ctl set int fw_allow_out_of_state_tcp 1 you can allow TCP traffic to pass through. Setting the same parameter to 0 will start dropping out of state TCP again.
-----------
