topic Re: Explicit proxy traffic accepted via implied rule 0 in Firewall and Security Management

Explicit proxy traffic accepted via implied rule 0

Undel — Fri, 02 Jul 2021 12:26:49 GMT

Hello.

We have R80.40 installation (SMS + GW Cluster), which was migrated from R77.30.

This GW cluster is set up as explicit proxy for some clients.

We have 2 ordered layers: Security and Application.

On both layers we have a rule that allow traffic from client hosts to GW cluster via ports 8080 and 3128 (HTTP &HTTPS proxy and Squid_NTLM).

On Application layer we have rules that allow traffic from client hosts to Intetrnet with specified URLs and applications.

Everything was fine on version R77.30, but after migration we have an issue:

Traffic received by Checkpoint proxy is forwarded to Internet without enforcing URL filtering policy.

I can see in logs 2 different events:

1) Traffic from client host to Checkpoint proxy (port 3128 and 8080) is accepted by correct rules on Security and Application layer (event type Firewall)

2) Traffic from GW to external web resource is accepted on Security layer with Implied rule 0 and no checks on Application layer is performed.

I've tried to disable in Global policy "Accept outgoing packets originating from security gateway" parameter and create separate explicit rule to allow GW cluster to communicate with "Any" destinations.

I've checked according to sk112939 "Enable HTTP inspection on non standard ports for the Application Control & URL Filtering Blades" - we have it turned on, but it's not helping.

I've checked Implicit cleanup settings on Security and Application layers - both are set to "Drop".

I've checked Implicit rules in $FWDIR/state/local/FW1/local.implied_rules - there is no rule with ID 0.

I've rebooted SMS and reinstalled the policy - no effect.

Please, can anyone tell me why we are getting this implied rule here? How can we enforce URL filtering policy on proxied traffic again?

Re: Explicit proxy traffic accepted via implied rule 0

G_W_Albrecht — Fri, 02 Jul 2021 12:54:31 GMT

sk110013 - How to configure Check Point Security Gateway as HTTP/HTTPS Proxy has a comment that seems relevant:

Application & URL Filtering with a single interface

When Security Gateway is configured as HTTP/HTTPS Proxy with a single interface, define the relevant rules in 'Application & URL Filtering' policy as follows: Source - 'Any'; Destination - 'Any'.

Refer to sk80340 Applications and/or URL Filtering Categories are not blocked when Security Gateway is configured as HTTP Proxy with a single interface.

Re: Explicit proxy traffic accepted via implied rule 0

Undel — Mon, 05 Jul 2021 08:32:32 GMT

I don't get it.

If we make URL filtering rules with source:Any and destination:Any - how can we block or deny something for specific users,groups, hosts,networks?

Re: Explicit proxy traffic accepted via implied rule 0

Wolfgang — Mon, 05 Jul 2021 09:15:49 GMT

@G_W_Albrecht mentioned behaviour is problematic with "Internet" as destination. You can use any as destination and defining your "URLs" in the service/application field.

As another solution you can define your Application-layer rule with source your_client_networks and destination your proxy_IP and your "URLs" in the service/application field.

In my opinion I would suggest creating a new layer for "Application/URL-filter" and add them as inline layer to the rule allowing the traffic from clients to the proxy.

Re: Explicit proxy traffic accepted via implied rule 0

AykutYILMAZ — Thu, 23 Dec 2021 06:03:43 GMT

Hi,

Any updates this topic? we are facing same problem after upgrade.

Thanks.

Re: Explicit proxy traffic accepted via implied rule 0

_Mike_ — Mon, 24 Jan 2022 18:58:20 GMT

Curious if you figured out a solution/fix for this one as I am in a similar boat.