topic Re: Gateway to any destination access rule in Firewall and Security Management

Gateway to any destination access rule

LostBoY — Tue, 15 Feb 2022 16:59:16 GMT

I have an ACL rule which allows access from Gateway towards any destination on Https and DNS ports..i am using this for Gateway updates.

In a recent audit ..auditor is asking why "any" access is allowed here .. i remember speaking with a Checkpoint engineer some time back and he stated that Gateway to any access is not an issue in an ACL on specific ports .. is there any documentation in support of this ? or do i need to harden this rule ?

Re: Gateway to any destination access rule

the_rock — Tue, 15 Feb 2022 17:17:35 GMT

That can certainly be debated...if support told you that sort of rule is not an issue, it really depends what context they may had been referring to. Personally, but this is just me, I would make sure that access from external to the firewall is hardened and configured as per your corporate policy, but as far as other way around, I dont see logical reasoning why you would have rule like that. Is there something specific that your firewall has to reach to?

Re: Gateway to any destination access rule

K_montalvo — Tue, 15 Feb 2022 20:16:34 GMT

Hello buddy,

Here, you can use updatable objects and needs to have access to these specific domains updates.checkpoint.com and dl3.checkpoint.com (apply these rule in top of the existing one with any and tested checking for updates, confirm the new rule logged the traffic and see if theres any other traffic that's being logged on the old rule that stills need to be permitted creating another new rule, if no traffic is logged for 48 hours then > disabled that rule for 1 week and if no issues has been presented deleted.

Always remember to take snapshot in

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131852&partition=Basic&product=Security

P.D

Like my buddy @the_rock mentioned that all depends on the regulation you need to be in compliance or any internal company policy that does not permit the famous "nefarius any rules" AKA High Risk.

Hope it helps!

Re: Gateway to any destination access rule

the_rock — Tue, 15 Feb 2022 20:53:54 GMT

Also, I believe its related to your earlier post on sort of same topic...

https://community.checkpoint.com/t5/Security-Gateways/Disable-Outgoing-Packets-from-Gateway/m-p/140413#M24889

Re: Gateway to any destination access rule

Danny — Tue, 15 Feb 2022 22:13:29 GMT

"Any" definitions shouldn't be used in firewall security policies as "Any" doesn't make clear what is actually meant. "Any" is not just the Internet, it's also all internal, DMZ, VPN partners, Home Offices and more. "Any" can also be different depending of the firewall vendor as some have exclusions from "Any", others work with a Zone-based model and define "Any" only for lower security zones, and so on...

I recommend to check your real demand. You wrote: "i am using this for Gateway updates". Define what that means. If your firewall updates time via DNS from an internal DNS server only, you should replace "Any" with that specific internal object/range/network. If your firewall updates via HTTPS from the internet, then "Any" should be replaced with your object representing the internet.

Additional resources:

sk64143 - Tips to optimize your security management database
sk102812 - Best Practices - Firewall Policy Management
sk112576 - In Unified Policy, when using "Any" in Services & Applications column in Rule Base, not all applications appear
Admin Guide - Creating an Access Control Policy

Re: Gateway to any destination access rule

the_rock — Tue, 15 Feb 2022 23:15:43 GMT

@Danny , as always, gave you FANTASTIC guidance. He is 100% correct...yes, Im positive that all of us are "guilty" of using "any" in the rules way more than what we should, but he makes an excellent point. Any can represent, dmz, internal, external, anything on the Internet, whole "kit & caboodle". Honestly, I would strongly urge you to make use of security zones available in R80+. Create layered sections that represent specific zones (dmz, internal, external) and that way, your rule base will be way more secure.

Andy

Re: Gateway to any destination access rule

LostBoY — Wed, 16 Feb 2022 07:36:39 GMT

Yes..in this post i was trying to get around the implicit rule in place..and this is the reason i was exploring an explicit rule possibility but i get your point here..i can harden the destinations to be reached

Re: Gateway to any destination access rule

LostBoY — Wed, 16 Feb 2022 07:38:08 GMT

Got your point...i have been observing the logs since yesterday and as it is an AWS firewall it is reaching to AWS DNS for name resolution and for updates i can direct it to an interal proxy hence mitingating this "any"

Re: Gateway to any destination access rule

LostBoY — Wed, 16 Feb 2022 07:39:56 GMT

Thank you ..i think i have 2 options here looking at this

1)allow updatable checkpoint update object

2)Enable Update via proxy

This will help to get around this any rule.. Thanks again for the guidance