topic Re: Implied rule 0 allowed http & https to external gw interface IP in Firewall and Security Management

Implied rule 0 for external gw interface IP

Kid555 — Wed, 12 Jul 2023 11:46:51 GMT

Hi All,

We have an issue where external IPs are allowed to access my gateway.

We tried the KB below, where we change it to "Through internal interfaces" but the traffic is still allowed.

https://support.checkpoint.com/results/sk/sk105740

We also tried the sk105740, we have followed this alternative solution to adding the IOC IP address into the SAM rule but however, the issue is not resolved.

Refer to the attached log that shows external IP allowed to my external Gateway IP via port 443

Re: Implied rule 0 allowed http & https to external gw interface IP

PhoneBoy — Sat, 08 Jul 2023 05:44:10 GMT

How precisely did you “add the IOC IP address into the SAM rule”?
Did you try setting fw_ignore_before_drop_rules?
Instead of a SAM rule, you can use: https://support.checkpoint.com/results/sk/sk112454

Re: Implied rule 0 allowed http & https to external gw interface IP

Tal_Paz-Fridman — Sat, 08 Jul 2023 10:01:52 GMT

Please also look at sk180808 https://support.checkpoint.com/results/sk/sk180808

Security Gateway accepts HTTP traffic by an implied rule for its HTTP Web Portals, although there is an explicit rule that drops this HTTP traffic

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Sat, 08 Jul 2023 13:34:01 GMT

Hi, how about https traffic coming from the outside? From the sk, I see this is only for http

Re: Implied rule 0 allowed http & https to external gw interface IP

Tal_Paz-Fridman — Sat, 08 Jul 2023 17:17:27 GMT

I will ask the relevant owner to see what they can add.

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Sat, 08 Jul 2023 22:15:48 GMT

fw_ignore_before_drop_rules

Does this cause any impact to my production or require any reboot?

Re: Implied rule 0 allowed http & https to external gw interface IP

PhoneBoy — Sun, 09 Jul 2023 15:26:36 GMT

Should not, but as with any change, you may want to test it in a maintenance window.

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Sun, 09 Jul 2023 23:38:34 GMT

As per https://support.checkpoint.com/results/sk/sk105740. I don't see the steps to change the setting fw_ignore_before_drop_rules. Do you have the steps?

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Mon, 10 Jul 2023 06:25:53 GMT

Hi, I check through.

Based on this: https://support.checkpoint.com/results/sk/sk180808

What is the different between value 0 and 1. Seems like it is the same meaning

Re: Implied rule 0 allowed http & https to external gw interface IP

Tal_Paz-Fridman — Mon, 10 Jul 2023 06:37:35 GMT

Adding @YosiHavilo to answer

Re: Implied rule 0 allowed http & https to external gw interface IP

_Val_ — Mon, 10 Jul 2023 08:46:57 GMT

Do you use any of the multi-portal features, including MAB? It might be, your features require HTTP/HTTPS access on the external interfaces.

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Mon, 10 Jul 2023 09:19:50 GMT

No I don't think so. But I tried follow this sk105740 to change the accessibility to "through internal interface" but I still see traffic allowed coming from external traffic to my external gateway.

Re: Implied rule 0 allowed http & https to external gw interface IP

PhoneBoy — Mon, 10 Jul 2023 22:33:40 GMT

In the SK I linked, it says: to configure the parameter to survive reboot - refer to sk26202.
It also provides instructions to change on the fly.

Re: Implied rule 0 allowed http & https to external gw interface IP

YosiHavilo — Tue, 11 Jul 2023 15:55:16 GMT

Regarding sk180808

It can be http or https , i will ask to fix the Sk .

i will explain a bit about the 2 options :

Currently there are 2 "before drop" implied rules, both implied rules can allow connections to the Security Gateway on port 443 or 80

enable_portal_http (MULTIPORTAL)
enable_tcpt (TCP_TUNNELING)

it mean that in case we have a drop we check if we match the implied rule

in sk180808 , you can change the before drop to before last

it mean that in case this connection is drop on the rulebase (except the cleanup rule) , GW will drop the connection , in case the connection hit the cleanup rule, we will see if it match the implied rule .

when you use the fw_ignore_before_drop_rules , this is like you disable both rules

in this case you must create an implicit rule instead of the implied rule .

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Wed, 12 Jul 2023 07:40:30 GMT

Hi Yosi,

for my understanding, am i right on the below,

Based on sk180808 , you can change the before drop (“0”) to before last (“1”).

If the value is “1”, when traffic hit onto one of the explicit drop rules (NOT the default cleanup rule), gateway will drop the connection.

If the value is “0”, when the traffic hit onto the default cleanup rule, then it match the implied rule (multiportal).

Re: Implied rule 0 allowed http & https to external gw interface IP

YosiHavilo — Wed, 12 Jul 2023 08:50:53 GMT

If the value is “1”, when traffic hit onto one of the explicit drop rules (NOT the default cleanup rule), gateway will drop the connection ,when the traffic hit onto the default cleanup rule, then it match the implied rule (multiportal)..

If the value is “0”, when the traffic drop rule, then it match the implied rule (multiportal).

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Wed, 12 Jul 2023 08:54:43 GMT

"when the traffic hit onto the default cleanup rule, then it match the implied rule (multiportal).."

For the above added, this only happens if I do not have an explicit drop rule (not the cleanup rule) right?

Re: Implied rule 0 allowed http & https to external gw interface IP

YosiHavilo — Wed, 12 Jul 2023 15:59:36 GMT

correct

Re: Implied rule 0 allowed http & https to external gw interface IP

Kid555 — Wed, 12 Jul 2023 23:41:45 GMT

Understand! Can i also check if those commands work on R80.30 Take 251?