topic Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule? in Firewall and Security Management

Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

nemezis_rock — Thu, 20 Jul 2023 07:34:20 GMT

When publishing services via Reverse Proxy and creating access rule like:

Source: External IP
Dst: Domain object .test.domain.com
Service: http, https
Action: Accept

- it works actually and traffic from source goes through this rule.

BUT!

Any other sources also passes and goes to test.domain.com through Implied Rule 0.

Any suggections regarding how to block/disable/delete that RULE wich accepts HTTP/HTTPS traffic.

When changing the Action to Drop it also uses Implied Rule to bypass......................................

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

_Val_ — Thu, 20 Jul 2023 07:33:40 GMT

First, Temur, an admin note. This is a professional forum, please try expressing yourself in a more professional manner.

Do you have a proper cleanup rule in your policy? How does your access policy actually look?

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

nemezis_rock — Thu, 20 Jul 2023 08:40:35 GMT

Dear @_Val_ ,

Thank you for reply.

I did not find clear information about Reverse Proxy, there is a little information regarding how to enable it, create proxy rules and Nothing about access rules. So I started to get nervous. Also Access Rules are working in strange manner. Read carefully what I wrote.

Incoming HTTP/HTTPS requests to Services Published via Reverse Proxy (example.mydomain.com --> internal.server:443) bypasses Access Rule via Implied Rule.

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

nemezis_rock — Thu, 20 Jul 2023 09:02:19 GMT

I've send you PM where I provided screenshots and more detailed information, Thanks.

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

Tal_Paz-Fridman — Thu, 20 Jul 2023 09:15:53 GMT

For how to handle Implied rules bypassing HTTP/HTTPS there are a couple of SKs you can use:

sk66030 Connection to Security Gateway on TCP Port 80 and TCP Port 443 is accepted by Implied Rule 0:

https://support.checkpoint.com/results/sk/sk66030

sk180808 Security Gateway accepts HTTP/HTTPS traffic by an implied rule for its HTTP/HTTPS Web Portals, although there is an explicit rule that drops this HTTP/HTTPS traffic

https://support.checkpoint.com/results/sk/sk180808

There are also several SKs explaining how to configure Reverse Proxy

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

_Val_ — Thu, 20 Jul 2023 09:18:32 GMT

I do read very carefully what you wrote.

The reverse proxy is a functionality of Mobile Access Blade, and it is well documented in the standard admin guide (example) and in the SecureKnowled article. It is okay that it accepts web connections according to the proxy rules, on the implied rule 0.

However, you are claiming in your case services other than HTTP/HTTPS are also accepted on Rule 0. If this is indeed the case, please show logs. Also, if it happens, there are only two possibilities: either your Access Policy, or Proxy Policy, is misconfigured.

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

nemezis_rock — Thu, 20 Jul 2023 18:02:45 GMT

Hi @Tal_Paz-Fridman

Thank you so much for provided sk's. First sk66030 is not relevant for me. I have R81.10 with JHF take 95. So i tried to use the second sk180808. When I performed Configure the value "1" for the new environment variable:

$MDS_FWDIR/scripts/reload_env_vars.sh -e "IMPLIED_RULES_SET_BEFORE_LAST=1"
$MDS_FWDIR/scripts/override_server_setting.sh -e IMPLIED_RULES_SET_BEFORE_LAST 1

I got expected output:

Make sure the new variable value is loaded successfully:

grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf

Expected output:

IMPLIED_RULES_SET_BEFORE_LAST=1;export IMPLIED_RULES_SET_BEFORE_LAST

But it's not worked for me. It passes traffic via Implied Rule.

Should this command - grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf -give the same output when it's performed on GWs after policy installation? If so, then it did not work, because I got an empty response after putting command on GW. Is it ok if i will try to do same steps on GWs?

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

Wolfgang — Thu, 20 Jul 2023 18:17:48 GMT

@nemezis_rock I understand your way to solve your problem. But as I wrote in my PM you can‘t use access rules to restrict access for Reverse Proxy rules.

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

nemezis_rock — Mon, 24 Jul 2023 13:29:01 GMT

Dear @Wolfgang ,

As I said Implied Rule was the problem)

And https://support.checkpoint.com/results/sk/sk105740 helped me. Now I can give access to my Reverse Proxied services via Security Policies!

Hope it will work for you too!

But the only thing, how will it affect on GW? Can some expert give an opinion?

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

PhoneBoy — Mon, 24 Jul 2023 20:39:15 GMT

To answer your question about grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf being viewable on a gateway: no.
These are flags set for the cpm process, which only exists on the management and will impact policy compilation.

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

Wolfgang — Tue, 25 Jul 2023 18:35:23 GMT

@nemezis_rock can you please share your ReverseProxy rules and the security policy. It will be very interesting how you solved the problem.

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

nemezis_rock — Thu, 10 Aug 2023 11:20:32 GMT

Proxy Rules are simple. Just published some test123.mydomain.com and pointed it to internal server:

The main point here is to be able to restrict access to test123.mydomain.com. I've created domain object called .test123.mydomain.com. After, added new security access policy:

Source: US (updatable object or anything you want)
Destination: Domain Object (.test123.mydomain.com)
Application: HTTP/HTTPS
Action: Accept

Cleanup Rule: Drop All

With this configuration any http request from US ip addresses to test123.mydomain.com are accepted. Any others are dropped.

Re: Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

Wolfgang — Thu, 17 Aug 2023 06:21:58 GMT

Thanks for sharing @nemezis_rock

I understand your solution and it's working for one URL. But with more then one this does not solve your initial question. ReverseProxy does only work on the main IP of the MOB-blade. All requests they should be handled by Reverseproxy must be sent to this IP. Meaning that every FQDN you will have to forwarded has to point to this IPaddress.

You can have more then one FQDN pointing to the same IP address. But if you use this FQDNs with an domainobject (FQDN enabled) int he rulebase they are always refenced to the same IP. As an result all your requests will be matched by your first rule with the domain object. The gateway creates the FQDN-IP address association at time of policy install and after a periodic time.

Another thing to be aware. With ReverseProxy you have to connections on the gateway:

External host => ReverseProxy on gateway

ReverseProxy on gateway => internal host

The internal host does not see the IP address of the external host, the connection from gateway to internal host has source IP of the gateways internal interface.

There's a main difference beetween the handling of FQDN objects and the URLs. I think what you need is an incoming URL-Filter rulebase for your ReverseProxy connections. But this is something what does not work with CheckPoints ReverseProxy solution.