topic Still drop in Firewall and Security Management

Still drop

Moudar — Wed, 13 Dec 2023 07:31:16 GMT

Hi,

I have created a rule to allow all IPads to reach to .apple.com domain. The problem is that not all IPads are reaching to that domain, but some still drop, this is my rule:

Source: Ipad network

destination: .apple.com domain

services and application: any

Action:accept

Track:log

The IPad network is 10.10.32.0/19. After adding that rule some IPads are accepted to reach .apple.com:

And some still drop:

So why some are still dropping? They are reaching to the Cleanup rule 59.12, where 59.3 is to accept all connections to Apple?!

59 is an Inline layer where IPad network is in the source of it.

What do I miss here?!

Re: Still drop

G_W_Albrecht — Wed, 13 Dec 2023 09:48:30 GMT

https://community.checkpoint.com/t5/Security-Gateways/Apple-and-HTTPS-Inspection/m-p/176039

Re: Still drop

the_rock — Wed, 13 Dec 2023 11:49:24 GMT

What @G_W_Albrecht is your best process to follow...now, IF you dont use urlf blade, then domain objects is fine, but make sure it says .*.apple.com and fqdn option is unchecked, otherwise, it may not match all needed sub-domains.

Andy

Re: Still drop

Moudar — Wed, 13 Dec 2023 12:06:39 GMT

When trying to make it *.apple.com i get this:

Now my domain object looks like this:

Re: Still drop

Moudar — Wed, 13 Dec 2023 12:08:52 GMT

What if URL and application blades are active, is there any better way to do that ?

Re: Still drop

the_rock — Wed, 13 Dec 2023 12:09:21 GMT

Maybe you missed . in my post : -)

I mentioned .*.apple.com, but you can also do .*apple.com

Every domain object MUST start with .

Hope that helps

Andy

Please refer to below link:

https://support.checkpoint.com/results/sk/sk120633

Re: Still drop

the_rock — Wed, 13 Dec 2023 12:10:47 GMT

Yes, if those are enabled, please follow what @G_W_Albrecht suggested.

Andy

Re: Still drop

Moudar — Wed, 13 Dec 2023 12:24:19 GMT

Now it looks like this:

But still have drops!

I don't really understand what @G_W_Albrecht suggestion is?!

How should I use app and url blades to achieve the same?

Re: Still drop

the_rock — Wed, 13 Dec 2023 12:29:11 GMT

Just allow 17.0.0.0/8 subnet, that will fix it, as thats what Apple uses.

https://news.ycombinator.com/item?id=3341349

Otherwise, make sure urlf and appc blades are enabled and follow what Guenther suggested, screenshots are there, its pretty straight forward...you need to use built in applications in smart console, just type apple when adding it in the rule and bunch of stuff will pop up.

Andy

Re: Still drop

the_rock — Wed, 13 Dec 2023 12:31:44 GMT

Also, as per below

https://developer.apple.com/forums/thread/44549

Re: Still drop

Moudar — Wed, 13 Dec 2023 12:55:29 GMT

It works fine now with 17.0.0.0/8

URL and application, do you mean enable all these?

Re: Still drop

G_W_Albrecht — Wed, 13 Dec 2023 13:07:50 GMT

Could well be that only using 17.0.0.0/8 works for you, i would try before doing any other configuration !

Re: Still drop

the_rock — Wed, 13 Dec 2023 13:11:22 GMT

Not really, if that range works, then its good. I would leave it as is then.

Andy