https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219236#M41896 <P>You can do it a little differently to achieve the same thing by creating a 'Group With Exclusions'. Attached are how I did it. You can add any public IP ranges that are also part of your internal/DMZ network to the 'except' group as well. This way the group itself is 'anything except the defined IP ranges' rather than negating the whole destination cell in the rule.</P> Mon, 01 Jul 2024 06:32:29 GMT emmap 2024-07-01T06:32:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219195#M41891 <P>Hi, I am tightening up our rulebase for some new internal network that I have created</P><P>&nbsp;</P><P>I have hit the issue that I several rules that allow certain hosts internet access via having ANY in the destination.&nbsp; This now affects my new subnets as a possible way to access them as matching the ANY destination.</P><P>Does anyone have a clever suggestion of a way around this without rulebase changes such as a block rule before all affected rules hits that first then gets denied ( this has ramifications for rule ordering for the allowed accesses )?</P><P>The internet access need to be unrestricted hence any so restricting that is not an option</P><P>May Thanks</P><P>&nbsp;</P><P>Neil</P><P>Clustered Checkpoint R81.10 Take 150 (x2 devices)</P><P>&nbsp;</P> Sat, 29 Jun 2024 07:56:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219195#M41891 Nelly 2024-06-29T07:56:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219197#M41893 <P>There was a discussion about defining Internet a few years back.</P> <P>&nbsp;</P> <P><A href="https://community.checkpoint.com/t5/Management/Properly-defining-the-Internet-within-a-security-policy/m-p/10561" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Management/Properly-defining-the-Internet-within-a-security-policy/m-p/10561</A></P> <P>So you have many ways to approach this. Personally, I tend to use private or internal networks in a group and negate them as destination, but you could use the Internet object or any other discussed method depending on your topology.</P> Sat, 29 Jun 2024 08:51:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219197#M41893 Alex- 2024-06-29T08:51:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219198#M41894 <P>I do the same with the negate method</P> Sat, 29 Jun 2024 08:59:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219198#M41894 Lesley 2024-06-29T08:59:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219204#M41895 <P>Super easy, this is what you do. Edit policy layer, then network layer, enable urlf blade, save, publish, add Internet object as dst, publish, install policy.</P> <P>Thats it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Forgot to add, make sure urlf + appc blades are enabled on gateway object.</P> <P>Andy</P> Sat, 29 Jun 2024 20:42:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219204#M41895 the_rock 2024-06-29T20:42:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219236#M41896 <P>You can do it a little differently to achieve the same thing by creating a 'Group With Exclusions'. Attached are how I did it. You can add any public IP ranges that are also part of your internal/DMZ network to the 'except' group as well. This way the group itself is 'anything except the defined IP ranges' rather than negating the whole destination cell in the rule.</P> Mon, 01 Jul 2024 06:32:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219236#M41896 emmap 2024-07-01T06:32:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219308#M41914 <P>Why not use ExternalZone?<BR />This should be associated with your external interface(s).<BR />Available for R8x gateways.</P> Mon, 01 Jul 2024 18:53:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219308#M41914 PhoneBoy 2024-07-01T18:53:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219366#M41927 <P>VPN-s go via internet, if i use external zone will this be affected ?</P> Tue, 02 Jul 2024 09:13:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219366#M41927 Nelly 2024-07-02T09:13:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219371#M41929 <P>If its tied to your external interface, then it wont work in such scenario.&nbsp;</P> <P>Andy</P> Tue, 02 Jul 2024 10:16:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219371#M41929 the_rock 2024-07-02T10:16:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219417#M41942 <P>For IPv4, Internets_Except should probably also contain</P> <UL> <LI>0.0.0.0/8 - reserved for the local network</LI> <LI>100.64.0.0/10 - private network for CG NAT (<A href="https://datatracker.ietf.org/doc/html/rfc6598" target="_self">RFC 6598</A>)</LI> <LI>127.0.0.0/8 - loopback</LI> <LI>169.254.0.0/16 - link local</LI> <LI>192.0.0.0/24 - private network (Dual Stack Lite; <A href="https://datatracker.ietf.org/doc/html/rfc6333" target="_self">RFC 6333</A>)</LI> <LI>192.0.2.0/24 - reserved for documentation (<A href="https://datatracker.ietf.org/doc/html/rfc5737" target="_self">RFC 5737</A>)</LI> <LI>192.88.99.0/24 - reserved (<A href="https://datatracker.ietf.org/doc/html/rfc7526" target="_self">RFC 7526</A>; originally for 6to4 relay; while that has been deprecated, the block has not been released)</LI> <LI>198.18.0.0/15 - private network for benchmarking performance (<A href="https://datatracker.ietf.org/doc/html/rfc2544" target="_self">RFC 2544</A>)</LI> <LI>198.51.100.0/24 - reserved for documentation (<A href="https://datatracker.ietf.org/doc/html/rfc5737" target="_self">RFC 5737</A>)</LI> <LI>203.0.113.0/24 - reserved for documentation (<A href="https://datatracker.ietf.org/doc/html/rfc5737" target="_self">RFC 5737</A>)</LI> <LI>224.0.0.0/4 - multicast (there's also a multicast network reserved for documentation:&nbsp;233.252.0.0/24, <A href="https://datatracker.ietf.org/doc/html/rfc6676" target="_self">RFC 6676</A>)</LI> <LI>240.0.0.0/4 - reserved experimental (<A href="https://datatracker.ietf.org/doc/html/rfc3232" target="_self">RFC 3232</A>)</LI> </UL> <P>None of these destinations are allowed to refer to real things on the public Internet.</P> Tue, 02 Jul 2024 13:39:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Create-firewall-rule-for-internet-access-without-using-any-as/m-p/219417#M41942 Bob_Zimmerman 2024-07-02T13:39:18Z