topic Re: External Gateway 80/443 and Implied Rules in Firewall and Security Management

External Gateway 80/443 and Implied Rules

VikingsFan — Wed, 07 Aug 2024 11:33:45 GMT

We're building a new R81.20 Take 76 cluster and have moved to the newer way of geo blocking and using the access rules instead of using the old geo block module. What we've noticed is that countries we're wanting to block are getting to 80/443 due to implied rules. I've dug through the forums and have tried everything I can find and I'm still seeing implied rules allowing traffic to our gateway IPs. What am I missing? Here are the things I've tried/done so far:

1. Went into the Global Properties and unchecked Accept Control Connections.

2. Went into the SAML Portal cluster property and set to 'According to Firewall Policy'

3. Followed sk180808 which I found from this other post and felt like would be the winner but it didn't work. It doesn't say I have to restart gateways but when I grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf I get the proper value returned. Post: https://community.checkpoint.com/t5/Security-Gateways/Implied-rule-0-for-external-gw-interface-IP/m-p/185949

Thanks!

Re: External Gateway 80/443 and Implied Rules

Chris_Atkinson — Wed, 07 Aug 2024 13:57:50 GMT

Did you also try the other SK referenced there in the same thread.

Which kernel parameters did you set where - mgmt vs gw?

How does the policy look, using any layers etc?

Re: External Gateway 80/443 and Implied Rules

VikingsFan — Wed, 07 Aug 2024 14:08:33 GMT

Which SK, SK105740 ? I did follow that one up to changing the GUI settings. I did not play with the fw_ignore_before_drop_rules mentioned near the bottom.

On SK180808 I ran the two commands on the Mgmt and installed policy afterwards.

$MDS_FWDIR/scripts/reload_env_vars.sh -e "IMPLIED_RULES_SET_BEFORE_LAST=1"
$MDS_FWDIR/scripts/override_server_setting.sh -e IMPLIED_RULES_SET_BEFORE_LAST 1

Policy is simple. Single Security layer and first rule is the country geo block.

So recommended to try the fw_ignore_before_drop_rules kernel change on the two gateways in the cluster? If that works, do I need to back out the change made in SK180808?

Re: External Gateway 80/443 and Implied Rules

Lesley — Wed, 07 Aug 2024 18:13:40 GMT

What stuff / blades you have enabled? Think about VPN clients, site to site VPN, MAB IA maybe GAIA portal on this port?

Re: External Gateway 80/443 and Implied Rules

VikingsFan — Wed, 07 Aug 2024 19:52:18 GMT

We have all blades except Mobile Access and Content Awareness enabled under 'Access Control' and Everything under Advanced except QOS. I can try the fw_ignore_before_drop_rules but was waiting to see if Chris confirmed.

Re: External Gateway 80/443 and Implied Rules

Lesley — Wed, 07 Aug 2024 20:15:02 GMT

Do not block 443 you will break vpn clients, see also https://support.checkpoint.com/results/sk/sk52421

Re: External Gateway 80/443 and Implied Rules

VikingsFan — Wed, 07 Aug 2024 20:16:34 GMT

Understood. I don't want to completely block 443. I'm attempting to Geo Block via the Access Policy but implied rules are letting in China/Russia to 80/443. I want to block them. I have an allow rule underneath allowing from everyone else.

Re: External Gateway 80/443 and Implied Rules

Lesley — Wed, 07 Aug 2024 20:39:59 GMT

you also changed to policy in here? SmartConsole > Platform Portal > Accessibility > Edit.

Re: External Gateway 80/443 and Implied Rules

CheckPointerXL — Wed, 07 Aug 2024 22:47:07 GMT

Did you evaluate fwaccel dos rules? https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/td-p/172695

As a possible workaround, dnat pubblic to fake ip by sourcing the country could be an option...not sure it's a working method

Re: External Gateway 80/443 and Implied Rules

VikingsFan — Thu, 08 Aug 2024 11:38:19 GMT

Have not gone that route yet as I was hoping to be able to leverage Access Policy to control the traffic. According to that post, PhoneBoy made it sound like it's impossible to stop the implied rules from hitting but reading sk180808 it does sound like it's possible. Confused.

Re: External Gateway 80/443 and Implied Rules

Lesley — Thu, 08 Aug 2024 14:05:02 GMT

100% sure you can do it, this is a log from one of my customers:

Time: 2024-08-08T13:56:36Z
Interface Direction: inbound

Service ID: https
Source: IP address
Source Port: 56002
Destination: Firewall IP
Destination Port: 443
IP Protocol: 6
Protocol: HTTPS
Action: Accept
Type: Connection
Policy Date: 2024-08-08T08:35:05Z
Blade: Firewall
Origin: FW
Service: TCP/443
Product Family: Access
Logid: 0
Access Rule Name: Name
Access Rule Number: 6
Description: https Traffic Accepted

Do this one i posted before:

you also changed to policy in here? SmartConsole > Platform Portal > Accessibility > Edit.

Re: External Gateway 80/443 and Implied Rules

VikingsFan — Thu, 08 Aug 2024 19:01:19 GMT

Hi Lesley,

If I go to Platform Portal, Accessibility is grayed out but does say 'According to Firewall Policy'. Maybe because we changed the Portal to a non-standard port (not 443)?

So update on this... I haven't made any change since setting the Portal, tweaking the Control setting under the blades and running the SK180808 script. I checked this morning and traffic from the geo-blocked countries began dropping around 11:30AM. I'm not sure why unless the settings take some time to go into effect? I'm going to keep an eye on it but for now, the geo block is working.

Re: External Gateway 80/443 and Implied Rules

PabloBarrera — Sun, 04 May 2025 05:00:34 GMT

Did it finally worked or you moved to something else?