topic Re: Indicator vs Implied rules in Firewall and Security Management

Indicator vs Implied rules

Dor_Marcovitch — Wed, 06 Jan 2021 12:47:14 GMT

hey,

anyone had a scenario in which he loaded an indicator file to block IP addresses and than keep seeing traffic from them accepted on implied rule?

i was wondering isn't indicator file should be "stronger" the implied rules ?

Re: Indicator vs Implied rules

_Val_ — Wed, 06 Jan 2021 14:12:56 GMT

Just to understand, are you referring to Thread Indicator file or something else?

Re: Indicator vs Implied rules

cyberluke365 — Thu, 19 Sep 2024 16:43:37 GMT

Hello @_Val_,

I'm replying to this (old) thread because I'd like to understand more about this topic: I have the same question of @Dor_Marcovitch.

Check Point version: R81.20

I have an External Indicator (global) defined in Threat Prevention blade, pointing to a text file hosted by an internal website (e.g. https://MySite.com/IoC.txt ). That file is listing public IP addresses that must be blocked (30 in total). The Test Feed is working fine (all IP addresses are discovered successfully).

In order to test the new IoC, I put the public IP address of my home computer in that list:

I expected that when attempting to reach the public IP address of the Check Point gateway from my home PC via a browser (https://<CheckPointPublicIP>), I would be blocked by Check Point. Instead, according to the SmartConsole logs, the traffic is marked as Accept by Implied Rule 0.
I assume, then, that the implied rules take precedence over everything else (?). If that's the case, how can I prevent/solve this?
I expected that when attempting to reach a public IP address of an internal website published via Check Point (NAT) from my home PC, I would be blocked by Check Point. However, according to the SmartConsole logs, the traffic is marked as Accepted by the corresponding Access Rule (allowing traffic from outside to the website).
I have a feeling that the Indicator might not be working, or the traffic isn't being blocked because there is no actual malicious activity (I'm simply accessing a website through a browser). What can you tell me about this?

Main goal is to block any IP address on the IoC list, always.

I also tried with Network Feed object put as Source in an Access Rule (destination Any), but, again, traffic from my home computer versus the public IP address of the Check Point gateway is not blocked due to Implied Rule 0 (like point 1); however, traffic versus internal website is blocked by the Access Rule matching Network Feed (that is good).

What about all points above ?

Thank you.

Re: Indicator vs Implied rules

PhoneBoy — Thu, 19 Sep 2024 22:23:09 GMT

For the first issue, see: https://support.checkpoint.com/results/sk/sk105740

For the second issue, what blades are active?
Network Feeds only require Firewall to be active, so it might be a better fit.

Re: Indicator vs Implied rules

cyberluke365 — Fri, 20 Sep 2024 07:35:14 GMT

Hello @PhoneBoy,

thank you for your reply.

About the first: The SK you mentioned seems to address the issue with the Implied Rule issue quite well happening for both Threat Indicators and Network Feeds (I will look into the matter further).

Network Feeds do their job blocking traffic versus NAT-ted websites (blocked by specific Access Rule).

Regarding the second:

Firewall
Application Control
URL Filtering
IPS
Anti-Bot
Anti-Virus
...

What is not clear now is why, using (custom) Threat Indicators, traffic coming from blocked IP versus NAT-ted websites is allowed.

Thank you very much.

Re: Indicator vs Implied rules

Timothy_Hall — Fri, 20 Sep 2024 12:58:31 GMT

Keep in mind that the IP address configured in your feed needs to be the Original, pre-NAT address to block properly. Just like in all Access Control and Threat Prevention policy layers, you need to match against the original IP addresses in the packet prior to any NAT operations. Trying to match and block a post-NAT IP address will not work.

Re: Indicator vs Implied rules

PhoneBoy — Fri, 20 Sep 2024 19:28:38 GMT

Pre-R81, we didn't block incoming traffic from the Custom Threat Indicator feeds, only the outbound traffic.
If that's still happening in R81+, it warrants a TAC case.