https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192285#M67321 <P>The implied rules are what allow the traffic to TCP 80/443 in the first place.<BR />This option changes when those rules apply (either before the Access Policy or before the last explicitly configured rule).<BR />If you set this option to 1 and don't have a rule that blocks the traffic, the implied rule should still function.&nbsp;</P> Mon, 11 Sep 2023 18:23:01 GMT PhoneBoy 2023-09-11T18:23:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192141#M67320 <P>Hello,</P> <P><SPAN>Re sk180808, can someone please confirm the following</SPAN></P> <P><A href="https://support.checkpoint.com/results/sk/sk180808" target="_blank" rel="noopener" data-aura-rendered-by="3367:0">https://support.checkpoint.com/results/sk/sk180808</A></P> <P><SPAN>We have specific http and https traffic e.g. SSL VPN traffic, destined to external gateway IPs that needs to be allowed. </SPAN></P> <P><SPAN>With option 1 configured, will this traffic be caught by an implied rule before hitting the last explicit rule (the last explicit rule in the rule-base is a clean up rule)? Or do I&nbsp;</SPAN><SPAN>need to define an explicit allow rule for this traffic before the explicit clean up rule?</SPAN></P> <P><SPAN>Regards,</SPAN></P> <P><SPAN>Simon</SPAN></P> Sun, 10 Sep 2023 23:28:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192141#M67320 Simon_Macpherso 2023-09-10T23:28:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192285#M67321 <P>The implied rules are what allow the traffic to TCP 80/443 in the first place.<BR />This option changes when those rules apply (either before the Access Policy or before the last explicitly configured rule).<BR />If you set this option to 1 and don't have a rule that blocks the traffic, the implied rule should still function.&nbsp;</P> Mon, 11 Sep 2023 18:23:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192285#M67321 PhoneBoy 2023-09-11T18:23:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192354#M67322 <P>Correct.</P> <P>Also TAC confirmed this option is only related to multi-portal traffic.</P> <P><SPAN>So if option 1 is enabled, malicious http/https traffic sourced from an external source IP destined to a gateway external IP portal URL will be dropped by explicit drop rules, all other http/https multi-portal traffic will be allowed by implied rule, before the last explicit drop rule (explicit cleanup).</SPAN></P> <P><SPAN>My other concern is still allowing&nbsp;SSL VPN traffic whereby the user is connecting using a client (not multi-portal traffic), but dropping malicious connections to gateway external IPs on http/https that are currently being accepted by implied rule.</SPAN></P> <P><SPAN>Is SSL VPN traffic whereby the user is connecting using a client caught by a different implied rule, in which case it should be unaffected? This SSL VPN client traffic is https, though TAC mentioned this could also be port 4500 which I've never seen (port 4500 generally used NAT traversal in IPSEC VPN).&nbsp;</SPAN></P> <P><SPAN>Or is this traffic not caught by a separate implied rule, and I will need to ensure I explicitly allow this traffic?</SPAN></P> Mon, 11 Sep 2023 23:50:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192354#M67322 Simon_Macpherso 2023-09-11T23:50:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192362#M67323 <P>I will let&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;confirm 100%, but I believe that option is only related to 80/443 ports, not anything else...but, I could be mistaken.</P> <P>Andy</P> Tue, 12 Sep 2023 00:42:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192362#M67323 the_rock 2023-09-12T00:42:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192437#M67324 <P>Unless you’re running it on a different port, SSL VPN traffic also goes through MultiPortal.<BR />Which means you would need explicit rules to allow this traffic.</P> Tue, 12 Sep 2023 15:39:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192437#M67324 PhoneBoy 2023-09-12T15:39:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192469#M67325 <P>Including SSL VPN traffic where the user is connecting from a client?&nbsp;&nbsp;</P> Tue, 12 Sep 2023 23:34:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192469#M67325 Simon_Macpherso 2023-09-12T23:34:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192567#M67326 <P>Pretty sure any traffic destined to the gateway on port 443 will involve MultiPortal on some level.<BR />That would include SSL VPN traffic.</P> Wed, 13 Sep 2023 16:12:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/192567#M67326 PhoneBoy 2023-09-13T16:12:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/195406#M67327 <P>Hey, sorry to respond late to this, but just wondering...since customer is on R81.20 take 24, is rule enough to just block http access to the cluster, without modifying value listed in the sk?</P> <P>&nbsp;</P> <TABLE class="footnote" border="1" cellspacing="2" cellpadding="4"> <TBODY> <TR class="SubTitle" bgcolor="#ebebeb"> <TD>Variable Value</TD> <TD>Security Gateway Behavior</TD> </TR> <TR> <TD> <P>0</P> </TD> <TD>The Security Gateway / Cluster Member enforces the applicable implied rules for the Multi-Portal traffic before the explicit "Drop" rules (the "Before Drop" position).<BR />This is the default.</TD> </TR> <TR> <TD>1</TD> <TD>The Security Gateway / Cluster Member enforces the applicable implied rules for the Multi-Portal traffic before the last explicit rule (the "Before Last" position).</TD> </TR> </TBODY> </TABLE> <P>Cheers.</P> Tue, 17 Oct 2023 13:16:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/195406#M67327 the_rock 2023-10-17T13:16:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/195434#M67328 <P>This feature was added to R81.20 via JHF but is OFF by default.<BR />It must be explicitly configured per the SK.</P> Tue, 17 Oct 2023 14:46:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-accepts-HTTP-HTTPS-traffic-by-implied-rule-for/m-p/195434#M67328 PhoneBoy 2023-10-17T14:46:14Z