topic Re: CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule in Endpoint

CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule

rmsource_dotcom — Thu, 03 Feb 2022 23:43:03 GMT

We are seeing many firewall drops in the CP Harmony Endpoint logs stating that it is due to the "BlockAllTmpLog" Access Rule. We have one inbound rule that says any any allow, and one outbound rule that says any any allow.

My question is where do I find documentation or understand what the BlockAllTmpLog Access Rule is?

Below is a sample log

cp_severity=Low
loguid={0x61fc5ed3,0x0,0x80164a4,0xc091799}
sequencenum=16777215
version=1
client_version=84.70.0990
dst_dns_name=**************
ep_rule_id=0
event_type=Firewall
host_type=MacBookAir8,2
installed_products=Firewall Anti-Malware VPN Forensics Threat Emulation
local_time=1643967085
machine_guid=
os_name=macOS
os_version=11.6.1
policy_date=1643929240
policy_guid={F71F2C17-E66B-495B-87ED-2B155CC10CE7}
policy_name=Default Firewall settings for the entire organization
policy_type=10
product=Firewall
program_name=CPFWD
rule_name=BlockAllTmpLog
src_dns_name=**************
user_name=bill.samuelson@microsoft.com
user_sid=S-1-5-21-2229093338-1663155082-2634640864-65716

~Keith Smith

Re: CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule

the_rock — Fri, 04 Feb 2022 03:01:01 GMT

Hey Keith,

Im not an expert in harmony endpoint (more firewall guy), but one thing caught my eye when reviewing the log you pasted. Just curious, the line that gives the policy name says Default Firewall settings for the entire organization...to me, logically, that would equate to default implicit rule on regular firewall that would say any any block. Is there any way you can confirm rule(s) in that policy?

Again, apologies if it sounds like a dumb question, but just going based on my own logic here : - )

Andy

Re: CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule

Chris_Atkinson — Mon, 07 Mar 2022 15:49:41 GMT

Does the issue persists for you on the latest release E86.20?

Re: CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule

rmsource_dotcom — Mon, 07 Mar 2022 16:10:10 GMT

That's a good question. We only have a few clients on 86.20 and do not see those clients with drops from BlockAllTmpLog.

For everyone so you know what it is, it is in position 0 and is an implied rule created by Check Point. There is no documentation on it internally/externally from CP as of a couple weeks ago. You cannot change or view the settings of this rule.

Re: CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule

jgarcias — Fri, 01 Apr 2022 10:40:01 GMT

Did you find the solution? I'm also having some macbooks with network problems in E84.70 matching in "BlockAllTmpLog" rule...