https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105942#M20296 <P>Off the top of my head:</P> <UL> <LI>Gaia Platform Portal (OS configuration)</LI> <LI>Mobile Access Blade</LI> <LI>Captive Portal (for Identity Awareness)</LI> <LI>UserCheck&nbsp;</LI> <LI>Visitor Mode for Remote Access</LI> </UL> <P>There may be a few others.<BR />However, disabling/changing all those may not disable multiportal and the relevant implied rules.</P> Sun, 20 Dec 2020 03:12:03 GMT PhoneBoy 2020-12-20T03:12:03Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105701#M20258 <P>Hi All,</P><P>&nbsp;</P><P>I have been experiencing below issue related to Mobile Access Portal.</P><P>My requirement is to just block specific Public IPs from accessing Mobile Access Portal. What I've done is, I change Mobile Access-&gt;Portal Settings-&gt;According to the firewall policy to enabled and placed an explicit security rule to block required source IPs and then below that placed an explicit security rule to allow any source IP to Mobile Access Portal.</P><P>My Observation:</P><P>My Mobile Access Portal got blocked as expected to the required blocked IP addresses. But issue is when I checked smart log it showed me that blocked requests are also matched with an implied rule and the action is accept instead of my explicit block rule. But other public IPs matched with my explicit allow rule where as I expected.</P><P>&nbsp;</P><P>So my SIEM tool alerting us Blocked IPs are gaining access without getting blocked based on implied rule log.</P><P>&nbsp;</P> Thu, 17 Dec 2020 03:19:57 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105701#M20258 zeromahesh 2020-12-17T03:19:57Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105909#M20288 <P>Are you actually seeing two logs (one for the implied rule accepting and one for the block rule)?</P> Sat, 19 Dec 2020 03:53:02 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105909#M20288 PhoneBoy 2020-12-19T03:53:02Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105910#M20289 <P>What I see is when I access Mobile Access Portal using non blocked IP it matches to the explicit rule which allow access to mobile portal. When I access using blocked IP using explicit block rule matches to implicit rule and action shows as accept. But portal getting denied with SSL error. Some logs shows as denied by multiportal infrastructure.</P><P>&nbsp;</P> Sat, 19 Dec 2020 03:58:52 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105910#M20289 zeromahesh 2020-12-19T03:58:52Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105933#M20292 <P>Multiportal allows multiple portals to share the same port (e.g. Gaia WebUI, MAB, UserCheck).<BR />However, access (i.e. the initial TCP handshake) is generally permitted by implied rules, which is needed to determine which portal to activate.<BR />If you don’t want multiportal to respond at all, then you have to disable multiportal functionality per:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&amp;eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk165937" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&amp;eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk165937</A><BR />However, this means you will need to manually configure ALL the relevant portals to use a unique port.</P> Sat, 19 Dec 2020 19:12:09 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105933#M20292 PhoneBoy 2020-12-19T19:12:09Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105936#M20293 <P>Hi,</P><P>Currently I’ve already set Gia portal (Platform) Accessibility settings to “Internal Interface only”. Mobile Access Portal Accessibility option to “ According to firewall policy”. So what are the other portals published through all the interfaces by default and how to change port or interface.</P> Sat, 19 Dec 2020 20:48:40 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105936#M20293 zeromahesh 2020-12-19T20:48:40Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105942#M20296 <P>Off the top of my head:</P> <UL> <LI>Gaia Platform Portal (OS configuration)</LI> <LI>Mobile Access Blade</LI> <LI>Captive Portal (for Identity Awareness)</LI> <LI>UserCheck&nbsp;</LI> <LI>Visitor Mode for Remote Access</LI> </UL> <P>There may be a few others.<BR />However, disabling/changing all those may not disable multiportal and the relevant implied rules.</P> Sun, 20 Dec 2020 03:12:03 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105942#M20296 PhoneBoy 2020-12-20T03:12:03Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105943#M20297 <P>Hi,</P><P>Major issue that I'm facing is, when Implied rule matches for the connections from explicit rule blocked IPs even though portal is not loaded implied rule log says connection accepted. This incident is alerted by the SIEM tool. How to overcome this issue.</P> Sun, 20 Dec 2020 06:18:04 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105943#M20297 zeromahesh 2020-12-20T06:18:04Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105946#M20299 <P>Seems like you should tune this in the SIEM.<BR />However, if I’m understanding the macro in sk165937 correctly, where it shows you what section to comment out to entirely disable this behavior, you may be able to simply remove the following from the definition:</P> <PRE>IMPLIED_LOG,&nbsp;&nbsp;</PRE> <P>This will cause the gateway to still accept the connection as it’s doing now but not generate a log message.<BR />Don’t necessarily recommend this approach, tuning the SIEM would be better.</P> Sun, 20 Dec 2020 06:33:17 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105946#M20299 PhoneBoy 2020-12-20T06:33:17Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105947#M20300 <P>Hi,</P><P>Thank you for your suggestion. Please let me know what will happen if I enable separate portals in separate IPs in same interface. Will that solved the issue the way that I'm expecting...?</P> Sun, 20 Dec 2020 06:40:12 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105947#M20300 zeromahesh 2020-12-20T06:40:12Z https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105988#M20304 <P>The issue is coming from Multiportal itself, not the other portals in use.<BR />Most of the portals can be moved to a different port on the same IP if you prefer, but that doesn’t disable multiportal.</P> Sun, 20 Dec 2020 17:57:11 GMT https://community.checkpoint.com/t5/General-Topics/Mobile-Access-Web-Portal-Access-Matching-Rule-Issue/m-p/105988#M20304 PhoneBoy 2020-12-20T17:57:11Z