topic Re: Implied Rule 0 in General Topics

Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 10:41:59 GMT

Hello!

Gateway version 80.40 (Model 15600)

Can you please explain why this is passing with this implied rule? I observe similar behavior in a log that someone attack with ssh from outside to inside.

thank you

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 10:46:56 GMT

One of your cluster member is connecting to Akamai based Check Point update servers. Absolutely normal.

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 10:54:43 GMT

look at this too.

Re: Implied Rule 0

G_W_Albrecht — Thu, 25 Mar 2021 10:55:08 GMT

I can see an accepted connection from Internal to External on Sync Interface that was accepted by Network Layer Rule 29. Second, Application layer implied rule is listed - what is wrong with that ?

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 10:56:56 GMT

What exactly you do expect me to see here? Please phrase your question in a way it can be understood.

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 10:58:50 GMT

Sorry. I am allowing ssh anywhere so how it is passed (as you can see in the log)?

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 11:00:05 GMT

On the application layer why is this automatically accepted? where is this rule 0 and how can i change this?

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 11:01:54 GMT

You do not want disallowing FWs to open outgoing connections. Lots of thinks will break.

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 11:05:57 GMT

I can see the rule is matched on Network policy and Application control policy. Apparently you have two layers or more. You allow SSH anywhere, it passes, what is the question? What are you trying to figure our, actually?

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 11:06:59 GMT

I am not allowing ssh, i have 2 ordered layers network and application.

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 11:13:01 GMT

My question here is how ssh passed with the rule implicied clean up at network layer? i have no rule that allows ssh and at the end of my rules i have the block all enabled.

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 11:17:21 GMT

Check your policy once more. There are rules matching. What is looking fishy is that your Implicit Cleanup rule says "Accept".

You must configured Implicit action to be accept for Network, which is super bad. Change it to drop.

Also make sure you read and understand you admin manual and sk112249

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 11:24:04 GMT

Already answered above. You have implied clean rule set to accept. That should not happen. Basically, you are wide open for any traffic which is not matched to your explicit rules.

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 12:09:35 GMT

Where this rule located ? The implicit cleanup rule 0

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 12:20:00 GMT

See the screenshot above. Click on Layer/Advanced

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 12:23:36 GMT

thank you very much, so the scenario everything is denied except allowance rule, in application and network layer the implicit cleanup rule must be at deny.

Right?

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 14:53:07 GMT

Yes. Never ever change implied action on Network layer.

It is okay to have it Allow for Application Control though, because otherwise all non-categorized traffic will be dropped.

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 15:14:25 GMT

My last network rule is any any block all. So you mean that this implied cleanup that we are taking about it accepts before the last rule ?

Re: Implied Rule 0

_Val_ — Thu, 25 Mar 2021 15:26:22 GMT

Block or drop?

Re: Implied Rule 0

Netadmin2020 — Thu, 25 Mar 2021 15:40:39 GMT

drop all