topic Re: About Global properties in General Topics

About Global properties

Vengatesh_SR — Thu, 27 Dec 2018 11:58:48 GMT

Can you please help us the working of Accept Domain name over UDP (queries) and Accept Domain Name over TCP (Zone transfer) in the global properties.

If we enable what it exactly does.

Regards,

Vengatesh SR

Re: About Global properties

Alisson_Lima — Thu, 27 Dec 2018 12:45:59 GMT

Hi Vengatesh SR‌,

This option will enabled DNS queries on UDP/53 and DNS zone transfer over TCP/53 using a implicit rule. In other words, it not necessary create a rule on rulebase to accept dns traffic if this option is enabled.

Alisson Lima

Re: About Global properties

Vengatesh_SR — Thu, 27 Dec 2018 12:49:56 GMT

yes we can see the implicit rule created if we enable the Accept Domain name over UDP (queries) and Accept Domain Name over TCP (Zone transfer). We have already enabled it in our production device. We need to know if we can disable it now we will get any impact or not.

And also wanted to know what it exactly does if we kept enabled.

Re: About Global properties

PhoneBoy — Thu, 27 Dec 2018 23:02:46 GMT

If you disable these global properties, then DNS lookups and zone transfers through the firewall will be blocked unless it is permitted by a different rule.

If you don't know if these things are happening through the he Security Gateway, then I recommend logging Implied Rules for a time before deciding to disable these properties.

Re: About Global properties

pankajagr83 — Wed, 28 Apr 2021 13:26:56 GMT

What is best practice , shold we enable accept ICMP request in implied rules?

if firewall interface is gateway for vlan and server in that vlan required to ping gateway interface what other solution? should we allow before stealth rule?

Re: About Global properties

PhoneBoy — Mon, 03 May 2021 02:11:11 GMT

Don't believe enabling via implied rules is strictly necessary.
ICMP would need to be allowed prior to your stealth rule, yes.

Re: About Global properties

the_rock — Mon, 03 May 2021 02:22:57 GMT

@Alisson_Lima is 100% correct. In simple words, anything you enable in that section would allow connection on implied rule, so you dont have to create specific policy based rules for it.

From R80 smart console guide, you can also click on help section and read it there as well. Hope that helps.

First - Applied first, before all other rules in the Rule Base - explicit or implied
Last - Applied last, after all other rules in the Rule Base - explicit or implied, but before the Implicit Cleanup Rule
Before Last - Applied before the last explicit rule in the Rule Base

Re: About Global properties

Timothy_Hall — Mon, 03 May 2021 13:38:04 GMT

Dameon brings up a good point here, and this is a topic I cover in the CCSA classes that I teach. The stealth rule should always be one of the first rules in your Network/Firewall policy layer, but what kind of rules need to appear prior to the stealth rule? The main ones are:

Administrative Access Rules - Allowing SSH/HTTPS/4434 from trusted internal hosts/networks to the firewall itself for purposes of management via the Gaia Web interface and clish/expert mode.
Ping/Traceroute - If you want the firewall to answer pings sent directly to one of its interfaces and/or show up as a visible hop in a traceroute, you'll need a rule allowing it. Generally I don't have a problem with the firewall responding to pings/traceroutes sent from an internal reasonably-trusted network, but definitely not for the Internet. Note that including the traceroute service in a rule used to halt SecureXL Accept Templating from that point (i.e. "acceleration disabled from rule #X"), but this limitation was lifted in gateway code version R80.10.
SNMP/NMS Polling - If you have a Network Management Station (NMS) initiating SNMP polls to the firewall, you'll need an explicit rule allowing it. Notice that it is possible to only allow the NMS to perform SNMP reads by utilizing the special service snmp-read, which would be considered best practices unless the NMS is performing SNMP set operations which is not too likely. Netflow and external authentication connections such as RADIUS/TACACS initiated by the firewall itself will be allowed by default (implied rule "Accept outgoing packets from gateway") unless you explicitly block it.
DHCP Server/Relay - If the firewall is performing DHCP Relay or acting as a DHCP server, the rules permitting this traffic must appear prior to the stealth rule.

There are a few other corner-case rules that have to appear prior to the Stealth Rule (VRRP multicast advertisements, legacy Client Authentication, SecureRemote Topology Downloads, etc.) but these are the big ones.

Re: About Global properties

Fincher — Mon, 29 Nov 2021 09:37:28 GMT

Hi! Could you help me please, i need to watch Global Properties in cli, how can i get this?