https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170000#M28262 <P>Hello,</P><P>I understand that this mechanism "appears" when you have many "similar" rules, right?</P><P>Something like if you have 4 rules, that all work with "Source" and "Destination" as "any", "any", and you just "customize" the services, changing the actions, between "Allow" and "deny".</P><P>If you decide to put a 5th rule in the list that has almost the same criteria as the first 4, I understand that the "mechanism" of CPEarlyDrop appears, is this correct?</P><P>My question is, when this type of mechanism appears, at the moment of creating an explicit rule, what is the best solution method, to make the traffic match with the rule that I just created, and not with the CPEarlyDrop?</P><P>Thanks for your comments.</P><P>Thanks for your comments.</P> Wed, 01 Feb 2023 23:34:53 GMT Matlu 2023-02-01T23:34:53Z https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/169977#M28258 <P>Hello, team.</P><P>Could someone enlighten me with the following question.</P><P>How does the "mechanism" of "CPEarlyDrop" work?</P><P>Sometimes it is really annoying, as I understand a little bit the SK, although not 100%.</P><P>I would like to know, what is the best way to avoid "running into" this mechanism, when creating a security rule, to allow or deny an access to certain origin(s) of your network.</P><P>I share with you an image of a log of my client's environment, where having created an explicit rule to allow the connection from an origin to a destination, the traffic does not MATCH with this rule, but it does MATCH with the CPEarlyDrop.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CPEarly.jpg" style="width: 932px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19387iEAAA7CD4B593E9E5/image-size/large?v=v2&amp;px=999" role="button" title="CPEarly.jpg" alt="CPEarly.jpg" /></span></P><P>I will be attentive to your kind comments.</P><P>Regards.</P> Wed, 01 Feb 2023 18:48:26 GMT https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/169977#M28258 Matlu 2023-02-01T18:48:26Z https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/169996#M28261 <P>The mechanism is described here:<BR /><A class="cp_link sc_ellipsis" style="max-width: 840px;" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111643&amp;partition=Advanced&amp;product=Quantum" target="_blank" rel="noopener">sk111643: Early drop of a connection before the final rule match</A><BR /><BR />It is well explained in the SK video.<BR /><BR />If that is not enough, please describe your question in more detail.<BR /><BR /></P> Wed, 01 Feb 2023 22:37:38 GMT https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/169996#M28261 HeikoAnkenbrand 2023-02-01T22:37:38Z https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170000#M28262 <P>Hello,</P><P>I understand that this mechanism "appears" when you have many "similar" rules, right?</P><P>Something like if you have 4 rules, that all work with "Source" and "Destination" as "any", "any", and you just "customize" the services, changing the actions, between "Allow" and "deny".</P><P>If you decide to put a 5th rule in the list that has almost the same criteria as the first 4, I understand that the "mechanism" of CPEarlyDrop appears, is this correct?</P><P>My question is, when this type of mechanism appears, at the moment of creating an explicit rule, what is the best solution method, to make the traffic match with the rule that I just created, and not with the CPEarlyDrop?</P><P>Thanks for your comments.</P><P>Thanks for your comments.</P> Wed, 01 Feb 2023 23:34:53 GMT https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170000#M28262 Matlu 2023-02-01T23:34:53Z https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170005#M28264 <P>CPEarlyDrop kicks primarily when multiple rules kick in with similar source/destination, Services that aren't just simple TCP/UDP services, and the action is Drop.<BR />The "services that aren't simple TCP/UDP services" are key because they require packets beyond the first SYN to make a rulebase match and is when CPEarlyDrop kicks in.<BR />Rules that involve only simple TCP/UDP services with the action Accept won't be subject to CPEarlyDrop since they can be resolved on the first packet.</P> <P>To clean up the problem, you should probably disable (temporarily) the mechanism as described in the SK and see what rules the traffic matches.<BR />The offending rule(s) should be logged and you can adjust them accordingly.&nbsp;</P> Thu, 02 Feb 2023 00:13:39 GMT https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170005#M28264 PhoneBoy 2023-02-02T00:13:39Z https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170006#M28265 <P>Hello,</P><P>&nbsp;</P><P>One doubt, when you talk about "Simple TCP/UDP services", you are referring to "known ports", for example the 179 which is, as far as I remember the port for BGP, or for example the port for RDP 3389.</P><P>Is it these services you are referring to, in your comment?</P><P>&nbsp;</P><P>Is it a viable option to take the rule I created, and put it at the beginning of the rule base, just to "test" the traffic?</P><P>&nbsp;</P><P>This way I avoid disabling perhaps the CPEarlyDrop mechanism.</P><P>&nbsp;</P><P>Greetings.</P> Thu, 02 Feb 2023 00:29:13 GMT https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170006#M28265 Matlu 2023-02-02T00:29:13Z https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170013#M28270 <P>You are correct on both accounts.</P> Thu, 02 Feb 2023 01:46:48 GMT https://community.checkpoint.com/t5/General-Topics/CPEarlyDrop-Mechanism/m-p/170013#M28270 PhoneBoy 2023-02-02T01:46:48Z