topic Re: Traffic does not match with explicit rule in General Topics

Traffic does not match with explicit rule

Matlu — Wed, 19 Jul 2023 16:59:37 GMT

Hello, Team

I have the following scenario, which I would like to clarify my doubt.

I have a Cluster R81.10

We have a publication of a service, so that from the Internet (From certain public IPs, can access our service pointing to a TCP port 1122)

The problem I see is that the traffic is not doing MATCH with the first explicit rule that I have, which has the #585, but is doing MATCH with a rule that is below with #594, and I do not understand the "why", because the first rule has a "custom" group where we are explicitly declaring the IP that we want to connect to our server, but for some reason, the traffic "ignores" the first rule, and goes to the rule that is below.

Is this a normal behavior? Is it something that can be corrected?

The purpose is that the traffic makes MATCH with the 585.

I hope you can support me with your point of view.

Greetings.

Re: Traffic does not match with explicit rule

the_rock — Wed, 19 Jul 2023 17:24:35 GMT

The reason I see is that one has source any.

Re: Traffic does not match with explicit rule

Matlu — Wed, 19 Jul 2023 17:34:10 GMT

Buddy,

But rule #585, is much more explicit than rule #594, other than that, it is more "up" in the rulebase.

I don't see the logic in it. 😕

Re: Traffic does not match with explicit rule

the_rock — Wed, 19 Jul 2023 17:48:45 GMT

K, so whats the source IP you are coming from and is it included in that group in rule 585?

Andy

Re: Traffic does not match with explicit rule

Matlu — Wed, 19 Jul 2023 17:55:29 GMT

Rule #585, has as its origin a general group.
The group is called GRP_SFTP_200.48.202.52.

Within this group, there are several additional "subgroups", 1 of them is the group GRP_RE, in which there are several public IPs to which we are allowing access to our public one.

So, I do not understand why the traffic "ignores" this rule, and goes to the rule that has as origin an ANY.

Re: Traffic does not match with explicit rule

the_rock — Wed, 19 Jul 2023 17:58:03 GMT

Maybe try disable,re-enable rule,push policy and test. Otherwise, try below example

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-up_execute.htm

Andy

Re: Traffic does not match with explicit rule

Matlu — Wed, 19 Jul 2023 18:00:41 GMT

That's like a Cisco Packet-Tracert, isn't it?

To validate the rule for certain traffic?

Re: Traffic does not match with explicit rule

the_rock — Wed, 19 Jul 2023 18:05:55 GMT

Sort of...

Re: Traffic does not match with explicit rule

Matlu — Wed, 19 Jul 2023 18:11:11 GMT

I got almost the same result as what can be seen by the SmartConsole.

As I interpret it, it first "matches" rule #585.

Re: Traffic does not match with explicit rule

the_rock — Wed, 19 Jul 2023 18:45:14 GMT

Thats what it shows, right...BUT, as I said, if it fails, I would try what I found to be easy fix in the past. Disable rule 585, push policy, re-enable, push policy. If that fails, disable rule 594, push policy and test. Does traffic get dropped?

Andy

Re: Traffic does not match with explicit rule

Matlu — Thu, 20 Jul 2023 00:12:13 GMT

We have not observed "traffic down", but for auditing purposes, the traffic should match the rule that has been defined for it (Rule #585).

Re: Traffic does not match with explicit rule

the_rock — Thu, 20 Jul 2023 00:24:26 GMT

I agree bro, you are 100% right. I cant see why its not catching that rule, UNLESS there is some sort of nat or something causing it. If not, then I would get in touch with TAC to solve it via remote session. Before that, try my suggestion and see what happens.

Re: Traffic does not match with explicit rule

PhoneBoy — Thu, 20 Jul 2023 12:30:32 GMT

This is probably going to require the TAC to investigate.
https://help.checkpoint.com