topic Re: Implied rules and dynamic objects in General Topics

Implied rules and dynamic objects

David_C1 — Tue, 26 Mar 2024 19:33:40 GMT

I've been playing with Implied Rules in my lab. Currently have things set like this:

With this set, these rules appear (among others):

(we have generally stayed away from implied rules - those rules with source "Any" make me uncomfortable).

My specific question - is there a published list of what all these dynamic objects (e.g. FW1 Management, FW1 Module) are? Is there a way to resolve them on the gateway? (dynamic_objects command doesn't seem to help).

Dave

Re: Implied rules and dynamic objects

the_rock — Wed, 27 Mar 2024 00:49:29 GMT

I believe they simply refer to mgmt and fw object(s), but I could be mistaken.

Andy

Re: Implied rules and dynamic objects

David_C1 — Wed, 27 Mar 2024 13:35:52 GMT

Most of these are somewhat self-explanatory, at least to someone who has been working with Check Point for some time. However, if we enable implied rules in production, we will need to provide a vendor provided explanation of what these objects represent, since they will be part of our access policy. Here's a list of the objects in the implied rules based on my config above:

According to Gateway MTA Settings
MTA enabled Gateways
According to Gateway ICAP Settings
ICAP enabled Gateways
Analyzer Server
FW1 Management
FW1 Module
Log Servers
RT-Physical-Servers
Ldap-Servers
Tacacs-Servers
Radius-Servers
UFP-Servers
CVP-Servers
LocalMachine
NG Policy Server
Reporting Server
SmartPortal
Gui-clients

CPMI-clients

In general, I know enabling implied rules is considered best/recommended practice (by Check Point support), but again, rules with a source of "any" does not strike me as best security practice. Feedback welcome.

Dave

Re: Implied rules and dynamic objects

the_rock — Wed, 27 Mar 2024 14:00:47 GMT

I get your point. Honestly, if I were you, I would try get an official TAC answer for this.

Just my 2 cents...

Andy

Re: Implied rules and dynamic objects

David_C1 — Fri, 29 Mar 2024 13:39:19 GMT

Andy,

Good suggestion, and I've opened a case. Surprised there isn't documentation around this, but not the first time I've been surprised by similar lack of documentation.

Dave

Re: Implied rules and dynamic objects

David_C1 — Fri, 29 Mar 2024 17:38:48 GMT

Ticket has been opened and support directed me to sk17745, which provides some information. It's not complete (and honestly doesn't really answer the question I asked) but it's a start. I also found these interesting implied rules that are created when you enable "Accept Control connections"

Why interesting?

Either sk52421 is inaccurate or Check Point is enabling rules for services that have not been supported since the stone age.

Dave

Re: Implied rules and dynamic objects

the_rock — Fri, 29 Mar 2024 18:40:40 GMT

You really got me curious about it now too. I clicked help section when viewing implied rules and link that comes up is this:

Implied Policy - Rules (checkpoint.com)

On that link, you get directed to below:

https://support.checkpoint.com/results/sk/sk119497

Andy