<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Force one-way inspection in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/Force-one-way-inspection/m-p/245537#M40985</link>
    <description>&lt;P&gt;For UDP it's easy, you can turn off 'accept replies for unknown UDP' and make sure 'accept replies' is not enabled on the custom UDP service object.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Normal inbound connections are already blocked simply by not putting a rule in to allow them.&lt;/P&gt;
&lt;P&gt;Using an open outbound HTTPS connection to prevent data transfer inbound I don't know that we can, we have to accept reply packets for the session to establish else you won't get anything. In order to be able to understand the nature of the HTTPS stream once the session is up, we'd have to decrypt it so that we can see what's going on in there, which may already break things due to cert stuff etc. At a basic layer 3/4 level I don't know that anything could accomplish what you're asking for.&lt;/P&gt;
&lt;P&gt;We need to better understand the connections that are established and in what direction to be able to properly determine the course of action here.&lt;/P&gt;</description>
    <pubDate>Thu, 03 Apr 2025 02:10:59 GMT</pubDate>
    <dc:creator>emmap</dc:creator>
    <dc:date>2025-04-03T02:10:59Z</dc:date>
    <item>
      <title>Force one-way inspection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Force-one-way-inspection/m-p/245527#M40980</link>
      <description>&lt;P&gt;Experts,&lt;/P&gt;&lt;P&gt;Is it possible to force a security gateway to behave like a Cisco ASA firewall for a limited use case and only allow traffic one way? For example,&amp;nbsp;&lt;SPAN&gt;opening up https and another non-standard port outbound from a DMZ at one location and this system talks outbound to a cloud service for monitoring. There are capabilities of the system to connect inbound from the cloud service but we only want the system in the DMZ to connect outbound to transfer data. No inbound even if it's a reverse tunnel from an existing https outbound connection.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Apr 2025 21:32:06 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Force-one-way-inspection/m-p/245527#M40980</guid>
      <dc:creator>CPArk</dc:creator>
      <dc:date>2025-04-02T21:32:06Z</dc:date>
    </item>
    <item>
      <title>Re: Force one-way inspection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Force-one-way-inspection/m-p/245530#M40982</link>
      <description>&lt;P&gt;Let me take a "crack" at this, though there are way smarter people on here than myself, so I'm sure they will give you the correct answer.&lt;/P&gt;
&lt;P&gt;Some ways I can think of doing what you asked:&lt;/P&gt;
&lt;P&gt;-define rules to allow ONLY outbound connections, you can use zones in the policy for this and create rules to block inbound connections&lt;/P&gt;
&lt;P&gt;-define anti spoofing for specific interface just to reflect that specific network&lt;/P&gt;
&lt;P&gt;-stateless inspection, i.e. disable stateful inspection (not 100% sure though if that is a must here)&lt;/P&gt;
&lt;P&gt;-policy based routing&lt;/P&gt;
&lt;P&gt;-NAT (for example define static nat only where required)&lt;/P&gt;
&lt;P&gt;Hope that helps.&lt;/P&gt;
&lt;P&gt;Best,&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Wed, 02 Apr 2025 22:29:22 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Force-one-way-inspection/m-p/245530#M40982</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2025-04-02T22:29:22Z</dc:date>
    </item>
    <item>
      <title>Re: Force one-way inspection</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Force-one-way-inspection/m-p/245537#M40985</link>
      <description>&lt;P&gt;For UDP it's easy, you can turn off 'accept replies for unknown UDP' and make sure 'accept replies' is not enabled on the custom UDP service object.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Normal inbound connections are already blocked simply by not putting a rule in to allow them.&lt;/P&gt;
&lt;P&gt;Using an open outbound HTTPS connection to prevent data transfer inbound I don't know that we can, we have to accept reply packets for the session to establish else you won't get anything. In order to be able to understand the nature of the HTTPS stream once the session is up, we'd have to decrypt it so that we can see what's going on in there, which may already break things due to cert stuff etc. At a basic layer 3/4 level I don't know that anything could accomplish what you're asking for.&lt;/P&gt;
&lt;P&gt;We need to better understand the connections that are established and in what direction to be able to properly determine the course of action here.&lt;/P&gt;</description>
      <pubDate>Thu, 03 Apr 2025 02:10:59 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Force-one-way-inspection/m-p/245537#M40985</guid>
      <dc:creator>emmap</dc:creator>
      <dc:date>2025-04-03T02:10:59Z</dc:date>
    </item>
  </channel>
</rss>

