topic Re: How to allow access to a web traffic ressource? in Spark Firewall (SMB)

How to allow access to a web traffic ressource?

FXB — Wed, 21 Dec 2022 09:22:31 GMT

Dear community,

we are currently facing the challenge, that one of our employees is having a software installed which need to connect via MySQL (TCP 3306) to an external internet ressource.

Unfortunately that internet ressource has an ever-changing external IP so allowing the traffic with a static src/dest/port rule is not an option.

Looking at the log we see that our checkpoint gateway recognized the web traffic ressouce (test.domain.com in this example) to which the software is trying to connect via MySQL (see attachment).

Is there a way to allow the access based on this web ressource?

The gateway is running R80.20.40, domain objects did not work (probably since its not a http(s) traffic but SQL).

Any hint is appreciated!

Regards,

Franz

Re: How to allow access to a web traffic ressource?

G_W_Albrecht — Wed, 21 Dec 2022 09:31:45 GMT

This is Embedded GAiA - why not allow all connections from employees local IP / Access Role using TCP 3306 to Internet ?

Re: How to allow access to a web traffic ressource?

FXB — Wed, 21 Dec 2022 09:42:18 GMT

Hi,

thanks for your response.

Allowing all tcp_3306 traffic from the client to the internet would be the fall-back solution. We would like to have an as-tight-as- possible ruleset in regards to internet connections, so if there would be a way to use the web ressouce for the allow-rule that would be the prefered way.

Our mindset was that if checkpoint is detecting this ressouce, surely there could be some way to use this information for the ruleset?

You are correct in assuming its embedded-gaia, if this is the wrong section of the forum, please move the topic to the correct one if possible 🙂

Re: How to allow access to a web traffic ressource?

PhoneBoy — Wed, 21 Dec 2022 13:20:40 GMT

I’ve moved it.

You mentioned you’re using an SMB device but the log card suggests it’s being managed by a Smart-1..correct?
The correct way to do this is with a Domain Object with the FQDN checkbox tagged in the relevant access policy rule, which will use DNS to determine what the IP will be.
Even if the device is locally managed, you can create a similar domain object for the policy.

Re: How to allow access to a web traffic ressource?

the_rock — Thu, 22 Dec 2022 03:59:28 GMT

I agree with advice @PhoneBoy gave you. Domain object is way to go here.

Re: How to allow access to a web traffic ressource?

FXB — Thu, 22 Dec 2022 07:30:19 GMT

Thanks for your replies.

Yes, the device is beeing managed by a central security management server (even tho its not a smart-1 but openserver based, makes no difference here). We actually tried making it work with domain objects like "domain.com" with FQDN set, had no success with it however. Since the external IP address in the destination field of the log is beeing resolved to sth different than what is displayed in the web traffic ressouce field , I assume we need to create a domain object which relates to the destination IP, rather than the ressouce shown.

We gonna try it out and give feedback here.