https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180047#M8869 <P>Using "Strict" is not really recommended out of my experience - i would suggest "Standard" with TP is secure enough <span class="lia-unicode-emoji" title=":winking_face:">😉</span> You have to allow every detail in many seperate rules in strict mode, and that needs much knowledge...</P> Fri, 05 May 2023 09:58:24 GMT G_W_Albrecht 2023-05-05T09:58:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180003#M8862 <P>I'm stuck why this doesn't work, but basically I'm trying to allow devices connected to the LAN network of my SMB device access to the internet over certain ports.</P> <P>Background: Locally managed 1430 appliance running R77.20.87</P> <P>Access Policy (Firewall) is set to strict.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1430a.jpg" style="width: 497px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20783iA1214695BFD200C4/image-dimensions/497x153?v=v2" width="497" height="153" role="button" title="1430a.jpg" alt="1430a.jpg" /></span></P> <P>I've created a manual rule in the policy to allow internet access (top rule under Outgoing access to the Internet):</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1430b.jpg" style="width: 781px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20784i87741C17504F3985/image-dimensions/781x316?v=v2" width="781" height="316" role="button" title="1430b.jpg" alt="1430b.jpg" /></span></P> <P>The service group "CFU_Internet" contains http, https, and ICMP.&nbsp;</P> <P>What I'm seeing is traffic from the LAN network (172.x.x.x) to the internet is getting dropped on the last rule in the policy (rule 5 under Incoming, Internal, and VPN traffic):</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-05-04_13-55-421430c.jpg" style="width: 591px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20785i845829E26BB39E4B/image-dimensions/591x378?v=v2" width="591" height="378" role="button" title="2023-05-04_13-55-421430c.jpg" alt="2023-05-04_13-55-421430c.jpg" /></span></P> <P>What am I missing? Why isn't this traffic allowed by the first manual rule I created?</P> <P>Dave</P> Thu, 04 May 2023 19:19:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180003#M8862 David_C1 2023-05-04T19:19:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180019#M8863 <P>Is your internet connection connected to a "WAN" port and what build of R77.20.87 firmware is used?</P> Thu, 04 May 2023 23:50:26 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180019#M8863 Chris_Atkinson 2023-05-04T23:50:26Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180022#M8864 <P>Does 1st rule even have any hits? I noticed in the dropped log, shows inzone Internal and outzone as DMZ.</P> Fri, 05 May 2023 00:21:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180022#M8864 the_rock 2023-05-05T00:21:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180047#M8869 <P>Using "Strict" is not really recommended out of my experience - i would suggest "Standard" with TP is secure enough <span class="lia-unicode-emoji" title=":winking_face:">😉</span> You have to allow every detail in many seperate rules in strict mode, and that needs much knowledge...</P> Fri, 05 May 2023 09:58:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180047#M8869 G_W_Albrecht 2023-05-05T09:58:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180052#M8871 <P>Inspiration struck in the middle of the night. The reason this is not working is that I do not have an internet connection defined/configured. Traffic from the LAN networks bound for the internet goes out the DMZ interface which is connected to an MPLS network, which eventually comes back to our datacenter and out our internet egress point there. I had to get a bit creative with the routing (solution found in another CheckMates post) but everything is working now as I need it.</P> <P>Thanks for everyone's suggestions,</P> <P>Dave</P> Fri, 05 May 2023 13:03:14 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180052#M8871 David_C1 2023-05-05T13:03:14Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180054#M8872 <P>Excellent work&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/10229">@David_C1</a>&nbsp;<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Fri, 05 May 2023 12:27:01 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Access-Policy-Control-and-internet-access/m-p/180054#M8872 the_rock 2023-05-05T12:27:01Z