https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121089#M1747 <P>Thinking about it logically, an exception is generally to give you the option to reduce the level of enforcement for a specific protection, not increase it.<BR />Therefore, to me at least, it would make sense that if there was a conflict for an exception, the least restrictive one would apply.&nbsp;<BR />Not sure that's the official reason, but that's my take.</P> Mon, 14 Jun 2021 04:10:08 GMT PhoneBoy 2021-06-14T04:10:08Z https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121082#M1746 <P><FONT size="4"><STRONG>Hi there guys,</STRONG></FONT></P><P>I'm currently looking over some material for the CCSA (have been particularly aided by ExamTopics - excellent for practice exam questions and <EM>actually</EM> free, thank God) and have come across a questions regarding conflict resolution within Security Policies.&nbsp;</P><P>&nbsp;</P><P><FONT size="5"><STRONG>Question</STRONG></FONT></P><P><SPAN>"What are the three conflict resolution rules in the Threat Prevention Policy Layers?"</SPAN></P><P><FONT size="5"><STRONG>Answer</STRONG></FONT></P><P>"Conflict on action, conflict on exception, and conflict on settings"</P><P>&nbsp;</P><P><FONT size="5"><STRONG>Description&nbsp;</STRONG></FONT></P><P>After doing a bit of reading up on these conflict resolution rules, I was particularly perplexed by the description for the Conflict on Exception which reads (<SPAN>CCSA R80.10 guide page 407 - I know this is a bit outdated as we're at R81.10 now... maybe this has changed?):</SPAN></P><P><SPAN>"Conflict on exception: The exceptions for a specified scope is different between layers. The action taken will be the most liberal, or least restrictive."</SPAN></P><P>&nbsp;</P><P><FONT size="5"><STRONG>Any Ideas?</STRONG></FONT></P><P><SPAN>Can anyone explain why, if the conflict on action opts for the <EM>most</EM> restrictive option when a conflict occurs, the conflict on exception vouches for the <EM>least</EM> restrictive option? This seems to me like it might dangerously expose the system? Any insight is greatly appreciated.&nbsp;</SPAN></P><P>&nbsp;</P><P><FONT size="5"><FONT size="4">Thanks Check Mates,</FONT>&nbsp;<STRONG><span class="lia-unicode-emoji" title=":clinking_beer_mugs:">🍻</span></STRONG></FONT></P><P><FONT size="4">Vivus</FONT></P> Mon, 14 Jun 2021 00:49:07 GMT https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121082#M1746 Vivus 2021-06-14T00:49:07Z https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121089#M1747 <P>Thinking about it logically, an exception is generally to give you the option to reduce the level of enforcement for a specific protection, not increase it.<BR />Therefore, to me at least, it would make sense that if there was a conflict for an exception, the least restrictive one would apply.&nbsp;<BR />Not sure that's the official reason, but that's my take.</P> Mon, 14 Jun 2021 04:10:08 GMT https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121089#M1747 PhoneBoy 2021-06-14T04:10:08Z https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121415#M1751 <P>Hi PhoneBoy, thanks for the response. I had considered that, but then thought that if there was a lack of exception in one rule base it would imply that there may be reason to keep 'exceptional individuals' out, which compromises security if the two rule bases are merged and the least restrictive option is held.</P><P>I don't really know, maybe I'm overthinking it, haha.</P> Thu, 17 Jun 2021 03:52:53 GMT https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121415#M1751 Vivus 2021-06-17T03:52:53Z https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121458#M1752 <P>As a FYI, the source material is not up to date as that&nbsp;question is no longer on the exam.&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Regards,</P> <P>Tug&nbsp;</P> Thu, 17 Jun 2021 12:18:40 GMT https://community.checkpoint.com/t5/Training-and-Certification/Conflict-on-Exception-Why-is-the-most-liberal-action-taken/m-p/121458#M1752 Jason_Tugwell 2021-06-17T12:18:40Z