Nikunj
Contributor

Policy rule creation using MAC address

To create a rule, we need to pass a hostname for the source and destination fields, and for the service field we need to pass a service name (e.g. SSH_VERSION_2). Is there any way to pass a MAC address instead of a hostname, and a port number instead of a service name, in the hostname/service name fields?

Payload to create a rule using the REST API:
{
    "layer" : "test_network_layer",
    "position" : "top",
    "name" : "test_Rule_1",
    "action": "Drop",
    "destination":"new_host_3",
    "service" : [ "SSH_VERSION_2" ]
}

I want:

{
    "layer" : "test_network_layer",
    "position" : "top",
    "name" : "test_Rule_1",
    "action": "Drop",
    "destination":"00:fe:ae:be:44:fe",
    "service" : [ 80, 443 ]
}

Also, is there any way to add a MAC address to a host object?


17 Replies
PhoneBoy
Admin

We do not support MAC-based Access Policy rules.
You might be able to prevent a different MAC address from connecting by establishing a static ARP/IP mapping in the Gaia OS.
Or you might want to leverage Identity Awareness in this situation.

Nikunj
Contributor

Thank you @PhoneBoy. Also, I want to know: is it possible to use the port in the service field instead of the service name while creating the rule?

PhoneBoy
Admin

No, you must use the service name for the relevant port.
You will have to create the service first if it does not exist.

Nikunj
Contributor

How do I get the service name from a port number via the REST API? I tried /show-objects with the filter option, but it returns multiple values.
e.g.
{
    "type" : "object",
    "in" : ["port", "68"]
}

Is there any way to get the exact service name for a port? For example, for port 68 I want the dhcp-rep-localmodule service name.

PhoneBoy
Admin

That does appear to be the case:

[Expert@mgmt:0]# mgmt_cli -r true --format json show objects type "service-udp" filter "68"
{
  "from" : 1,
  "to" : 2,
  "total" : 2,
  "objects" : [ {
    "uid" : "fca646b5-ef34-4df1-895d-7639e181501a",
    "name" : "dhcp-rep-localmodule",
    "type" : "service-udp",
    "domain" : {
      "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
      "name" : "Check Point Data",
      "domain-type" : "data domain"
    },
    "port" : "68",
    "icon" : "Services/UDPService",
    "color" : "black"
  }, {
    "uid" : "22725520-8e10-4a91-98ac-dcd1f6c4a4dd",
    "name" : "dhcp-req-localmodule",
    "type" : "service-udp",
    "domain" : {
      "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
      "name" : "Check Point Data",
      "domain-type" : "data domain"
    },
    "port" : "67",
    "icon" : "Services/UDPService",
    "color" : "black"
  } ]
}

@Omer_Kleinstern is this expected behavior?
I did this in R81.10, but I assume this also happens in earlier versions.

Meanwhile, the result you're looking for is returned as part of the results; you just have to parse the output to find it.

PhoneBoy
Admin

Note that it gets a little more complicated for, say, TCP port 443.
Several (legitimate) results are returned as multiple services are defined with this port:

  • https (just regular TCP 443)
  • ssl_v3
  • tls1.0
  • tls1.1
  • tls1.2

Your code will have to handle this and possibly other situations based on your business logic.
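The two posts above say the same thing: the free-text `filter` of `show objects` returns every object that mentions the string (port 67 alongside port 68), and for TCP/443 several legitimate services share the port, so the caller's own logic has to narrow the list. The following is an added example of that narrowing step, not code from the thread or from Check Point. The UDP sample is built from the `show objects` output quoted above; the TCP/443 sample is constructed from the service names listed in the last post, with placeholder uids. The handling of a `"low-high"` port range is an assumption about other predefined services that goes beyond what the thread shows.

```python
"""Pick the one service object that really matches a port from a Check Point
'show objects' response (example code added to this thread; not Check Point's
own code).  All sample data below is constructed from what the thread quotes.
"""
import json

# Constructed sample: what `show objects type service-udp filter "68"`
# returned in the thread.  Only one of the two objects is on port 68.
SAMPLE_UDP_68 = json.loads("""
{
  "from": 1, "to": 2, "total": 2,
  "objects": [
    {"uid": "fca646b5-ef34-4df1-895d-7639e181501a",
     "name": "dhcp-rep-localmodule", "type": "service-udp", "port": "68"},
    {"uid": "22725520-8e10-4a91-98ac-dcd1f6c4a4dd",
     "name": "dhcp-req-localmodule", "type": "service-udp", "port": "67"}
  ]
}
""")

# Constructed sample for TCP/443: several legitimate services share the port.
# Names are the ones named in the thread; the uids are placeholders.
SAMPLE_TCP_443 = {
    "objects": [
        {"uid": "placeholder-1", "name": "https",  "type": "service-tcp", "port": "443"},
        {"uid": "placeholder-2", "name": "ssl_v3", "type": "service-tcp", "port": "443"},
        {"uid": "placeholder-3", "name": "tls1.0", "type": "service-tcp", "port": "443"},
        {"uid": "placeholder-4", "name": "tls1.1", "type": "service-tcp", "port": "443"},
        {"uid": "placeholder-5", "name": "tls1.2", "type": "service-tcp", "port": "443"},
    ]
}


def port_matches(port_field, port):
    """True if a service object's 'port' string covers `port`.

    Handles the single value the thread shows ("68") and, as an assumption
    about other predefined services, a range written "low-high".
    """
    port_field = str(port_field).strip()
    if "-" in port_field:
        low, high = port_field.split("-", 1)
        return low.isdigit() and high.isdigit() and int(low) <= port <= int(high)
    return port_field.isdigit() and int(port_field) == port


def exact_matches(response, port, service_type=None):
    """Narrow the free-text filter results down to objects whose port field
    really is `port`, optionally restricted to one type (e.g. service-tcp)."""
    return [
        obj for obj in response.get("objects", [])
        if port_matches(obj.get("port", ""), port)
        and (service_type is None or obj.get("type") == service_type)
    ]


class AmbiguousService(Exception):
    """Several service objects sit on the port and no preference resolved it."""


def pick_service(response, port, service_type=None, preferred=()):
    """Return the single service name to put in a rule for `port`.

    When several services share the port (the TCP/443 case), the caller's
    `preferred` name order decides; with no preference the ambiguity is
    raised so the caller's business logic has to deal with it explicitly.
    """
    matches = exact_matches(response, port, service_type)
    if not matches:
        raise LookupError(f"no {service_type or 'service'} object on port {port}")
    if len(matches) == 1:
        return matches[0]["name"]
    names = [m["name"] for m in matches]
    for want in preferred:
        if want in names:
            return want
    raise AmbiguousService(f"port {port} matches several services: {names}")


if __name__ == "__main__":
    print(pick_service(SAMPLE_UDP_68, 68, "service-udp"))               # dhcp-rep-localmodule
    print(pick_service(SAMPLE_TCP_443, 443, "service-tcp", ["https"]))  # https
```

Raising on an unresolved tie is deliberate: silently taking the first of `https`, `ssl_v3`, `tls1.0`, ... would put a different service into the rule depending on the order the API happened to return them.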

Nikunj
Contributor

How do I add an IP address with a subnet mask (10.0.0.0/8) in the source and destination fields of a policy rule?
{
    "layer" : "test_network_layer",
    "position" : "top",
    "name" : "test_Rule_2",
    "action": "allow",
    "source": "all",
    "destination":"10.0.0.0/8",
    "service" : "all"
}

PhoneBoy
Admin

It's the same answer as services: you must use pre-defined objects to create a rule.

Nikunj
Contributor

Yes, I need to first create an object for the rule, but host creation only takes an IP address, not a mask value. How do I create an object with an IP and mask value?

the_rock
Mentor

I could be wrong, but I believe it's the same as when you create it from the dashboard... a host will just need a single /32 IP address, no mask needed.

PhoneBoy
Admin

Host objects are for a single IP.
A network object is used to define a network by IP and netmask.

Nikunj
Contributor

How do I create a network object with the value 0.0.0.0/0? Is there any alternative way? I want to set the object in the rule to 0.0.0.0/0.
I have tried to add the network object via the REST API but get the error below:
{
 "code" : "generic_err_invalid_parameter",
 "message" : "Invalid parameter for [IPv4 mask-length]. The invalid value [0] should be replaced by one of the following values: [1-32]"
}

PhoneBoy
Admin

You do not create an object for this as one already exists.
Actually, there are two:

  • Any (a special object that can be used as a source, destination, and/or service)
  • All_Internet (a predefined "address range" object which is needed in a few cases unrelated to the Access Policy)

Both mean 0.0.0.0/0.
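The last few posts together give the rule for turning CIDR text into what a rule can reference: a single address becomes a host object, a prefix becomes a network object, and 0.0.0.0/0 is never created because `add-network` rejects mask-length 0 and the predefined `Any` object already covers it. The following is an added example of that decision, written here for the thread and not taken from Check Point's code. It builds payloads only and sends nothing; the field names `subnet`, `mask-length` and `ip-address` are Check Point's `add-network`/`add-host` parameters as I know them, and the `Accept` action value and the generated object names are assumptions to check against your release's API reference.

```python
"""Map CIDR text to the object a Check Point access rule should reference.
Example code added to this thread; it builds API payloads and sends nothing.
"""
import ipaddress


def object_for_cidr(cidr):
    """Return (command, payload) describing the object to reference.

    - 0.0.0.0/0  -> no object is created; the rule references the predefined
                    "Any" object (add-network refuses mask-length 0).
    - a /32      -> a host object; hosts carry an IP and no mask.
    - otherwise  -> a network object with subnet and mask-length.
    strict=True makes ipaddress reject "10.0.0.1/8" (host bits set) instead
    of silently turning it into 10.0.0.0/8.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    if net.prefixlen == 0:
        return ("use-existing", {"name": "Any"})
    if net.prefixlen == net.max_prefixlen:
        # Generated object name: an assumption, not a Check Point convention.
        return ("add-host", {"name": f"host_{net.network_address}",
                             "ip-address": str(net.network_address)})
    return ("add-network", {"name": f"net_{net.network_address}_{net.prefixlen}",
                            "subnet": str(net.network_address),
                            "mask-length": net.prefixlen})


def rule_payload(layer, name, source_cidr, destination_cidr, services, action="Accept"):
    """Build the add-access-rule payload for two CIDR strings.

    Returns (prerequisites, rule): the object-creation calls that must be
    made (and published) first, and the rule body that references them by
    name.  `services` must already be service object names (see the earlier
    part of the thread: ports are not accepted in the service field).
    """
    prerequisites = []
    refs = {}
    for field, cidr in (("source", source_cidr), ("destination", destination_cidr)):
        command, payload = object_for_cidr(cidr)
        refs[field] = payload["name"]
        if command != "use-existing":
            prerequisites.append((command, payload))
    rule = {
        "layer": layer,
        "position": "top",
        "name": name,
        "action": action,
        "source": refs["source"],
        "destination": refs["destination"],
        "service": list(services),
    }
    return prerequisites, rule


if __name__ == "__main__":
    pre, rule = rule_payload("test_network_layer", "test_Rule_2",
                             "0.0.0.0/0", "10.0.0.0/8", ["https"])
    print(pre)   # [('add-network', {... 'subnet': '10.0.0.0', 'mask-length': 8})]
    print(rule)  # source 'Any', destination 'net_10.0.0.0_8'
```

Because the object calls come back as data rather than being executed, the same function can be dry-run before a change window and the generated names reviewed against what already exists in the management database.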

the_rock
Mentor

Interesting question, but I'm 99.99% sure that is not possible; I'll let others confirm 100%.

Timothy_Hall
Champion

PhoneBoy is correct; MAC addresses are not supported in policies or objects. At a more fundamental level this is actually impossible due to the way that the INSPECT engine is currently implemented.

By the time a packet reaches an INSPECT instance (Firewall Worker) the Layer 2 Ethernet framing is long gone and unavailable. SecureXL (sim), on the other hand, does have access to MAC addresses and will in certain situations cache them for purposes of acceleration, but that is it.

As mentioned in my Max Capture video series, if you want to capture Layer 2 header fields or filter your capture based upon those Layer 2 fields (MAC addresses, VLAN tags, etc.), you must use either cppcap or tcpdump instead of fw monitor -e, which performs its captures in INSPECT. In theory fw monitor -F captures might someday pick up this MAC filtering capability, since this tool is capturing traffic in the sim driver, which is aware of MAC addresses to some degree, but this filtering option is not currently supported by fw monitor -F.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Alex_Shpilman
Collaborator

Also, the destination device is not necessarily directly connected via Layer 2 to the gateway, so it can't possibly know anything about the destination MAC address.

But if the gateway can learn about the destination device via the Identity Awareness API, or via an Identity Collector receiving syslog/pxGrid/etc. and then pushing the identity to the gateway, the same outcome can be achieved.

_Val_
Admin

No
