This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nidhi01
Participant
‎2023-09-18 03:25 AM
Jump to solution

Rules I created is not working

I have configured the checkpoint firewall in Azure. I have used Checkpoint Security Manager and Cloud Guard single gateway plan for this environment.

The environment is like this - I have created one Virtual network and there are two subnets in the Vnet. I have deployed Server Manager in the Subnet 1 and Cloud guard single gateway where its first NIC is connected to Subnet 1 and the second NIC is connected to Subnet 2. I have deployed two Azure Virtual machines in the same network only but in different Subnets like VM01 in Subnet 1 and VM02 in Subnet 2. Now I wanted to block RDP service from VM01 to Vm02 as by default they can communicate with each other. However, the rule I created in the Checkpoint Server Manager does not block the RDP from the source to the destination. what could be the possible reason behind this? why is my rule not hitting the source and destination?

I am expecting that I can block RDP for VM01 and VM02 through the rules I created in checkpoint smart Console.

0 Kudos
1 Solution

Accepted Solutions
Duane_Toler
MVP Silver
MVP Silver
‎2023-09-22 09:27 AM
In response to Nidhi01
Jump to solution

Check your Azure VMs.  The VMs are deployed automatically with a public IP address attached to their NICs.  This IP is directly reachable to the Internet, not via your VNET.  The VM also has a local IP on the subnet, but that's a private IP.  Are you trying to reach your VM via the Azure public DNS name of "vm01-asdfadsf.<region>.cloudapp.azure.com" ?  If so, then you're reaching the VM's direct-attached public IP; which will not pass through your CloudGuard firewall.

 

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

View solution in original post

13 Replies
PhoneBoy
Admin
Admin
‎2023-09-18 08:15 AM
Jump to solution

What version?
Did you deploy from one of our templates or manually?
What shows in the logs when VM01 attempts to access VM02?
Have you confirmed the traffic is actually traversing the gateway (via tcpdump or similar)?

0 Kudos
Nidhi01
Participant
‎2023-09-18 08:21 AM
In response to PhoneBoy
Jump to solution

I am using R80.10 version,

I have deployed the security manager and gateway from the Azure portal.

I am not sure how to confirm that the traffic is traversing through the gateway or not. Can you please let me know how can I check that and how to fix it?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-18 11:03 AM
In response to Nidhi01
Jump to solution

Please check the version again as R80.10 is End of Support.
Easiest way I know to check: with tcpdump on the gateway itself.
If the gateway isn't seeing the traffic, it can't enforce any sort of policy on it.

0 Kudos
Nidhi01
Participant
‎2023-09-18 09:07 PM
In response to PhoneBoy
Jump to solution

I am sorry, the version is R81.10 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-09-19 04:36 AM
In response to Nidhi01
Jump to solution

I would suggest you involve TAC to resolve this issue !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-09-18 11:33 AM
In response to Nidhi01
Jump to solution

Very easy...anyway, R80.10 is totally unsupported, but regardless of version, command is the same. Say interface is eth2 and IP is 10.10.10.10

you can run below:

tcpdump -enni any host 10.10.10.10

or/and

fw monitor -e "accept host(10.10.10.10);"

Andy

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-09-18 08:37 AM
Jump to solution

Can you send screenshot of the rule thats not working (please blur out any sensitive info)?

Also, as @PhoneBoy mentioned, its important to verify that traffic is indeed traversing the firewall, otherwise, if not, its totally logical why rule would never get hit.

Makes sense?

Andy

Best,
Andy
0 Kudos
Nidhi01
Participant
‎2023-09-18 09:06 PM
In response to the_rock
Jump to solution

Thanks Andy,

I have attached a screenshot of the rules I created. 

 

Preview file
185 KB
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-09-19 03:19 AM
In response to Nidhi01
Jump to solution

The rule works 100%, you can clearly see that from your screenshot. There are even logs showing that at the bottom.

Andy

Best,
Andy
0 Kudos
Nidhi01
Participant
‎2023-09-19 03:22 AM
In response to the_rock
Jump to solution

Yeah it's generating logs but the main purpose to create a rule is to block the RDP of the virtual machines but I am able to take RDP of the VM01 and VM02. its not blocking.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-09-19 05:37 AM
In response to Nidhi01
Jump to solution

RDP from where exactly? Remember what both @PhoneBoy and myself mentioned in previous responses, run captures to make sure that traffic even hits the firewall, because if not, it will never work.

Andy

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2023-09-22 09:27 AM
In response to Nidhi01
Jump to solution

Check your Azure VMs.  The VMs are deployed automatically with a public IP address attached to their NICs.  This IP is directly reachable to the Internet, not via your VNET.  The VM also has a local IP on the subnet, but that's a private IP.  Are you trying to reach your VM via the Azure public DNS name of "vm01-asdfadsf.<region>.cloudapp.azure.com" ?  If so, then you're reaching the VM's direct-attached public IP; which will not pass through your CloudGuard firewall.

 

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Diamond
MVP Diamond
‎2023-09-22 12:10 PM
In response to Duane_Toler
Jump to solution

Good point, I totally missed the config was in Azure.

 

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events