Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nidhi01
Participant
Jump to solution

Rules I created is not working

I have configured the checkpoint firewall in Azure. I have used Checkpoint Security Manager and Cloud Guard single gateway plan for this environment.

The environment is like this - I have created one Virtual network and there are two subnets in the Vnet. I have deployed Server Manager in the Subnet 1 and Cloud guard single gateway where its first NIC is connected to Subnet 1 and the second NIC is connected to Subnet 2. I have deployed two Azure Virtual machines in the same network only but in different Subnets like VM01 in Subnet 1 and VM02 in Subnet 2. Now I wanted to block RDP service from VM01 to Vm02 as by default they can communicate with each other. However, the rule I created in the Checkpoint Server Manager does not block the RDP from the source to the destination. what could be the possible reason behind this? why is my rule not hitting the source and destination?

I am expecting that I can block RDP for VM01 and VM02 through the rules I created in checkpoint smart Console.

0 Kudos
1 Solution

Accepted Solutions
Duane_Toler
Advisor

Check your Azure VMs.  The VMs are deployed automatically with a public IP address attached to their NICs.  This IP is directly reachable to the Internet, not via your VNET.  The VM also has a local IP on the subnet, but that's a private IP.  Are you trying to reach your VM via the Azure public DNS name of "vm01-asdfadsf.<region>.cloudapp.azure.com" ?  If so, then you're reaching the VM's direct-attached public IP; which will not pass through your CloudGuard firewall.

 

 

View solution in original post

13 Replies
PhoneBoy
Admin
Admin

What version?
Did you deploy from one of our templates or manually?
What shows in the logs when VM01 attempts to access VM02?
Have you confirmed the traffic is actually traversing the gateway (via tcpdump or similar)?

0 Kudos
Nidhi01
Participant

I am using R80.10 version,

I have deployed the security manager and gateway from the Azure portal.

I am not sure how to confirm that the traffic is traversing through the gateway or not. Can you please let me know how can I check that and how to fix it?

0 Kudos
PhoneBoy
Admin
Admin

Please check the version again as R80.10 is End of Support.
Easiest way I know to check: with tcpdump on the gateway itself.
If the gateway isn't seeing the traffic, it can't enforce any sort of policy on it.

0 Kudos
Nidhi01
Participant

I am sorry, the version is R81.10 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I would suggest you involve TAC to resolve this issue !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend

Very easy...anyway, R80.10 is totally unsupported, but regardless of version, command is the same. Say interface is eth2 and IP is 10.10.10.10

you can run below:

tcpdump -enni any host 10.10.10.10

or/and

fw monitor -e "accept host(10.10.10.10);"

Andy

0 Kudos
the_rock
Legend
Legend

Can you send screenshot of the rule thats not working (please blur out any sensitive info)?

Also, as @PhoneBoy mentioned, its important to verify that traffic is indeed traversing the firewall, otherwise, if not, its totally logical why rule would never get hit.

Makes sense?

Andy

0 Kudos
Nidhi01
Participant

Thanks Andy,

I have attached a screenshot of the rules I created. 

 

0 Kudos
the_rock
Legend
Legend

The rule works 100%, you can clearly see that from your screenshot. There are even logs showing that at the bottom.

Andy

0 Kudos
Nidhi01
Participant

Yeah it's generating logs but the main purpose to create a rule is to block the RDP of the virtual machines but I am able to take RDP of the VM01 and VM02. its not blocking.

0 Kudos
the_rock
Legend
Legend

RDP from where exactly? Remember what both @PhoneBoy and myself mentioned in previous responses, run captures to make sure that traffic even hits the firewall, because if not, it will never work.

Andy

0 Kudos
Duane_Toler
Advisor

Check your Azure VMs.  The VMs are deployed automatically with a public IP address attached to their NICs.  This IP is directly reachable to the Internet, not via your VNET.  The VM also has a local IP on the subnet, but that's a private IP.  Are you trying to reach your VM via the Azure public DNS name of "vm01-asdfadsf.<region>.cloudapp.azure.com" ?  If so, then you're reaching the VM's direct-attached public IP; which will not pass through your CloudGuard firewall.

 

 

the_rock
Legend
Legend

Good point, I totally missed the config was in Azure.

 

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.