Rules I created are not working
I have configured the Check Point firewall in Azure. I have used the Check Point Security Manager and the CloudGuard single gateway plan for this environment.
The environment is like this: I have created one virtual network and there are two subnets in the VNet. I have deployed Server Manager in Subnet 1 and the CloudGuard single gateway, where its first NIC is connected to Subnet 1 and the second NIC is connected to Subnet 2. I have deployed two Azure virtual machines in the same network but in different subnets, VM01 in Subnet 1 and VM02 in Subnet 2. Now I want to block the RDP service from VM01 to VM02, as by default they can communicate with each other. However, the rule I created in the Check Point Server Manager does not block RDP from the source to the destination. What could be the possible reason behind this? Why is my rule not hitting the source and destination?
I am expecting that I can block RDP for VM01 and VM02 through the rules I created in Check Point SmartConsole.
Accepted Solutions
Check your Azure VMs. The VMs are deployed automatically with a public IP address attached to their NICs. This IP is directly reachable from the Internet, not via your VNET. The VM also has a local IP on the subnet, but that's a private IP. Are you trying to reach your VM via the Azure public DNS name "vm01-asdfadsf.<region>.cloudapp.azure.com"? If so, then you're reaching the VM's direct-attached public IP, which will not pass through your CloudGuard firewall.
What version?
Did you deploy from one of our templates or manually?
What shows in the logs when VM01 attempts to access VM02?
Have you confirmed the traffic is actually traversing the gateway (via tcpdump or similar)?
I am using version R80.10.
I have deployed the Security Manager and gateway from the Azure portal.
I am not sure how to confirm whether the traffic is traversing the gateway or not. Can you please let me know how I can check that and how to fix it?
Please check the version again as R80.10 is End of Support.
Easiest way I know to check: with tcpdump on the gateway itself.
If the gateway isn't seeing the traffic, it can't enforce any sort of policy on it.
I am sorry, the version is R81.10.
I would suggest you involve TAC to resolve this issue!
Very easy... anyway, R80.10 is totally unsupported, but regardless of version, the command is the same. Say the interface is eth2 and the IP is 10.10.10.10;
you can run the below:
tcpdump -enni any host 10.10.10.10
or/and
fw monitor -e "accept host(10.10.10.10);"
Andy
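As an added example, not code from the thread or from Check Point: a small POSIX shell helper that applies the tcpdump check above on the gateway and counts the RDP (TCP/3389) packets between the two VMs' private IPs, then distinguishes "gateway never sees the session" (the public-IP bypass described in the accepted answer) from a return path that avoids the gateway. The VM addresses 10.0.1.4 and 10.0.2.4 and the sample capture lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes tcpdump is available on the
# gateway (Gaia expert mode). VM01/VM02 private IPs are constructed.
VM01=10.0.1.4
VM02=10.0.2.4

# Escape the dots of an IP so it can be used inside a grep regex.
re_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Count client -> server:3389 packets in "tcpdump -enni any" text output
# read from stdin. "|| true" stops grep's exit 1 on zero matches from
# aborting a "set -e" script.
count_rdp_packets() {
    grep -c " $(re_ip "$1")\.[0-9][0-9]* > $(re_ip "$2")\.3389:" || true
}

# Count server:3389 -> client replies (the SYN-ACK and data coming back).
count_rdp_replies() {
    grep -c " $(re_ip "$2")\.3389 > $(re_ip "$1")\.[0-9][0-9]*:" || true
}

# No packets: the gateway never sees the session (e.g. RDP went to the
# VM's public IP). Forward only: the return path bypasses the gateway.
verdict() {
    if [ "$1" -eq 0 ]; then echo not-seen
    elif [ "$2" -eq 0 ]; then echo asymmetric
    else echo seen; fi
}

# Live check on the gateway: capture up to 20 RDP packets between the VMs
# while you start an RDP session from VM01 to VM02's private IP.
capture_rdp() {
    tcpdump -enni any -c 20 "host $VM01 and host $VM02 and tcp port 3389" 2>/dev/null
}

# Constructed sample capture: SYN seen inbound, forwarded out, SYN-ACK back.
SAMPLE='12:00:01.000001  In 00:0d:3a:11:22:33 ethertype IPv4 (0x0800), length 66: 10.0.1.4.52144 > 10.0.2.4.3389: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 Out 00:0d:3a:44:55:66 ethertype IPv4 (0x0800), length 66: 10.0.1.4.52144 > 10.0.2.4.3389: Flags [S], seq 1, win 64240, length 0
12:00:01.001000  In 00:0d:3a:44:55:66 ethertype IPv4 (0x0800), length 66: 10.0.2.4.3389 > 10.0.1.4.52144: Flags [S.], seq 2, ack 2, win 65535, length 0'

if [ "${1-}" = live ]; then out=$(capture_rdp); else out=$SAMPLE; fi
fwd=$(printf '%s\n' "$out" | count_rdp_packets "$VM01" "$VM02")
rev=$(printf '%s\n' "$out" | count_rdp_replies "$VM01" "$VM02")
echo "forward=$fwd replies=$rev verdict=$(verdict "$fwd" "$rev")"
```

Run it with the argument `live` on the gateway during an RDP attempt; a "not-seen" verdict means no rule on that gateway can ever match the session, whatever the rulebase says.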
Can you send a screenshot of the rule that's not working (please blur out any sensitive info)?
Also, as @PhoneBoy mentioned, it's important to verify that traffic is indeed traversing the firewall; otherwise, if not, it's totally logical why the rule would never get hit.
Makes sense?
Andy
The rule works 100%, you can clearly see that from your screenshot. There are even logs showing that at the bottom.
Andy
Yeah, it's generating logs, but the main purpose of creating the rule is to block RDP to the virtual machines, and I am still able to RDP to VM01 and VM02. It's not blocking.
RDP from where exactly? Remember what both @PhoneBoy and I mentioned in previous responses: run captures to make sure that traffic even hits the firewall, because if not, it will never work.
Andy
Good point, I totally missed that the config was in Azure.
Andy