This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rmsource_dotcom
Participant
‎2022-02-03 03:43 PM

CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule

We are seeing many firewall drops in the CP Harmony Endpoint logs stating that it is due to the "BlockAllTmpLog" Access Rule. We have one inbound rule that says any any allow, and one outbound rule that says any any allow.

My question is where do I find documentation or understand what the BlockAllTmpLog Access Rule is?

Below is a sample log

cp_severity=Low
loguid={0x61fc5ed3,0x0,0x80164a4,0xc091799}
sequencenum=16777215
version=1
client_version=84.70.0990
dst_dns_name=**************
ep_rule_id=0
event_type=Firewall
host_type=MacBookAir8,2
installed_products=Firewall Anti-Malware VPN Forensics Threat Emulation
local_time=1643967085
machine_guid=
os_name=macOS
os_version=11.6.1
policy_date=1643929240
policy_guid={F71F2C17-E66B-495B-87ED-2B155CC10CE7}
policy_name=Default Firewall settings for the entire organization
policy_type=10
product=Firewall
program_name=CPFWD
rule_name=BlockAllTmpLog
src_dns_name=**************
user_name=bill.samuelson@microsoft.com
user_sid=S-1-5-21-2229093338-1663155082-2634640864-65716

 

~Keith Smith

0 Kudos
4 Replies
the_rock
Legend
Legend
‎2022-02-03 07:01 PM

Hey Keith,

Im not an expert in harmony endpoint (more firewall guy), but one thing caught my eye when reviewing the log you pasted. Just curious, the line that gives the policy name says Default Firewall settings for the entire organization...to me, logically, that would equate to default implicit rule on regular firewall that would say any any block. Is there any way you can confirm rule(s) in that policy?

Again, apologies if it sounds like a dumb question, but just going based on my own logic here : - )

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-03-07 07:49 AM

Does the issue persists for you on the latest release E86.20?

CCSM R77/R80/ELITE
0 Kudos
rmsource_dotcom
Participant
‎2022-03-07 08:10 AM
In response to Chris_Atkinson

That's a good question. We only have a few clients on 86.20 and do not see those clients with drops from BlockAllTmpLog.

For everyone so you know what it is, it is in position 0 and is an implied rule created by Check Point. There is no documentation on it internally/externally from CP as of a couple weeks ago. You cannot change or view the settings of this rule.

0 Kudos
jgarcias
Participant
‎2022-04-01 03:40 AM
In response to rmsource_dotcom

Did you find the solution? I'm also having some macbooks with network problems in E84.70 matching in "BlockAllTmpLog" rule...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events