rmsource_dotcom
Participant

CPHE - Firewall Blade Blocking Traffic - BlockAllTmpLog Rule

We are seeing many firewall drops in the CP Harmony Endpoint logs stating that it is due to the "BlockAllTmpLog" Access Rule. We have one inbound rule that says any any allow, and one outbound rule that says any any allow.

My question is where do I find documentation or understand what the BlockAllTmpLog Access Rule is?

Below is a sample log:

cp_severity=Low
loguid={0x61fc5ed3,0x0,0x80164a4,0xc091799}
sequencenum=16777215
version=1
client_version=84.70.0990
dst_dns_name=**************
ep_rule_id=0
event_type=Firewall
host_type=MacBookAir8,2
installed_products=Firewall Anti-Malware VPN Forensics Threat Emulation
local_time=1643967085
machine_guid=
os_name=macOS
os_version=11.6.1
policy_date=1643929240
policy_guid={F71F2C17-E66B-495B-87ED-2B155CC10CE7}
policy_name=Default Firewall settings for the entire organization
policy_type=10
product=Firewall
program_name=CPFWD
rule_name=BlockAllTmpLog
src_dns_name=**************
user_name=bill.samuelson@microsoft.com
user_sid=S-1-5-21-2229093338-1663155082-2634640864-65716


~Keith Smith

0 Kudos
4 Replies
the_rock
Champion

Hey Keith,

I'm not an expert in Harmony Endpoint (more of a firewall guy), but one thing caught my eye when reviewing the log you pasted. Just curious, the line that gives the policy name says "Default Firewall settings for the entire organization"... to me, logically, that would equate to the default implicit rule on a regular firewall that would say any any block. Is there any way you can confirm the rule(s) in that policy?

Again, apologies if it sounds like a dumb question, but just going based on my own logic here : - )

Andy

0 Kudos
Chris_Atkinson
Employee

Does the issue persist for you on the latest release E86.20?

0 Kudos
rmsource_dotcom
Participant

That's a good question. We only have a few clients on 86.20 and do not see those clients with drops from BlockAllTmpLog.

For everyone, so you know what it is: it is in position 0 and is an implied rule created by Check Point. There is no documentation on it internally/externally from CP as of a couple of weeks ago. You cannot change or view the settings of this rule.

0 Kudos
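Since the log in the original post is flat key=value text and the reply above notes the rule sits at position 0, a quick way to check whether the drops are confined to certain client versions is to parse the records and count BlockAllTmpLog hits with ep_rule_id=0 per client_version. The script below is an added example, not Check Point's code or anything from this thread; the three log records and the version string 86.20.0211 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: three Harmony Endpoint firewall records in the key=value
# layout of the original post, one record per blank-line-separated block.
# Values (client versions, host types) are made up for the example.
SAMPLE_LOG = """\
event_type=Firewall
product=Firewall
client_version=84.70.0990
ep_rule_id=0
rule_name=BlockAllTmpLog
host_type=MacBookAir8,2
os_name=macOS

event_type=Firewall
product=Firewall
client_version=86.20.0211
ep_rule_id=3
rule_name=Outbound any any allow
host_type=MacBookPro16,1
os_name=macOS

event_type=Firewall
product=Firewall
client_version=84.70.0990
ep_rule_id=0
rule_name=BlockAllTmpLog
host_type=MacBookPro16,1
os_name=macOS
"""

def parse_records(text):
    """Split blank-line-separated blocks into dicts; only the first '=' splits,
    so values such as loguid={0x..,0x..} or rule names with spaces stay intact."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if "=" in line:
                key, _, value = line.partition("=")
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def implied_rule_drops(records):
    """Count records matched by the position-0 BlockAllTmpLog rule per client_version,
    so a version-specific pattern (as asked about in the thread) is visible at a glance."""
    hits = [r for r in records
            if r.get("rule_name") == "BlockAllTmpLog" and r.get("ep_rule_id") == "0"]
    return Counter(r.get("client_version", "unknown") for r in hits)

if __name__ == "__main__":
    for version, count in implied_rule_drops(parse_records(SAMPLE_LOG)).items():
        print(f"client_version={version}: {count} BlockAllTmpLog drop(s)")
```

Point it at an export of the real Harmony Endpoint logs instead of SAMPLE_LOG to compare the 84.70 and 86.20 client populations.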
jgarcias
Participant

Did you find the solution? I'm also having some MacBooks with network problems in E84.70 matching the "BlockAllTmpLog" rule...

0 Kudos