- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
I have an r80.40 cluster where a risk has been detected i.e. "Outgoing packets from Gateway towards any destination is enabled"
I did a little digging in and it seems this alert is being created as option "Accept outgoing packets originating from Gateway" in Global properties is enabled.
My query is : is it recommended to disable this option ? i read a few R80.40 documents and it seems i can use an updatable object for Checkpoint update services by creating a rule in ACL. is this a recommended approach ? any chance i break something if i disable this option from global properties.
Thanks
It is the easy option NOT to disable this - all CP services can be contacted by the GW. To see this as a risk points to severe restraints, but yes, you can disable the default and use sk131852 for the settings from sk106251.
It is the easy option NOT to disable this - all CP services can be contacted by the GW. To see this as a risk points to severe restraints, but yes, you can disable the default and use sk131852 for the settings from sk106251.
Thanks for the reply..i went through these SKs and i m comfortable with enabling Checkpoint updatable object for GWs.. my only worry is what other traffic this will impact..i mean i don't want to enable access to checkpoint cloud but in the process break anything else like stop control connection traffic which could break the cluster or connection with mgmt server
This is a valid concern. Implied rule allowing GW to send any outgoing traffic it needs to send out. This option is enabled by default, and is it fact recommended by Check Point. This rule covers all outgoingGW connectivity, not only for Check Point services, but for other needs: DNS, certificate validation in case of HTTPSi, and more.
For the management connections specifically, there is another implied rule "Allow control connections", this is also enabled by default and recommended.
i guess i will go back and leave it as it is as it is a recommendation..any document i can present to support this statement ?
thanks
sk43401 discourages disabling implied rules.
I totally agree with @G_W_Albrecht . Also, if you actually read what it says in the help section, it pretty much boils down to the same thing he said.
Accepts all packets from connections that originate at the Check Point Security Gateway.
Allow Security Gateways to access Check Point online services.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 70 | |
| 23 | |
| 7 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Tue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY