HTTP and HTTPS requests to external interfaces cre...

dehaasm · ‎2025-05-13

When trying to access the firewall gateway object public IP address with https this is allowed and we see the gateway certificate, this should be blocked by the firewall. This behavior is also explained here;

https://support.checkpoint.com/results/sk/sk105740

We use R81.20 take 84

captive portal and identity awareness are both configured on internal interfaces.

The setting platform portal accessibility is configured as "according to the firewall policy", and currently allowed in implicit rules. The configuration option is greyed out so we cannot change it to internal interfaces only. How can we change this?

gateway properties platform portal

we dont use remote access VPN

same issue with take 90

PhoneBoy · ‎2025-05-13

While I'm not certain, it may be that Identity Awareness requires that particular setting, thus it cannot be changed.
In any case, for rules to work as expected, you will need to set the kernel variable as described in sk107540.

Lesley · ‎2025-05-13

I think you mean this SK correct? https://support.checkpoint.com/results/sk/sk165937

And indeed do you use Identity Awareness? For example Identity collectors connect on port 443 on the firewall for ID sharing.

-------
Please press "Accept as Solution" if my post solved it 🙂

dehaasm · ‎2025-05-19

yes we use identity awareness and we also have captive portal, so we would like to block it from internet not from everywhere. I understand when setting custom port for management we cant change this behavior. But I believe we need the custom port for management to not interfere with identity awareness. How could we fix this with custom management port AND only allow 80/443 from internal?

dehaasm · ‎2025-05-21

Yes I guess this is the only solution gonna test

In case the kernel parameter fw_ignore_before_drop_rules is set to 1 , Security Gateway matching code does not consider the before drop implied rule.

In case this kernel parameter is set to 1, you must allow the connection in the rulebase (for the multiportal or tcp tunneling)

the_rock · ‎2025-05-13

You can change it by removing the custom port if you use one for web UI.

Andy

Best,
Andy

the_rock · ‎2025-05-13

@dehaasm Proof attached.

Andy

Best,
Andy

dehaasm · ‎2025-05-19

are you saying that we could change to setting to internal only and then apply the custom port again would that work or is there a different technical reason why it is greyed out when having a custom port configured for management?

the_rock · ‎2025-05-21

It would not work if you change to custom port, it would be greyed out, its been like that for a long time.

Andy

Best,
Andy

Are you a member of CheckMates?

HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in Logs & Monitor