This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vengatesh_SR
Contributor
‎2018-12-27 03:58 AM

About Global properties

Can you please help us the working of Accept Domain name over UDP (queries) and Accept Domain Name over TCP (Zone transfer) in the global properties.

If we enable what it exactly does.

Regards,

Vengatesh SR

8 Replies
Alisson_Lima
Contributor
‎2018-12-27 04:45 AM

Hi Vengatesh SR‌,

This option will enabled DNS queries on UDP/53 and DNS zone transfer over TCP/53 using a implicit rule. In other words, it not necessary create a rule on rulebase to accept dns traffic if this option is enabled.

Alisson Lima

Vengatesh_SR
Contributor
‎2018-12-27 04:49 AM

yes we can see the implicit rule created if we enable the Accept Domain name over UDP (queries) and Accept Domain Name over TCP (Zone transfer). We have already enabled it in our production device. We need to know if we can disable it now we will get any impact or not.

And also wanted to know what it exactly does if we kept enabled.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-27 03:02 PM
In response to Vengatesh_SR

If you disable these global properties, then DNS lookups and zone transfers through the firewall will be blocked unless it is permitted by a different rule.

If you don't know if these things are happening through the he Security Gateway, then I recommend logging Implied Rules for a time before deciding to disable these properties.

pankajagr83
Explorer
‎2021-04-28 06:26 AM
In response to PhoneBoy

What is best practice , shold we enable accept ICMP request in implied rules?

if firewall interface is gateway for vlan and server in that vlan required to ping gateway interface what other solution? should we allow before stealth rule?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-02 07:11 PM
In response to pankajagr83

Don't believe enabling via implied rules is strictly necessary.
ICMP would need to be allowed prior to your stealth rule, yes.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-05-03 06:10 AM
In response to PhoneBoy

Dameon brings up a good point here, and this is a topic I cover in the CCSA classes that I teach.   The stealth rule should always be one of the first rules in your Network/Firewall policy layer, but what kind of rules need to appear prior to the stealth rule?  The main ones are:

  1. Administrative Access Rules - Allowing SSH/HTTPS/4434 from trusted internal hosts/networks to the firewall itself for purposes of management via the Gaia Web interface and clish/expert mode.
  2. Ping/Traceroute - If you want the firewall to answer pings sent directly to one of its interfaces and/or show up as a visible hop in a traceroute, you'll need a rule allowing it.  Generally I don't have a problem with the firewall responding to pings/traceroutes sent from an internal reasonably-trusted network, but definitely not for the Internet.  Note that including the traceroute service in a rule used to halt SecureXL Accept Templating from that point (i.e. "acceleration disabled from rule #X"), but this limitation was lifted in gateway code version R80.10.
  3. SNMP/NMS Polling - If you have a Network Management Station (NMS) initiating SNMP polls to the firewall, you'll need an explicit rule allowing it.  Notice that it is possible to only allow the NMS to perform SNMP reads by utilizing the special service snmp-read, which would be considered best practices unless the NMS is performing SNMP set operations which is not too likely.  Netflow and external authentication connections such as RADIUS/TACACS initiated by the firewall itself will be allowed by default (implied rule "Accept outgoing packets from gateway") unless you explicitly block it.
  4. DHCP Server/Relay - If the firewall is performing DHCP Relay or acting as a DHCP server, the rules permitting this traffic must appear prior to the stealth rule.

There are a few other corner-case rules that have to appear prior to the Stealth Rule (VRRP multicast advertisements, legacy Client Authentication, SecureRemote Topology Downloads, etc.) but these are the big ones.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Fincher
Participant
‎2021-11-29 01:37 AM
In response to PhoneBoy

Hi! Could you help me please, i need to watch Global Properties in cli, how can i get this?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-05-02 07:22 PM

@Alisson_Lima is 100% correct. In simple words, anything you enable in that section would allow connection on implied rule, so you dont have to create specific policy based rules for it.

 

From R80 smart console guide, you can also click on help section and read it there as well. Hope that helps.

 

  • First - Applied first, before all other rules in the Rule Base - explicit or implied
  • Last - Applied last, after all other rules in the Rule Base - explicit or implied, but before the Implicit Cleanup Rule
  • Before Last - Applied before the last explicit rule in the Rule Base
Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events