Vengatesh_SR
Contributor

About Global properties

Can you please help us understand the working of Accept Domain Name over UDP (queries) and Accept Domain Name over TCP (Zone transfer) in the global properties?

If we enable them, what exactly do they do?

Regards,

Vengatesh SR

8 Replies
Alisson_Lima
Contributor

Hi Vengatesh SR‌,

This option will enable DNS queries on UDP/53 and DNS zone transfers over TCP/53 using an implicit rule. In other words, it is not necessary to create a rule in the rulebase to accept DNS traffic if this option is enabled.

Alisson Lima

Vengatesh_SR
Contributor

Yes, we can see the implicit rule created if we enable Accept Domain Name over UDP (queries) and Accept Domain Name over TCP (Zone transfer). We have already enabled it on our production device. We need to know whether we will see any impact if we disable it now.

We also wanted to know what exactly it does if we keep it enabled.

0 Kudos
PhoneBoy
Admin

If you disable these global properties, then DNS lookups and zone transfers through the firewall will be blocked unless they are permitted by a different rule.

If you don't know whether these things are happening through the Security Gateway, then I recommend logging Implied Rules for a time before deciding to disable these properties.
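The advice above is to log Implied Rules for a while and see what actually relies on them before turning the properties off. As an added example (not from this thread and not Check Point code), the Python script below tallies accepted DNS flows from exported logs by whether an implied or an explicit rule accepted them, and lists the source/destination pairs that would need an explicit rule before the implied one is disabled. The key=value field names, the "Implied Rule" rule name and the sample log lines are constructed for illustration; adapt the parser to the fields of your own log export.

```python
"""Tally accepted DNS flows by whether an implied or explicit rule accepted them.

Added example, not from the thread or from Check Point. The key=value field
names (action, rule_name, proto, src, dst, dport) and the sample lines are
constructed for illustration; adapt the parser to your real log export.
"""
import shlex

# Constructed sample log lines, not real traffic.
SAMPLE_LOGS = """\
time=10:00:01 action=accept rule_name="Implied Rule" proto=udp src=10.1.1.20 dst=8.8.8.8 dport=53
time=10:00:02 action=accept rule_name="Implied Rule" proto=udp src=10.1.1.21 dst=8.8.4.4 dport=53
time=10:00:03 action=accept rule_name="Implied Rule" proto=tcp src=10.2.0.5 dst=10.1.5.53 dport=53
time=10:00:04 action=accept rule_name="Allow DNS to resolvers" proto=udp src=10.3.0.9 dst=10.1.5.53 dport=53
time=10:00:05 action=accept rule_name="Implied Rule" proto=tcp src=203.0.113.7 dst=10.1.5.53 dport=53
time=10:00:06 action=accept rule_name="Web outbound" proto=tcp src=10.1.1.20 dst=198.51.100.1 dport=443
time=10:00:07 action=drop rule_name="Cleanup" proto=udp src=192.0.2.4 dst=10.1.5.53 dport=53
"""

# Check Point's predefined DNS service objects; used here only as labels.
SERVICE_NAME = {"query": "domain-udp", "zone_transfer": "domain-tcp"}


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict; shlex keeps quoted values whole."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def classify_dns(record: dict):
    """Return 'query' for UDP/53, 'zone_transfer' for TCP/53, else None.

    The global property labels TCP/53 as zone transfers, but the implied rule
    matches all TCP/53, including retries of truncated UDP answers, so treat
    the label loosely when deciding what an explicit rule must cover.
    """
    if record.get("dport") != "53":
        return None
    proto = record.get("proto", "").lower()
    if proto == "udp":
        return "query"
    if proto == "tcp":
        return "zone_transfer"
    return None


def implied_dns_report(log_text: str) -> dict:
    """Count accepted DNS flows per class; collect src/dst pairs that relied on the implied rule."""
    report = {
        kind: {"implied": 0, "explicit": 0, "pairs": set()}
        for kind in ("query", "zone_transfer")
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify_dns(rec)
        if kind is None or rec.get("action") != "accept":
            continue  # dropped DNS is not something an explicit rule must preserve
        if rec.get("rule_name") == "Implied Rule":
            report[kind]["implied"] += 1
            report[kind]["pairs"].add((rec["src"], rec["dst"]))
        else:
            report[kind]["explicit"] += 1
    for kind in report:
        report[kind]["pairs"] = sorted(report[kind]["pairs"])
    return report


def explicit_rules_needed(report: dict) -> list:
    """(src, dst, service) tuples an explicit rule must cover before the implied rule goes away."""
    needed = []
    for kind, data in report.items():
        for src, dst in data["pairs"]:
            needed.append((src, dst, SERVICE_NAME[kind]))
    return needed


if __name__ == "__main__":
    rep = implied_dns_report(SAMPLE_LOGS)
    for kind, data in rep.items():
        print(f"{kind}: implied={data['implied']} explicit={data['explicit']}")
    for src, dst, svc in explicit_rules_needed(rep):
        print(f"  need explicit rule: {src} -> {dst} {svc}")
```

Run it against a day or more of exported logs rather than the constructed sample; a source such as 203.0.113.7 (an Internet address in the sample) reaching an internal DNS server over TCP/53 via the implied rule is exactly the kind of flow you would want to review rather than blindly recreate as an explicit rule.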

pankajagr83
Explorer

What is best practice? Should we enable Accept ICMP requests in the implied rules?

If the firewall interface is the gateway for a VLAN and a server in that VLAN needs to ping the gateway interface, what other solution is there? Should we allow it before the stealth rule?


0 Kudos
PhoneBoy
Admin

Don't believe enabling via implied rules is strictly necessary.
ICMP would need to be allowed prior to your stealth rule, yes.

0 Kudos
Timothy_Hall
Legend

Dameon brings up a good point here, and this is a topic I cover in the CCSA classes that I teach.   The stealth rule should always be one of the first rules in your Network/Firewall policy layer, but what kind of rules need to appear prior to the stealth rule?  The main ones are:

  1. Administrative Access Rules - Allowing SSH/HTTPS/4434 from trusted internal hosts/networks to the firewall itself for purposes of management via the Gaia Web interface and clish/expert mode.
  2. Ping/Traceroute - If you want the firewall to answer pings sent directly to one of its interfaces and/or show up as a visible hop in a traceroute, you'll need a rule allowing it.  Generally I don't have a problem with the firewall responding to pings/traceroutes sent from an internal reasonably-trusted network, but definitely not for the Internet.  Note that including the traceroute service in a rule used to halt SecureXL Accept Templating from that point (i.e. "acceleration disabled from rule #X"), but this limitation was lifted in gateway code version R80.10.
  3. SNMP/NMS Polling - If you have a Network Management Station (NMS) initiating SNMP polls to the firewall, you'll need an explicit rule allowing it.  Notice that it is possible to only allow the NMS to perform SNMP reads by utilizing the special service snmp-read, which would be considered best practice unless the NMS is performing SNMP set operations, which is not too likely.  Netflow and external authentication connections such as RADIUS/TACACS initiated by the firewall itself will be allowed by default (implied rule "Accept outgoing packets from gateway") unless you explicitly block it.
  4. DHCP Server/Relay - If the firewall is performing DHCP Relay or acting as a DHCP server, the rules permitting this traffic must appear prior to the stealth rule.

There are a few other corner-case rules that have to appear prior to the Stealth Rule (VRRP multicast advertisements, legacy Client Authentication, SecureRemote Topology Downloads, etc.) but these are the big ones.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
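The reason the rules listed above must sit before the stealth rule is first-match evaluation: once a packet to the firewall's own address matches the stealth drop, nothing below it is consulted. As an added example (not from this thread and not Check Point code), the Python simulation below walks an ordered rulebase top-down and shows the same ping or SNMP poll to the gateway being accepted or dropped depending only on where the admin rules sit relative to the stealth rule, and includes a lint that flags gateway-bound accept rules that the stealth rule shadows. The gateway is modelled as a constructed set of interface addresses and services as plain strings; neither reflects real policy object formats.

```python
"""First-match simulation showing why gateway-bound rules must precede the stealth rule.

Added example, not from the thread or from Check Point. The gateway is
modelled as a set of constructed interface addresses and the service names
are plain strings; neither reflects actual policy object formats.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed interface addresses standing in for the gateway object.
GATEWAY_IPS = {"10.1.1.1", "10.2.0.1", "203.0.113.2"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR, "any", or "gateway" (the firewall itself)
    services: frozenset   # e.g. {"ssh", "https", "icmp"} or {"any"}
    action: str           # "accept" or "drop"


def _addr_match(field: str, ip: str) -> bool:
    if field == "any":
        return True
    if field == "gateway":
        return ip in GATEWAY_IPS
    return ip_address(ip) in ip_network(field)


def first_match(rulebase, src: str, dst: str, service: str):
    """Walk the rulebase top-down and return (action, rule name) of the first hit."""
    for rule in rulebase:
        if (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
                and ("any" in rule.services or service in rule.services)):
            return rule.action, rule.name
    return "drop", "implicit cleanup"  # nothing matched


def shadowed_by_stealth(rulebase):
    """Names of accept rules to the gateway placed after the stealth rule; they can never match."""
    stealth_idx = next(
        (i for i, r in enumerate(rulebase)
         if r.dst == "gateway" and r.src == "any" and r.action == "drop"),
        None,
    )
    if stealth_idx is None:
        return []
    return [r.name for r in rulebase[stealth_idx + 1:]
            if r.dst == "gateway" and r.action == "accept"]


STEALTH = Rule("Stealth", "any", "gateway", frozenset({"any"}), "drop")
ADMIN = Rule("Gateway admin", "10.1.1.0/24", "gateway",
             frozenset({"ssh", "https", "icmp"}), "accept")
SNMP_READ = Rule("NMS polling", "10.2.0.0/24", "gateway", frozenset({"snmp-read"}), "accept")
WEB = Rule("Web outbound", "10.0.0.0/8", "any", frozenset({"https"}), "accept")
CLEANUP = Rule("Cleanup", "any", "any", frozenset({"any"}), "drop")

# Same rules, two orders: only the position of the stealth rule differs.
GOOD_ORDER = [ADMIN, SNMP_READ, STEALTH, WEB, CLEANUP]
BAD_ORDER = [STEALTH, ADMIN, SNMP_READ, WEB, CLEANUP]

if __name__ == "__main__":
    for label, rb in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, "ping gateway from inside:", first_match(rb, "10.1.1.20", "10.1.1.1", "icmp"))
        print(label, "ping gateway from Internet:", first_match(rb, "198.51.100.9", "203.0.113.2", "icmp"))
        print(label, "shadowed rules:", shadowed_by_stealth(rb))
```

In the good order the internal ping and the SNMP read reach the gateway while the Internet ping still dies on the stealth rule; in the bad order both admin rules are dead weight, which is what the shadow check reports.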
Fincher
Participant

Hi! Could you help me please? I need to view the Global Properties in the CLI; how can I do this?

0 Kudos
the_rock
Legend

@Alisson_Lima is 100% correct. In simple words, anything you enable in that section would allow the connection via an implied rule, so you don't have to create specific policy-based rules for it.


From the R80 SmartConsole guide; you can also click on the help section and read it there as well. Hope that helps.


  • First - Applied first, before all other rules in the Rule Base - explicit or implied
  • Last - Applied last, after all other rules in the Rule Base - explicit or implied, but before the Implicit Cleanup Rule
  • Before Last - Applied before the last explicit rule in the Rule Base
0 Kudos
