This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-02-01 10:48 AM
Jump to solution

CPEarlyDrop Mechanism

Hello, team.

Could someone enlighten me with the following question.

How does the "mechanism" of "CPEarlyDrop" work?

Sometimes it is really annoying, as I understand a little bit the SK, although not 100%.

I would like to know, what is the best way to avoid "running into" this mechanism, when creating a security rule, to allow or deny an access to certain origin(s) of your network.

I share with you an image of a log of my client's environment, where having created an explicit rule to allow the connection from an origin to a destination, the traffic does not MATCH with this rule, but it does MATCH with the CPEarlyDrop.

 

CPEarly.jpg

I will be attentive to your kind comments.

Regards.

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2023-02-01 02:31 PM
Jump to solution

The mechanism is described here:
sk111643: Early drop of a connection before the final rule match

It is well explained in the SK video.

If that is not enough, please describe your question in more detail.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

5 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2023-02-01 02:31 PM
Jump to solution

The mechanism is described here:
sk111643: Early drop of a connection before the final rule match

It is well explained in the SK video.

If that is not enough, please describe your question in more detail.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Matlu
Advisor
‎2023-02-01 03:34 PM
In response to HeikoAnkenbrand
Jump to solution

Hello,

I understand that this mechanism "appears" when you have many "similar" rules, right?

Something like if you have 4 rules, that all work with "Source" and "Destination" as "any", "any", and you just "customize" the services, changing the actions, between "Allow" and "deny".

If you decide to put a 5th rule in the list that has almost the same criteria as the first 4, I understand that the "mechanism" of CPEarlyDrop appears, is this correct?

My question is, when this type of mechanism appears, at the moment of creating an explicit rule, what is the best solution method, to make the traffic match with the rule that I just created, and not with the CPEarlyDrop?

Thanks for your comments.

Thanks for your comments.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-01 04:13 PM
In response to Matlu
Jump to solution

CPEarlyDrop kicks primarily when multiple rules kick in with similar source/destination, Services that aren't just simple TCP/UDP services, and the action is Drop.
The "services that aren't simple TCP/UDP services" are key because they require packets beyond the first SYN to make a rulebase match and is when CPEarlyDrop kicks in.
Rules that involve only simple TCP/UDP services with the action Accept won't be subject to CPEarlyDrop since they can be resolved on the first packet.

To clean up the problem, you should probably disable (temporarily) the mechanism as described in the SK and see what rules the traffic matches.
The offending rule(s) should be logged and you can adjust them accordingly. 

0 Kudos
Matlu
Advisor
‎2023-02-01 04:29 PM
In response to PhoneBoy
Jump to solution

Hello,

 

One doubt, when you talk about "Simple TCP/UDP services", you are referring to "known ports", for example the 179 which is, as far as I remember the port for BGP, or for example the port for RDP 3389.

Is it these services you are referring to, in your comment?

 

Is it a viable option to take the rule I created, and put it at the beginning of the rule base, just to "test" the traffic?

 

This way I avoid disabling perhaps the CPEarlyDrop mechanism.

 

Greetings.

PhoneBoy
Admin
Admin
‎2023-02-01 05:46 PM
In response to Matlu
Jump to solution

You are correct on both accounts.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events