This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mikula83
Contributor
‎2025-07-08 01:27 AM
Jump to solution

Check point "Internet" object

Hello,

I have found in logs that Check Point doesn't include all public ip addresses when using "Internet" object in policy.

 

Can you give me explanation about this behaviour.

 

Instead of using "Internet" object I have made a workaround using public IP address ranges:

1.0.0.0 - 9.255.255.255

11.0.0.0 - 126.255.255.255

128.0.0.0 - 169.253.255.255

169.255.0.0 - 172.15.255.255

172.32.0.0 - 192.167.255.255

192.169.0.0 - 223.255.255.255

 

0 Kudos
1 Solution

Accepted Solutions
Tal_Paz-Fridman
Employee
Employee
‎2025-07-08 01:47 AM
Jump to solution

Please look at this SK

https://support.checkpoint.com/results/sk/sk64543

 

View solution in original post

0 Kudos
6 Replies
Tal_Paz-Fridman
Employee
Employee
‎2025-07-08 01:47 AM
Jump to solution

Please look at this SK

https://support.checkpoint.com/results/sk/sk64543

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-07-08 11:32 AM
In response to Tal_Paz-Fridman
Jump to solution

Exactly, one quirk with object Internet is that traffic entering a VPN tunnel will not match it, even if the traffic is leaving on the External interface.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-07-08 02:55 AM
Jump to solution

How are you using this object in your policy and what is the topology of the gateway defined like?

More information will assist us in clarifying the behavior for you, further to the resource provided by @Tal_Paz-Fridman 

CCSM R77/R80/ELITE
0 Kudos
_Val_
Admin
Admin
‎2025-07-08 03:03 AM
Jump to solution

As @Tal_Paz-Fridman already mentioned, the "Internet" object is a function of your GW topology. 

0 Kudos
Mikula83
Contributor
‎2025-07-08 07:17 AM
In response to _Val_
Jump to solution

I have attached to you "Topology" and "Policy" picture for better understanding. When I used "Internet" object as destination in Internet inline layer instead of public IP ranges (on picture red rectangle) some ntp services were dropped although rule 6.4 says "Permit all" so I have to create rule id 7 and permit ntp service.

Where is mistake?

It works before but not for all public ip addresses.

Preview file
138 KB
Preview file
39 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-08 12:06 PM
Jump to solution

The various ways to describe the Internet are discussed in this thread: https://community.checkpoint.com/t5/Management/Properly-defining-the-Internet-within-a-security-poli...

The object "Internet" can only be used with App Control/URL Filtering rules.
The rules you showed in the screenshots below can all be matched on simple TCP/UDP services.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events