Implied Rule 0
Hello!
Gateway version 80.40 (Model 15600)
Can you please explain why this is passing with this implied rule? I observe similar behavior in a log where someone attacked with SSH from outside to inside.
Thank you.
One of your cluster members is connecting to Akamai-based Check Point update servers. Absolutely normal.
Look at this too.
What exactly do you expect me to see here? Please phrase your question in a way that can be understood.
Sorry. I am allowing SSH anywhere, so how is it passed (as you can see in the log)?
I can see the rule is matched on the Network policy and the Application Control policy. Apparently you have two layers or more. You allow SSH anywhere, it passes, what is the question? What are you trying to figure out, actually?
I am not allowing SSH; I have two ordered layers, Network and Application.
Check your policy once more. There are rules matching. What is looking fishy is that your Implicit Cleanup rule says "Accept".
You must have configured the implicit action to be Accept for Network, which is super bad. Change it to Drop.
Also make sure you read and understand your admin manual and sk112249.
I can see an accepted connection from Internal to External on the Sync interface that was accepted by Network Layer rule 29. Second, the Application layer implied rule is listed; what is wrong with that?
On the Application layer, why is this automatically accepted? Where is this rule 0 and how can I change this?
You do not want to disallow FWs from opening outgoing connections. Lots of things will break.
My question here is how SSH passed with the implicit cleanup rule at the Network layer? I have no rule that allows SSH, and at the end of my rules I have the block-all rule enabled.
Already answered above. You have the implied cleanup rule set to Accept. That should not happen. Basically, you are wide open for any traffic which is not matched by your explicit rules.
Where is this rule located? The implicit cleanup rule 0.
See the screenshot above. Click on Layer/Advanced.
Thank you very much. So in the scenario where everything is denied except the allow rules, in the Application and Network layers the implicit cleanup rule must be set to Deny.
Right?
Yes. Never ever change implied action on Network layer.
It is okay to have it set to Allow for Application Control, though, because otherwise all non-categorized traffic will be dropped.
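As an added illustration of the point made in this reply (example code, not from the thread or from Check Point): a simplified Python model of ordered-layer evaluation. It assumes, as in Check Point's ordered-layer semantics, that a connection must be accepted by every layer in turn, and that a layer whose explicit rules do not match applies its implicit cleanup rule (shown as rule 0 in logs). The zones, objects and rules are constructed for the demonstration.

```python
# Added example, not Check Point code: a toy model of R80.x ordered layers.
# Assumption: a connection is accepted only if every layer accepts it; when no
# explicit rule matches, the layer's implicit cleanup action (rule 0) applies.
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    src: str        # "any" or a constructed zone/object name
    dst: str
    service: str
    action: str     # "accept" or "drop"

    def matches(self, src, dst, service):
        # A field matches when it is "any" or equals the connection's value.
        pairs = ((self.src, src), (self.dst, dst), (self.service, service))
        return all(f in ("any", v) for f, v in pairs)


@dataclass
class Layer:
    name: str
    rules: list
    implicit_cleanup: str   # action of the implicit cleanup rule ("rule 0")

    def evaluate(self, src, dst, service):
        for rule in self.rules:
            if rule.matches(src, dst, service):
                return rule.action, rule.number
        return self.implicit_cleanup, 0   # nothing matched: rule 0 decides


def evaluate_policy(layers, src, dst, service):
    """Return (final_action, [(layer, rule_no), ...]); a drop in any layer ends it."""
    trail = []
    for layer in layers:
        action, rule_no = layer.evaluate(src, dst, service)
        trail.append((layer.name, rule_no))
        if action == "drop":
            return "drop", trail
    return "accept", trail


# Constructed policy resembling the thread: nothing explicitly allows SSH from outside.
NETWORK_RULES = [Rule(1, "internal", "any", "https", "accept")]
APP_RULES = [Rule(1, "internal", "any", "web_browsing", "accept")]

def misconfigured():   # Network layer rule 0 set to Accept: wide open to unmatched traffic
    return [Layer("Network", NETWORK_RULES, "accept"), Layer("Application", APP_RULES, "accept")]

def hardened():        # Network rule 0 Drop; Application rule 0 Accept keeps uncategorized traffic flowing
    return [Layer("Network", NETWORK_RULES, "drop"), Layer("Application", APP_RULES, "accept")]
```

Running `evaluate_policy(misconfigured(), "external", "internal", "ssh")` shows SSH accepted by rule 0 in both layers, while the hardened policy drops it at the Network layer, and internal HTTPS still passes the Application layer via its rule 0.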
My last Network rule is any/any block all. So you mean that this implied cleanup rule we are talking about accepts before the last rule?
Block or drop?
Drop all.
This is very odd. It seems it does not match those SSH connections you are trying to drop. In any case, change the implicit action to Drop as soon as possible, and then check again.