Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Netadmin2020
Collaborator

Implied Rule 0

Hello!

Gateway version 80.40 (Model 15600)

implied 0.PNG

implied 0a.PNG

Can you please explain why this is passing with this implied rule? I observe similar behavior in a log that someone attack with ssh from outside to inside.

thank you 

0 Kudos
20 Replies
_Val_
Admin
Admin

One of your cluster member is connecting to Akamai based Check Point update servers. Absolutely normal.

Screenshot 2021-03-25 at 11.43.41.png

0 Kudos
Netadmin2020
Collaborator

look at this too.

ok1.PNG

ok2.PNG

0 Kudos
_Val_
Admin
Admin

What exactly you do expect me to see here? Please phrase your question in a way it can be understood.

0 Kudos
Netadmin2020
Collaborator

Sorry. I am allowing ssh anywhere so how it is passed (as you can see in the log)?

0 Kudos
_Val_
Admin
Admin

I can see the rule is matched on Network policy and Application control policy. Apparently you have two layers or more. You allow SSH anywhere, it passes, what is the question? What are you trying to figure our, actually?

0 Kudos
Netadmin2020
Collaborator

I am not allowing ssh, i have 2 ordered layers network and application.

0 Kudos
_Val_
Admin
Admin

Check your policy once more. There are rules matching. What is looking fishy is that your Implicit Cleanup rule says "Accept". 

Screenshot 2021-03-25 at 12.10.08.png

You must configured Implicit action to be accept for Network, which is super bad. Change it to drop.

Screenshot 2021-03-25 at 12.15.59.png

Also make sure you read and understand you admin manual and sk112249


G_W_Albrecht
Legend Legend
Legend

I can see an accepted connection from Internal to External on  Sync Interface that was accepted by Network Layer Rule 29. Second, Application layer implied rule is listed - what is wrong with that ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Netadmin2020
Collaborator

On the application layer why is this automatically accepted? where is this rule 0 and how can i change this?

0 Kudos
_Val_
Admin
Admin

You do not want disallowing FWs to open outgoing connections. Lots of thinks will break.

0 Kudos
Netadmin2020
Collaborator

My question here is how ssh passed with the rule implicied clean up at network layer? i have no rule that allows ssh and at the end of my rules i have the block all enabled.

0 Kudos
_Val_
Admin
Admin

Already answered above. You have implied clean rule set to accept. That should not happen. Basically, you are wide open for any traffic which is not matched to your explicit rules.

0 Kudos
Netadmin2020
Collaborator

Where this rule located ? The implicit cleanup rule 0

0 Kudos
_Val_
Admin
Admin

See the screenshot above. Click on Layer/Advanced

0 Kudos
Netadmin2020
Collaborator

thank you very much, so the scenario everything is denied except allowance rule, in application and network layer the implicit cleanup rule must be at deny.

Right?

0 Kudos
_Val_
Admin
Admin

Yes. Never ever change implied action on Network layer.

It is okay to have it Allow for Application Control though, because otherwise all non-categorized traffic will be dropped.

0 Kudos
Netadmin2020
Collaborator

My last network rule is any any block all. So you mean that this implied cleanup that we are taking about it accepts before the last rule ?

0 Kudos
_Val_
Admin
Admin

Block or drop?

Netadmin2020
Collaborator

drop all

0 Kudos
_Val_
Admin
Admin

This is very odd. It seems it does not match those SHH connections you are trying to drop. In any case, change implicit action to Drop as soon as possible, and then check again

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events