This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2024-03-26 12:33 PM

Implied rules and dynamic objects

I've been playing with Implied Rules in my lab. Currently have things set like this:

Implied rules config.jpg

With this set, these rules appear (among others):

Implied Rules list.jpg

(we have generally stayed away from implied rules - those rules with source "Any" make me uncomfortable).

My specific question - is there a published list of what all these dynamic objects (e.g. FW1 Management, FW1 Module) are? Is there a way to resolve them on the gateway? (dynamic_objects command doesn't seem to help).

Dave

0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-03-26 05:49 PM

I believe they simply refer to mgmt and fw object(s), but I could be mistaken.

Andy

Best,
Andy
0 Kudos
David_C1
Advisor
‎2024-03-27 06:35 AM
In response to the_rock

Most of these are somewhat self-explanatory, at least to someone who has been working with Check Point for some time. However, if we enable implied rules in production, we will need to provide a vendor provided explanation of what these objects represent, since they will be part of our access policy. Here's a list of the objects in the implied rules based on my config above:

According to Gateway MTA Settings
MTA enabled Gateways
According to Gateway ICAP Settings
ICAP enabled Gateways
Analyzer Server
FW1 Management
FW1 Module
Log Servers
RT-Physical-Servers
Ldap-Servers
Tacacs-Servers
Radius-Servers
UFP-Servers
CVP-Servers
LocalMachine
NG Policy Server
Reporting Server
SmartPortal
Gui-clients

CPMI-clients

In general, I know enabling implied rules is considered best/recommended practice (by Check Point support), but again, rules with a source of "any" does not strike me as best security practice.  Feedback welcome.

Dave

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-03-27 07:00 AM
In response to David_C1

I get your point. Honestly, if I were you, I would try get an official TAC answer for this. 

Just my 2 cents...

Andy

Best,
Andy
0 Kudos
David_C1
Advisor
‎2024-03-29 06:39 AM
In response to the_rock

Andy,

Good suggestion, and I've opened a case. Surprised there isn't documentation around this, but not the first time I've been surprised by similar lack of documentation.

Dave

(1)
David_C1
Advisor
‎2024-03-29 10:38 AM
In response to the_rock

Ticket has been opened and support directed me to sk17745, which provides some information. It's not complete (and honestly doesn't really answer the question I asked) but it's a start. I also found these interesting implied rules that are created when you enable "Accept Control connections"

 

implied rule.jpg

Why interesting?

services.jpg

Either sk52421 is inaccurate or Check Point is enabling rules for services that have not been supported since the stone age.

Dave

 

 

the_rock
MVP Platinum
MVP Platinum
‎2024-03-29 11:40 AM
In response to David_C1

You really got me curious about it now too. I clicked help section when viewing implied rules and link that comes up is this:

Implied Policy - Rules (checkpoint.com)

On that link, you get directed to below:

https://support.checkpoint.com/results/sk/sk119497

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events