Contributor

Implied rules

Hi,

I have two questions related to implied rules:

  1. We historically have tried to avoid using implied rules to have better control of the traffic. What is the best practice regarding this?
  2. When viewing the implied rules they all seem to have action Accept (or Encrypt&Continue). However, in the logs there is traffic dropped on implied rule (rule 0). What is the explanation for this?

We are running R80.20 JHA 183.

Thanks for your help!

Best regards,

Harry

11 Replies
Champion

1. I would assume that using the implied rules is the best practice - but also other considerations are valid. To replace an implied rule by a manually created one changes logging only...

2. Drops on implied rule (rule 0) can be caused by (Core) IPS Protections, like protocol handlers, that are checked before rulebase (see sk136392, sk155152 for examples).
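To make the second point concrete, here is an added example (not code from the thread or from Check Point) that walks an exported log and separates "rule 0" drops from the Accept/Encrypt entries that implied rules actually produce, attributing each drop to the protection reported alongside it. The input is a constructed, simplified `key: value; key: value` export with assumed field names (`action`, `rule`, `rule_name`, `src`, `dst`, `service`, `protection_name`) and constructed protection names; a real export will use different field names and must be mapped accordingly.

```python
"""Attribute rule-0 drops in a (constructed) firewall log export to their cause.

Added example for this thread; not Check Point code. Field names and values
below are assumptions chosen for illustration, not a real log schema.
"""
from collections import Counter, defaultdict

# Constructed sample records (not real traffic). Implied rules only produce
# Accept/Encrypt entries; Drop entries on rule 0 carry a protection name here,
# standing in for the pre-rulebase check that actually dropped the packet.
SAMPLE_LOG = """\
action: Accept; rule: 0; rule_name: Implied Rule; src: 10.1.1.5; dst: 10.1.1.1; service: 18191; protection_name: -
action: Drop; rule: 0; rule_name: Implied Rule; src: 192.0.2.44; dst: 10.1.1.1; service: 80; protection_name: Constructed HTTP protocol check
action: Drop; rule: 0; rule_name: Implied Rule; src: 192.0.2.44; dst: 10.1.1.1; service: 53; protection_name: Constructed DNS protocol check
action: Drop; rule: 12; rule_name: Cleanup; src: 198.51.100.7; dst: 10.1.1.9; service: 445; protection_name: -
action: Drop; rule: 0; rule_name: Implied Rule; src: 203.0.113.9; dst: 10.1.1.1; service: 80; protection_name: Constructed HTTP protocol check
action: Encrypt; rule: 0; rule_name: Implied Rule; src: 10.1.1.5; dst: 10.2.2.5; service: 500; protection_name: -
"""


def parse_line(line):
    """Turn one 'k: v; k: v' record into a dict; fields without ':' are skipped."""
    record = {}
    for field in line.split(";"):
        if ":" not in field:
            continue
        key, _, value = field.partition(":")
        record[key.strip()] = value.strip()
    return record


def parse_log(text):
    """Parse every non-empty line of the export into a list of dicts."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def rule0_drops(records):
    """Records dropped on rule 0. These are not implied-rule denies (implied
    rules only Accept/Encrypt) but checks enforced before the rulebase."""
    return [r for r in records if r.get("rule") == "0" and r.get("action") == "Drop"]


def drops_by_cause(records):
    """Count rule-0 drops per reported cause; '-' or empty becomes 'unattributed'."""
    counts = Counter()
    for r in rule0_drops(records):
        cause = r.get("protection_name", "-")
        counts[cause if cause not in ("", "-") else "unattributed"] += 1
    return dict(counts)


def sources_by_cause(records):
    """Sorted list of source addresses per cause, for follow-up with the owners."""
    out = defaultdict(set)
    for r in rule0_drops(records):
        out[r.get("protection_name", "-")].add(r.get("src", "?"))
    return {cause: sorted(srcs) for cause, srcs in out.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(rule0_drops(recs))} dropped on rule 0")
    for cause, n in drops_by_cause(recs).items():
        print(f"  {n:3d}  {cause}  from {', '.join(sources_by_cause(recs)[cause])}")
```

Run it as a script to see the breakdown; the point is that every rule-0 Drop is accounted for by a named protection rather than by an implied rule, which is the explanation given above. The Drop on rule 12 is left alone because it is an ordinary rulebase (cleanup) decision.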

Admin

The implied rules you can set via Global Properties are largely a “horses for courses” discussion as far as whether you use them or not.
There are some implied rules that aren’t in the UI…for good reason.
SIC and/or VPN-related traffic are good examples of this.
There are ways of modifying these rules if you absolutely must do it, but it is not recommended.

Likewise, there are several sanity checks done on packets, some of which cannot (easily) be disabled.
Anti-spoofing is something you can affect the configuration of.
There are also a handful of IPS “Core” protections (actually enforced in the firewall) that may also apply.

Contributor

Thank you very much @G_W_Albrecht and @PhoneBoy for the information and help!

Contributor

@PhoneBoy, do I understand correctly that we could safely disable all configuration options in SmartConsole for implied rules (including "Accept control connections") as long as we have the required rules in the rule base?

Thanks again for your help!

Champion

That is my personal experience - I know of such configurations and they work. But the only need would be if certain traffic should be dropped that the implied rule would accept.

Admin

@net-harry technically yes. In practice, this is a very cumbersome approach, and it is hard to manage.

Employee

Hi @net-harry,

See sk43401:

Check Point does not support replacing implied rules with explicit rules.

Warning: If the predefined implied rules are disabled, policy installation could fail on managed Security Gateways, even if explicit rules are defined in place of the predefined implied rules.

Important Note: If you choose to disable all Implied Rules, you will need to manually configure the explicit rules required for the proper operation and communication of managed Security Gateways with the Security Management Server.
Ish. Disabling implied rules gives you quite a few ways to shoot yourself in the foot quite impressively. Among other things, implied rules don't go over VPNs. I have personally seen situations (multiple times!) where somebody disabled implied rules in favor of explicit rules, then they lost the ability to push policy to any of their remote firewalls. All the remote firewalls expected the management server to reach them over a VPN now, but they couldn't negotiate the VPN because they couldn't get the CRL from the management server, because the VPN needed to be up for them to be able to get to the management. It was very time-consuming to fix, because they didn't have technical staff at these sites all the time, and it took hands on the firewall to unload the policy and get things working again.

Unless you are willing to accept the risk of things being down for several days when (not if) you make a mistake in your explicit rules, this is a bad idea.

Contributor

Thank you very much @G_W_Albrecht, @_Val_, @MarkWeber and @Bob_Zimmerman for your feedback!

Looks like the recommendation is to have implied rules enabled. Is enabling "Accept control connections" enough or are additional implied rules also recommended?

Which are actually enabled by default?

Thanks again for your help!

Harry

Admin

This is how the default looks:

Screenshot 2020-12-01 at 07.52.44.png

Advisor

That being said, it sure would be nice if you didn't have to hack things to get LDAP or cprid over IPsec.
