zeromahesh
Explorer

Mobile Access Web Portal Access Matching Rule Issue

Hi All,


I have been experiencing the issue below related to the Mobile Access Portal.

My requirement is just to block specific public IPs from accessing the Mobile Access Portal. What I've done is set Mobile Access->Portal Settings->"According to the firewall policy" to enabled, place an explicit security rule to block the required source IPs, and then below that place an explicit security rule to allow any source IP to the Mobile Access Portal.

My Observation:

My Mobile Access Portal was blocked as expected for the IP addresses that should be blocked. But the issue is that when I checked SmartLog, it showed me that the blocked requests also matched an implied rule, and the action is Accept instead of my explicit block rule. Other public IPs matched my explicit allow rule, as I expected.


So my SIEM tool is alerting us that blocked IPs are gaining access without being blocked, based on the implied rule log.

PhoneBoy
Admin

Are you actually seeing two logs (one for the implied rule accepting and one for the block rule)?

zeromahesh
Explorer

What I see is that when I access the Mobile Access Portal from a non-blocked IP, it matches the explicit rule which allows access to the mobile portal. When I access from an IP blocked by the explicit block rule, it matches the implied rule and the action shows as Accept, but the portal is denied with an SSL error. Some logs show it as denied by the multiportal infrastructure.

PhoneBoy
Admin

Multiportal allows multiple portals to share the same port (e.g. Gaia WebUI, MAB, UserCheck).
However, access (i.e. the initial TCP handshake) is generally permitted by implied rules, which is needed to determine which portal to activate.
If you don’t want multiportal to respond at all, then you have to disable multiportal functionality per: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...
However, this means you will need to manually configure ALL the relevant portals to use a unique port.

zeromahesh
Explorer

Hi,

Currently I've already set the Gaia Portal (Platform) Accessibility setting to "Internal Interface only" and the Mobile Access Portal Accessibility option to "According to firewall policy". So what are the other portals published through all the interfaces by default, and how do I change the port or interface?

PhoneBoy
Admin

Off the top of my head:

  • Gaia Platform Portal (OS configuration)
  • Mobile Access Blade
  • Captive Portal (for Identity Awareness)
  • UserCheck 
  • Visitor Mode for Remote Access

There may be a few others.
However, disabling/changing all those may not disable multiportal and the relevant implied rules.

zeromahesh
Explorer

Hi,

The major issue that I'm facing is that when the implied rule matches connections from IPs blocked by the explicit rule, even though the portal is not loaded, the implied rule log says the connection was accepted. This incident is alerted by the SIEM tool. How do I overcome this issue?

PhoneBoy
Admin

Seems like you should tune this in the SIEM.
However, if I’m understanding the macro in sk165937 correctly, where it shows you what section to comment out to entirely disable this behavior, you may be able to simply remove the following from the definition:

IMPLIED_LOG,  

This will cause the gateway to still accept the connection as it's doing now, but not generate a log message.
I don't necessarily recommend this approach; tuning the SIEM would be better.
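A sketch of the SIEM-side tuning suggested above, as an added example that is not from the thread or any Check Point tool: it correlates each source IP's events so that an implied-rule Accept (the multiportal TCP handshake) on its own never raises an alert, and a blocked IP only pages when an explicit, non-implied rule actually accepted it. The log lines are constructed in a simplified key=value layout; field names like src, action and rule_name and the rule names are assumptions, not a verbatim gateway export.

```python
"""Correlate implied-rule accepts with the explicit rule that decided portal
access, so a SIEM only alerts on blocked IPs that really got through."""
import shlex
from collections import defaultdict

# Constructed sample events (not real gateway output): the blocked IP hits the
# implied rule (Accept) and is then refused by multiportal; another IP matches
# the explicit allow rule; a third only completes the handshake.
SAMPLE_LOGS = """\
src=203.0.113.10 dst=192.0.2.1 service=443 action=Accept rule_name=Implied_Rule
src=203.0.113.10 dst=192.0.2.1 service=443 action=Reject rule_name=MAB_Block reason="denied by multiportal infrastructure"
src=198.51.100.7 dst=192.0.2.1 service=443 action=Accept rule_name=MAB_Allow_Any
src=192.0.2.99 dst=192.0.2.1 service=443 action=Accept rule_name=Implied_Rule
"""
BLOCKED = {"203.0.113.10"}            # assumed block list from the explicit rule
IMPLIED_RULES = {"Implied_Rule"}      # assumed name the SIEM sees for implied rules


def parse(line):
    """Parse one key=value line; shlex keeps quoted values with spaces intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def classify(lines, blocked, implied_rules=IMPLIED_RULES):
    """Return {src: verdict}. 'breach' = blocked IP accepted by an explicit rule;
    'allowed' = explicit accept for a non-blocked IP; 'handshake_only' = the
    only Accept came from an implied rule (multiportal answered the TCP setup)."""
    by_src = defaultdict(list)
    for line in lines.splitlines():
        if line.strip():
            ev = parse(line)
            by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, events in by_src.items():
        explicit_accept = any(
            e["action"] == "Accept" and e["rule_name"] not in implied_rules
            for e in events
        )
        if not explicit_accept:
            verdicts[src] = "handshake_only"
        else:
            verdicts[src] = "breach" if src in blocked else "allowed"
    return verdicts


def siem_alerts(lines, blocked):
    """Only sources whose verdict is 'breach' should raise a SIEM alert."""
    return sorted(s for s, v in classify(lines, blocked).items() if v == "breach")
```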

zeromahesh
Explorer

Hi,

Thank you for your suggestion. Please let me know what will happen if I enable separate portals on separate IPs on the same interface. Will that solve the issue the way I'm expecting?

PhoneBoy
Admin

The issue is coming from Multiportal itself, not the other portals in use.
Most of the portals can be moved to a different port on the same IP if you prefer, but that doesn’t disable multiportal.
