Hi All,
I have been experiencing the below issue related to the Mobile Access Portal.
My requirement is just to block specific public IPs from accessing the Mobile Access Portal. What I've done is change Mobile Access -> Portal Settings -> "According to the firewall policy" to enabled, placed an explicit security rule to block the required source IPs, and then below that placed an explicit security rule to allow any source IP to the Mobile Access Portal.
My Observation:
My Mobile Access Portal got blocked as expected for the required blocked IP addresses. But the issue is that when I checked SmartLog, it showed me that the blocked requests are also matched with an implied rule and the action is accept, instead of my explicit block rule. Other public IPs matched my explicit allow rule, as I expected.
So my SIEM tool is alerting us that blocked IPs are gaining access without getting blocked, based on the implied rule log.
Are you actually seeing two logs (one for the implied rule accepting and one for the block rule)?
What I see is that when I access the Mobile Access Portal using a non-blocked IP, it matches the explicit rule which allows access to the mobile portal. When I access using an IP blocked by the explicit block rule, it matches the implicit rule and the action shows as accept. But the portal gets denied with an SSL error. Some logs show as denied by multiportal infrastructure.
Multiportal allows multiple portals to share the same port (e.g. Gaia WebUI, MAB, UserCheck).
However, access (i.e. the initial TCP handshake) is generally permitted by implied rules, which is needed to determine which portal to activate.
If you don’t want multiportal to respond at all, then you have to disable multiportal functionality per: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...
However, this means you will need to manually configure ALL the relevant portals to use a unique port.
Hi,
Currently I’ve already set the Gaia portal (Platform) Accessibility setting to “Internal Interface only” and the Mobile Access Portal Accessibility option to “According to firewall policy”. So what are the other portals published through all the interfaces by default, and how do I change the port or interface?
Off the top of my head:
There may be a few others.
However, disabling/changing all those may not disable multiportal and the relevant implied rules.
Hi,
The major issue that I'm facing is that when the implied rule matches connections from IPs blocked by the explicit rule, the implied rule log says the connection was accepted even though the portal is not loaded. This incident is alerted by the SIEM tool. How can I overcome this issue?
Seems like you should tune this in the SIEM.
However, if I’m understanding the macro in sk165937 correctly, where it shows you what section to comment out to entirely disable this behavior, you may be able to simply remove the following from the definition:
IMPLIED_LOG,
This will cause the gateway to still accept the connection as it’s doing now but not generate a log message.
Don’t necessarily recommend this approach, tuning the SIEM would be better.
Hi,
Thank you for your suggestion. Please let me know what will happen if I enable separate portals on separate IPs on the same interface. Will that solve the issue the way that I'm expecting?
The issue is coming from Multiportal itself, not the other portals in use.
Most of the portals can be moved to a different port on the same IP if you prefer, but that doesn’t disable multiportal.
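One way to do the SIEM tuning suggested in this thread, as an added example that is not part of any post above and is not Check Point code: suppress an implied-rule accept from a blocked source only when a deny for the same flow is logged within a short window, and keep alerting otherwise. The event field names, the blocklist, the 5-second window, and the presence of a corroborating deny log are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are hypothetical, not Check Point's log schema.
SAMPLE_EVENTS = [
    {"time": "2025-01-01T10:00:00", "src": "203.0.113.10", "dst": "198.51.100.1",
     "port": 443, "action": "accept", "rule": "implied"},
    {"time": "2025-01-01T10:00:01", "src": "203.0.113.10", "dst": "198.51.100.1",
     "port": 443, "action": "drop", "rule": "explicit"},
    # Implied accept from a blocked source with no matching deny: must still alert.
    {"time": "2025-01-01T10:05:00", "src": "203.0.113.20", "dst": "198.51.100.1",
     "port": 443, "action": "accept", "rule": "implied"},
    {"time": "2025-01-01T10:06:00", "src": "192.0.2.5", "dst": "198.51.100.1",
     "port": 443, "action": "accept", "rule": "explicit"},
]
BLOCKED_SOURCES = {"203.0.113.10", "203.0.113.20"}  # constructed blocklist
WINDOW = timedelta(seconds=5)  # assumed correlation window


def _flow(event):
    """Key used to pair an accept log with a deny log for the same connection."""
    return (event["src"], event["dst"], event["port"])


def triage(events, blocked, window=WINDOW):
    """Split implied-rule accepts from blocked sources into (suppressed, alerts).

    An accept is suppressed only if a drop/reject for the same flow was logged
    within `window`; an uncorroborated accept is kept as an alert.
    """
    denies = {}
    for e in events:
        if e["action"] in ("drop", "reject"):
            denies.setdefault(_flow(e), []).append(datetime.fromisoformat(e["time"]))

    suppressed, alerts = [], []
    for e in events:
        if e["src"] not in blocked or e["action"] != "accept" or e["rule"] != "implied":
            continue  # only implied-rule accepts from blocked sources are triaged
        seen = datetime.fromisoformat(e["time"])
        if any(abs(seen - d) <= window for d in denies.get(_flow(e), [])):
            suppressed.append(e)
        else:
            alerts.append(e)
    return suppressed, alerts
```

Keeping the uncorroborated case as an alert means the tuning does not hide a blocked source that was accepted with no deny logged for the same flow.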