This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roadrunner88
Contributor
‎2024-06-04 05:27 AM

Policy Rule does not work

Hello,

 

we have a Policy with a Rule allowing traffic to single TCP port: 15672

This rule does not work, I suppose because we have er Service object, TCP-High-Ports (Includes Port range 1024 - 65535), this is shown in the log. So the Policy does not use the Selected TCP Port 15672 but uses this object, which isnt defined in this dedicated rule anbd the traffic is dropped.

How can we fix this?


0 Kudos
8 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-06-04 05:44 AM

I can neither see the rule nor your rule base - so better open an SR# with CP TAC to get this resolved !

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Roadrunner88
Contributor
‎2024-06-04 05:57 AM
In response to G_W_Albrecht

 

cp1.png

 TCP Port is defined in rule number 32

But Traffic passes on temp any any rule number 38 as service object "tcp-high-ports" 


cp2.png


cp3.png



it should pass by rule 32 not 38 already

the blacked parts of the rules are correct, the traffic should go over rule 32. 


 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-06-04 07:24 AM
In response to Roadrunner88

The service shown in the log doesn't correspond to anything. The actual log entry only has the port number. SmartConsole then takes that port number and tries to resolve it to an object name to be helpful. You can totally ignore the object name shown there.

In your original post, you mention the port at issue is 15600. The service in the rule you have shared is named 15672, implying it matches that port rather than 15600. Which port are you actually trying to match? Are you sure the service object in the rule matches that port? Ignore the name of the service object and only look at the contents.

0 Kudos
the_rock
Legend
Legend
‎2024-06-04 07:34 AM

In your screenshot @Roadrunner88 , it shows name as tcp 15672, NOT 15000, unless you are trying to trick us with the name 🙂

Can you verify what is the actual post number?

Andy

0 Kudos
Roadrunner88
Contributor
‎2024-06-04 10:28 PM
In response to the_rock

yes I wanted to anonymise a little bit but doesnt matter, the point is the same...

what do you mean by the post number?


the port is written in rule 32 but the firewall does not use this rule , but uses the any any rule with this high port range.

source and destination in rule 32 is correct.


0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-06-05 07:01 AM
In response to Roadrunner88

If the traffic is not matching an access rule, then one of four things is happening. Either:

  1. The source of the traffic is not in the source of the rule
  2. The destination of the traffic is not in the destination of the rule
  3. The service of the traffic is not in the service of the rule
  4. The rule is not on the firewall in question

One of those four items is the cause 99.999% of the time traffic doesn't match an access rule someone expects. Check the values of the objects in the rule, not the names. Make sure the firewall is in the "Install On" column, or that column is set to Policy Targets and the policy's installation targets includes the firewall. Make sure the policy has been pushed.

the_rock
Legend
Legend
‎2024-06-05 07:03 AM
In response to Bob_Zimmerman

Valid points, but sometimes even with those conditions, rule might not get matched.

0 Kudos
the_rock
Legend
Legend
‎2024-06-05 07:03 AM
In response to Roadrunner88

I meant port number, what is the post number in that service?

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events