This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gurowar
Contributor
‎2024-02-27 01:47 PM
Jump to solution

Statefull Firewall

Good day all;

I have a question I have an internal server that is initiating a HTTPS connection to AWS via the internet, the connection fails and when I check it is being dropped by the clean up rule.  I thought that since this is a statefull firewall and the connection is initialed internally I wouldn't need to apply a policy to allow this connection.  What am I doing wrong?

 

Thank you in advance!!!

Warren

Preview file
13 KB
0 Kudos
1 Solution

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2024-02-28 12:59 AM
Jump to solution

Looks like you don't have a firewall rule for this traffic.

Should be something like:

src: internal IP

dst: aws

port:443

allow

You don't have to make a rule for src;AWS, dst: internal IP. That is the statefull part

-------
Please press "Accept as Solution" if my post solved it 🙂

View solution in original post

8 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-02-27 02:50 PM
Jump to solution

There needs to be a rule allowing the initiator of the connection, then the reply traffic will be statefully matched.

Do you have rules allowing the internal zone or subnets outbound?

CCSM R77/R80/ELITE
the_rock
MVP Diamond
MVP Diamond
‎2024-02-27 06:50 PM
Jump to solution

As Chris said, you need a rule to allow initial connection, not the other way around, as it would be stateful.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
Lesley
MVP Gold
MVP Gold
‎2024-02-28 12:59 AM
Jump to solution

Looks like you don't have a firewall rule for this traffic.

Should be something like:

src: internal IP

dst: aws

port:443

allow

You don't have to make a rule for src;AWS, dst: internal IP. That is the statefull part

-------
Please press "Accept as Solution" if my post solved it 🙂
gurowar
Contributor
‎2024-02-29 06:33 AM
In response to Lesley
Jump to solution

Thanks guys yeah I don't have a rule in place yet, I got caught up because I tried to ping 8.8.8.8 and when it didn't work I started focusing on that.  I thought all outbound connectivity was allowed by default but thank you for your help I will put in a rule for aws.

Thank you guys!!!

 

Warren

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-29 06:39 AM
In response to gurowar
Jump to solution

As long as its fixed mate, now you know for next time 🙂

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
gurowar
Contributor
‎2024-02-29 06:42 AM
In response to the_rock
Jump to solution

Yes that is true, thank you again for your help!!

Thank you, sir!!

Warren

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-29 06:45 AM
In response to gurowar
Jump to solution

No worries. Put it this way...regardless of what fw you use, Cisco, Sonicwall, CP, FGT, PAN...makes no difference, you just need to know that when you place a rule for OUTBOUND connection to the Internet, no need for return rule, its stateful at that point, unless obviously you need to allow someone to access your host on the LAN from the Internet, you need to do NAT, port forwarding, what have you...you get the idea 🙂

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-02-28 07:02 AM
Jump to solution

If this HTTPS traffic is subject to NAT, make sure you are using the "original" pre-NAT IP addresses for matching in your Access Control policy.  It won't match properly against the post-NAT addresses and will fall to the cleanup rule.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events