This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-07-19 09:59 AM

Traffic does not match with explicit rule

Hello, Team

I have the following scenario, which I would like to clarify my doubt.

I have a Cluster R81.10

We have a publication of a service, so that from the Internet (From certain public IPs, can access our service pointing to a TCP port 1122)

The problem I see is that the traffic is not doing MATCH with the first explicit rule that I have, which has the #585, but is doing MATCH with a rule that is below with #594, and I do not understand the "why", because the first rule has a "custom" group where we are explicitly declaring the IP that we want to connect to our server, but for some reason, the traffic "ignores" the first rule, and goes to the rule that is below.

R3.pngR2.pngR1.png

Is this a normal behavior? Is it something that can be corrected?

The purpose is that the traffic makes MATCH with the 585.

I hope you can support me with your point of view.

Greetings.

0 Kudos
12 Replies
the_rock
MVP Diamond
MVP Diamond
‎2023-07-19 10:24 AM

The reason I see is that one has source any.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-19 10:34 AM
In response to the_rock

Buddy,

 

But rule #585, is much more explicit than rule #594, other than that, it is more "up" in the rulebase.

 

I don't see the logic in it. 😕

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-19 10:48 AM
In response to Matlu

K, so whats the source IP you are coming from and is it included in that group in rule 585?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-19 10:55 AM
In response to the_rock

Rule #585, has as its origin a general group.
The group is called GRP_SFTP_200.48.202.52.

Within this group, there are several additional "subgroups", 1 of them is the group GRP_RE, in which there are several public IPs to which we are allowing access to our public one.

R3.png

 

R1.png

So, I do not understand why the traffic "ignores" this rule, and goes to the rule that has as origin an ANY.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-19 10:58 AM
In response to Matlu

Maybe try disable,re-enable rule,push policy and test. Otherwise, try below example

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-19 11:00 AM
In response to the_rock

That's like a Cisco Packet-Tracert, isn't it?

To validate the rule for certain traffic?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-19 11:05 AM
In response to Matlu

Sort of...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-19 11:11 AM
In response to the_rock

I got almost the same result as what can be seen by the SmartConsole.

R4.png

As I interpret it, it first "matches" rule #585.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-19 11:45 AM
In response to Matlu

Thats what it shows, right...BUT, as I said, if it fails, I would try what I found to be easy fix in the past. Disable rule 585, push policy, re-enable, push policy. If that fails, disable rule 594, push policy and test. Does traffic get dropped?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-19 05:12 PM
In response to the_rock

We have not observed "traffic down", but for auditing purposes, the traffic should match the rule that has been defined for it (Rule #585).

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-19 05:24 PM
In response to Matlu

I agree bro, you are 100% right. I cant see why its not catching that rule, UNLESS there is some sort of nat or something causing it. If not, then I would get in touch with TAC to solve it via remote session. Before that, try my suggestion and see what happens.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-20 05:30 AM

This is probably going to require the TAC to investigate.
https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events