This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
B_P
Advisor
‎2023-06-21 01:53 PM

sk113479 | Why are packets being allowed that are not in policy?

We see in the firewall logs for an inbound port 22/sftp connection being allowed through -- at least the first packet is (two of them actually, each one a second apart). Not only is it allowed through the firewall, but our host-based firewall on the windows server detected the connection as well. The problem: we don't allow this ip/port combo through the firewall.

In the firewall log we see "Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed" and a reference to sk113479. But the question is -- why is even one packet getting through when there's nothing even related to this type of connection?

I understand that if the firewall sees a possible match it might do this, but I don't see how that would be the case with our policy and especially with the limited inbound connections we have. As much as I love seeing packets coming from a VPN server on the other side of the world being let through into our network, is there a way to prevent it?

Gateway is running R81.10.

0 Kudos
11 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-06-21 04:53 PM

Do you have the protocol signatures option enabled? e.g.

proto (1).jpg

Reviewing the issue with TAC might also be appropriate in terms of the level of detail you're happy to share.

CCSM R77/R80/ELITE
0 Kudos
B_P
Advisor
‎2023-06-22 10:25 AM
In response to Chris_Atkinson

There are two firewall rules related to the public IP I'm seeing this activity on. One is a custom TCP port and the other does not have "Protocol Signature" enabled. Do we know if it is where "Protocol Signature" is enabled on any service in any rule in the policy then it behaves this or does it also have to be related to the IP's involved?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-22 10:26 AM

Most likely the rules that "potentially match" are not specific enough or include things that invoke App Control.
Can we see ALL the "potential match" rules in your rulebase for this traffic?

0 Kudos
B_P
Advisor
‎2023-06-22 02:46 PM
In response to PhoneBoy

I'm surprised with our current multi-layer rulebase, it's not enough logical separation to avoid this. I'm not seeing anything that would be a "potential match" until you get down into sub-layers that would have filtered out this traffic simply from the child's parent layer.

My rule base is essentially:

1 Source: Internet IPs (New Layer)

  - 1.1 Allow rules

2 Source: Internal IPs (New Layer)

  - 2.1 Allow rules

So what you're saying is that because I have "potential matches" on the 2.1 rules for something coming from the internet (because source may be blank on those or destination is an application like Facebook) then it's going to allow traffic from the internet like it was in the 1.1 layer?. That seems pretty wild to me.

What if I took all the inbound internet rules and put them in their own ordered Access Control layer like what was done for GEO IP? Would that be enough of a logical separation for the engine to not evaluate other stuff in the main layer?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-22 03:53 PM
In response to B_P

Rules with "Any" service shouldn't cause this, it's rules that involve App Control/URL Filtering services.
We would need to see the exact rules involved (including the top-level rules leading to nested layers) in order to assist.
This might be better done through the TAC: https://help.checkpoint.com or possibly your Check Point SE.

0 Kudos
B_P
Advisor
‎2023-08-02 06:50 AM

Just a follow-up, we duplicated out our Source Internet rules to its own ordered layer without App & URL filtering enabled on it and it started blocking traffic normally. "Duplicated" because we still had to leave the rules in the final ordered layer to Allow acceptable traffic.

🚩 CPNotEnoughDataForRuleMatch does not mean only a few packets were let through for traffic identification.............. For example with FTP (Protocol Signature not checked), full authentication with the service can happen before the gateway steps in and blocks it like it should. We saw '230 Login OK' packets being sent back and the gateway was logging a block.............

It also advertises to the public that you have publicly reachable services even though the firewall is set to whitelist source IPs.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-21 03:56 PM
In response to B_P

This speaks to the services used in the relevant rules.

In a Firewall only layer, the only valid services are ones that can be matched on the first packet (TCP/UDP services).
If you use App Control/URLF services, those services may require multiple packets to match (or not).
Note that the service FTP is a "simple" service, even though it has an INSPECT handler associated.

B_P
Advisor
‎2023-08-25 09:33 AM
In response to PhoneBoy

Yeah -- so if anyone publishes services out to the Internet and their firewall policy has App Control/URLF enabled -- they are susceptible to attacks from the general public regardless if they have a source restriction defined or not.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-25 04:25 PM
In response to B_P

It depends on the construction of the policy.

0 Kudos
B_P
Advisor
‎2023-08-29 10:02 AM
In response to PhoneBoy

Can you expand on that?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-29 02:29 PM
In response to B_P

It comes down to the exact “services” or “applications” that are used in the relevant rules involving the same source and destination.
This is relevant due to the column-based matching used to evaluate the rulebase: https://community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/td-p/9888
A service like SSH or https will match on the first packet.
A “service” like Gmail cannot be identified on the first packet and will require several packets to be permitted before a final decision is made.

Order of the rules matters as well.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events