cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Domain based IPS exception

Hello, could not find a solution for this. Some users need SSH access with a random port range to a domain based object. Reason is that domain can exist of 200+ IP addresses so domain object makes sense.  From a firewall perspective this works fine. But IPS SSH over Non Standard Ports protection is blocking the connection as it should. However, when I want to make an exception it does not allow the domain object as Destination. Is this indeed a limitation ? That would not make my very happy. Or is there another solution where I don't have to make an exception for Internet or configure all 200 IP addresses (which can change on regular basis)

We are running R80.10 on gateways and R80.20 on Management server.

kind regards,

Mikel

0 Kudos
3 Replies
Highlighted

Re: Domain based IPS exception

Why not make the exception with source user group instead ?

0 Kudos
Highlighted

Re: Domain based IPS exception

That would still mean that for this user group a total exception for this protection ? I prefer to narrow it down so they can ssh to this specific domain on higher ports but not to other environments. So preferably user group as source, domain as destination 

0 Kudos
Highlighted

Re: Domain based IPS exception

Domain objects can only be used in the Access Control policy layers.  They cannot be used in Threat Prevention which includes exceptions.  It is possible to force a domain object into a TP policy via the SmartConsole by creating a brand new one right in the cell of a TP rule/exception, but then this happens:  sk122295: Threat Prevention blades cause problems when the domain object is defined

also

sk124852: Can Domain Objects be used in Geo Protection exceptions?

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos