Vladimir
Champion

Any vs. All_Internet?

I see multiple references imploring admins to use All_Internet instead of *Any.

Looking at the All_Internet object, it contains a range of 0.0.0.0-255.255.255.255.

Does this object possess any kind of hidden property or unique behavior that makes it a better fit for the policy, or is it simply an alias for *Any?

0 Kudos
1 Solution

Accepted Solutions
Daniel_Taney
Advisor

There's additional discussion regarding this topic over in this thread, too, if it helps!

R80 CCSA / CCSE

0 Kudos
4 Replies
Danny
Champion

The All_Internet object is just a simple network address range containing all IPv4 addresses (public and private) per default. From my point of view this is not ideal for using it within a security policy to address the public Internet, which doesn't route private networks.

I suppose it may supersede the Global Properties definition for Non Unique IP Addresses making proper Policy Verification checks harder. However, from my perspective even *Any is not ideal to address the Internet within a security policy because it means Any network, even private ones, all VPNs, Office Mode and everything.

That's why I created a dedicated topic for:

https://community.checkpoint.com/message/10464 

PhoneBoy
Admin

In practical terms, Any and All_Internet are identical.

However, when you try to use HIDE NAT on "Any" source, it doesn't work.

If you use All_Internet as the source, it will work.

See: Fail to perform Manual NAT on source with source "Any" 

There are a couple of other edge cases documented in SK where you would use All_Internet instead of Any. 

Hugo_vd_Kooij
Advisor

Actually that only makes sense in an IPv4 only world.

In the real world this is no longer the case.

0 Kudos
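
Added example, not part of any post in this thread and not Check Point code: a Python sketch of the two points raised above, that the 0.0.0.0-255.255.255.255 range behind All_Internet also covers private networks, and that it covers no IPv6 address at all. The function names are hypothetical, and treating "private" as exactly the RFC 1918 blocks is an assumption.

```python
import ipaddress

# All_Internet as described in the thread: one IPv4 range.
ALL_INTERNET = (ipaddress.IPv4Address("0.0.0.0"),
                ipaddress.IPv4Address("255.255.255.255"))

# Assumption: "private" means the RFC 1918 blocks only; extend the list to
# match your own definition of non-routable space.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_all_internet(addr):
    """True if addr lies inside the All_Internet range (IPv4 only)."""
    ip = ipaddress.ip_address(addr)
    # Check the version first: IPv4 and IPv6 addresses cannot be compared.
    return ip.version == 4 and ALL_INTERNET[0] <= ip <= ALL_INTERNET[1]


def public_ranges(excluded=PRIVATE_BLOCKS):
    """Return (first, last) ranges covering All_Internet minus excluded blocks."""
    ranges = []
    cursor = int(ALL_INTERNET[0])
    last = int(ALL_INTERNET[1])
    for net in sorted(excluded, key=lambda n: int(n.network_address)):
        start, end = int(net.network_address), int(net.broadcast_address)
        if start > cursor:
            ranges.append((ipaddress.IPv4Address(cursor),
                           ipaddress.IPv4Address(start - 1)))
        cursor = max(cursor, end + 1)
    if cursor <= last:  # skipped when an excluded block ends at 255.255.255.255
        ranges.append((ipaddress.IPv4Address(cursor),
                       ipaddress.IPv4Address(last)))
    return ranges


def in_public(addr):
    """True if addr is IPv4 and falls in one of the public ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(lo <= ip <= hi for lo, hi in public_ranges())


if __name__ == "__main__":
    # Constructed sample addresses: private, documentation range, IPv6.
    for sample in ("192.168.1.10", "198.51.100.7", "2001:db8::1"):
        print(sample, in_all_internet(sample), in_public(sample))
    for lo, hi in public_ranges():
        print(f"{lo}-{hi}")
```

The four ranges it prints are what a "public IPv4 only" object would have to contain under that assumption; IPv6 traffic needs its own object either way.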