Vladimir
Champion

Any vs. All_Internet?

I see multiple references imploring admins to use All_Internet instead of *Any.

Looking at the All_Internet object, it contains a range of 0.0.0.0-255.255.255.255.

Does this object possess any kind of hidden property or unique behavior that makes it a better fit for the policy, or is it simply an alias for *Any?


Accepted Solutions
Daniel_Taney
Advisor

There's additional discussion regarding this topic over in this thread, too, if it helps!

R80 CCSA / CCSE

Danny
Champion

The All_Internet object is just a simple network address range containing all IPv4 addresses (public and private) by default. From my point of view this is not ideal for using it within a security policy to address the public Internet, which doesn't route private networks.

I suppose it may supersede the Global Properties definition for Non Unique IP Addresses making proper Policy Verification checks harder. However, from my perspective even *Any is not ideal to address the Internet within a security policy because it means Any network, even private ones, all VPNs, Office Mode and everything.

That's why I created a dedicated topic for:

https://community.checkpoint.com/message/10464 

PhoneBoy
Admin

In practical terms, Any and All_Internet are identical.

However, when you try to use HIDE NAT on "Any" source, it doesn't work.

If you use All_Internet as the source, it will work.

See: Fail to perform Manual NAT on source with source "Any" 

There are a couple of other edge cases documented in SK where you would use All_Internet instead of Any. 

Hugo_vd_Kooij
Advisor

Actually that only makes sense in an IPv4 only world.

In the real world this is no longer the case.

Miracles happen while you wait. The impossible jobs take just a bit longer.
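
An added illustration (not part of the thread and not Check Point code) of two points made in the replies above: the 0.0.0.0-255.255.255.255 range quoted for All_Internet matches RFC 1918 private addresses, and it matches no IPv6 address. It also splits that range into the pieces left once RFC 1918 space is excluded. Treating RFC 1918 as the only non-public space is an assumption, and the function names and sample addresses are made up for this example.

```python
import ipaddress

# Range the thread quotes for the All_Internet object.
FIRST = ipaddress.IPv4Address("0.0.0.0")
LAST = ipaddress.IPv4Address("255.255.255.255")

# RFC 1918 private blocks. Assumption for this example: these are the only
# addresses to carve out; other special-purpose ranges are not handled.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_all_internet(addr):
    """True if addr falls inside the 0.0.0.0-255.255.255.255 range."""
    ip = ipaddress.ip_address(addr)
    # An IPv6 address can never fall inside an IPv4 range object.
    return ip.version == 4 and FIRST <= ip <= LAST


def public_ranges(first=FIRST, last=LAST, exclude=RFC1918):
    """Split [first, last] into the sub-ranges left after removing `exclude`."""
    ranges, cursor = [], int(first)
    for net in sorted(exclude, key=lambda n: int(n.network_address)):
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if hi < cursor or lo > int(last):
            continue  # block lies outside what is left of the range
        if lo > cursor:
            ranges.append(f"{ipaddress.IPv4Address(cursor)}-{ipaddress.IPv4Address(lo - 1)}")
        cursor = max(cursor, hi + 1)
    if cursor <= int(last):
        ranges.append(f"{ipaddress.IPv4Address(cursor)}-{last}")
    return ranges


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    for sample in ("10.1.2.3", "192.168.1.10", "8.8.8.8", "2001:db8::1"):
        print(f"{sample:15} in All_Internet range: {in_all_internet(sample)}")
    for r in public_ranges():
        print("non-RFC1918 range:", r)
```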