bcleve1982
Explorer

Core Inspection triggers before Access Rules?

Hello all.  I use email alerts for the "Small PMTU" protection so it emails me whenever one is triggered, so I can then add them to a blocklist.  I created a group object that contains all of the blocked IPs and I use that throughout my rulebase.  The problem is, I keep getting emails even from those I have already blocked.  I do not want this, so I created an Access Rule #1 that blocks all traffic from the Rejected_Hosts object.  I still receive email alerts from IPs I have already blocked.  Logs are showing that it is being triggered by the Small PMTU protection and not by Access Rule #1.

I did some searching and found out that, somewhat recently, core inspections were now part of the Access Rules.  I'm assuming these are somewhere in the implied rules?  My end goal is to have only new offenders trigger the alert and not currently blocked users.  Any ideas?


Accepted Solutions
PhoneBoy
Admin

Actually, the fact Core Protections are done in the firewall is not new.
They've always been done prior to Access Rules (firewall rules in R77.30 and earlier).

As to your specific question, I don't believe there is a function to log/alert only on new IPs. 

bcleve1982
Explorer

Thank you for the response.  Is there a way, via exceptions, that I could exclude the "Rejected_hosts" group from triggering email alerts?  Couldn't I have, under the default profile, email alerts for Small PMTU but create an exception for the Rejected_hosts group?  Wouldn't that prevent the group from triggering the alert altogether but they should be rejected by the access rule at that point?

PhoneBoy
Admin

Exceptions can only be used to exclude certain hosts from enforcement, not from the logging of said enforcement. 
Assuming Rejected_Hosts has the hosts you want to block anyway, that seems like a logical approach to solve the issue.
