Is there a way to disable verification of a clean up rule?
I would like to have a way to have a global "OMG" policy that is super limited in access that I could apply to a CMA. The idea is this global policy is all pre rules (meaning they apply above local policy not below) that say allow x y z and then drop everything else (clean up rule here). This way everything in local policy is dropped as well.
When I go into OMG mode we reassign and deploy. When we're done with OMG mode we apply the old global policy and local policy kicks back in.
Maybe there is a better way to think of it, but I'm pretty gassed at the moment. BTW none of the gateways in question are above R77.30.
Why not just do ip_p >= 1?
That should cover TCP, UDP, and pretty much anything else for that matter.
Maybe use All_Internet instead of Any in the global rule?
I'll try that tomorrow!
Dang it... it's already tomorrow. I'll try that later today.
No dice! That being said, it looks like I can do an any/any ANY_Service group drop and pass a rule validation.
However, it looks like there isn't an easy way to say "any service" in the service group. I can add range objects for TCP and UDP, but it seems like I would have to make "Other" objects for each IP protocol number.
I guess there is a way to do an inspect rule for a protocol range, just don't know the syntax at the moment.
Sounds pretty kludgy.
> Why not just do ip_p >= 1?
> That should cover TCP, UDP, and pretty much anything else for that matter.
Yeah, I was looking at IP filter examples and thought that was a function that required a protocol number, but not so much.
I ended up doing ip_p >= 0
And it works fine. I can deploy a drop any any Any_Protocol rule in the middle of global policy now.
One downside is everything dropped is listed as Any_Protocol (protocol/service) but I can live with that I think.
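To make the thread's design concrete, here is an added toy rule-base evaluator (example code written for this page, not Check Point's own code or INSPECT engine). It models a global policy whose pre-rules allow a short list of services and then drop everything else with a service whose match expression is `ip_p >= 0`, so the local rules below it can never match. The three service predicates mirror the expressions discussed above: a TCP+UDP range group, `ip_p >= 1`, and `ip_p >= 0`. Packet tuples, addresses and rule names are constructed; how the real product verifies cleanup rules or logs the matched service is not reproduced.

```python
"""Toy rule-base evaluator for the 'global pre-rules + drop everything' idea.

Added example, not Check Point code. The service predicates stand in for
INSPECT match expressions; packets, addresses and rule names are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_p: int                     # IP protocol number (1 ICMP, 6 TCP, 17 UDP, 47 GRE, ...)
    dport: Optional[int] = None   # destination port, only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "accept" or "drop"
    service: Callable[[Packet], bool]    # service match predicate
    src: str = "Any"
    dst: str = "Any"


# --- service definitions from the thread -----------------------------------
def tcp_udp_ranges(pkt: Packet) -> bool:
    """Service group holding a TCP port range and a UDP port range only."""
    return pkt.ip_p in (6, 17)


def any_protocol_ge1(pkt: Packet) -> bool:
    """'Other' service with match expression ip_p >= 1."""
    return pkt.ip_p >= 1


def any_protocol_ge0(pkt: Packet) -> bool:
    """'Other' service with match expression ip_p >= 0 (what the OP deployed)."""
    return pkt.ip_p >= 0


def tcp_port(port: int) -> Callable[[Packet], bool]:
    """Plain TCP service object for a single destination port."""
    return lambda p: p.ip_p == 6 and p.dport == port


def uncovered_protocols(service: Callable[[Packet], bool]) -> List[int]:
    """IP protocol numbers (0-255) that a service predicate would NOT match."""
    return [n for n in range(256) if not service(Packet("a", "b", n))]


# --- rule base -------------------------------------------------------------
def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; implicit drop if nothing matches."""
    for rule in rulebase:
        if (rule.src in ("Any", pkt.src)
                and rule.dst in ("Any", pkt.dst)
                and rule.service(pkt)):
            return rule.name, rule.action
    return "implicit-cleanup", "drop"


# Global pre-rules: allow management SSH to one host, then drop everything.
GLOBAL_PRE = [
    Rule("omg-allow-mgmt-ssh", "accept", tcp_port(22), dst="10.0.0.10"),
    Rule("omg-drop-everything", "drop", any_protocol_ge0),
]

# Local (CMA) rules that sit below the global pre-rules and become unreachable.
LOCAL = [
    Rule("local-allow-web", "accept", tcp_port(443)),
    Rule("local-allow-gre", "accept", lambda p: p.ip_p == 47),
]


def omg_policy() -> List[Rule]:
    """Global pre-rules followed by the local policy, as the OP described."""
    return GLOBAL_PRE + LOCAL


def normal_policy() -> List[Rule]:
    """Local policy alone, as it behaves once the old global policy is reassigned."""
    return LOCAL


if __name__ == "__main__":
    samples = [
        Packet("10.1.1.1", "10.0.0.10", 6, 22),    # mgmt SSH
        Packet("10.1.1.1", "10.0.0.20", 6, 443),   # web, allowed locally
        Packet("10.1.1.1", "10.0.0.20", 47),       # GRE, allowed locally
        Packet("10.1.1.1", "10.0.0.20", 0),        # protocol 0 (HOPOPT)
    ]
    for pkt in samples:
        print(pkt.ip_p, pkt.dport, evaluate(omg_policy(), pkt), evaluate(normal_policy(), pkt))
    for svc in (tcp_udp_ranges, any_protocol_ge1, any_protocol_ge0):
        print(svc.__name__, "misses", len(uncovered_protocols(svc)), "protocol numbers")
```

Running it shows the web and GRE traffic that the local rules would accept being stopped by `omg-drop-everything` while the pre-rules are in place, and passing again under the local policy alone. The protocol sweep is the reason `ip_p >= 0` is the better cleanup expression: `ip_p >= 1` leaves protocol number 0 unmatched, and a TCP+UDP range group leaves 254 protocol numbers unmatched.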