This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Fleming
Advisor
‎2022-03-21 09:25 PM
Jump to solution

Disable verification of clean up rule - MDM - Global rules

Is there a way to disable verification of a clean up rule?

I would like to have a way to have a global "OMG" policy that is super limited in access that I could apply to a CMA. The idea is this global policy is all pre rules (meaning they apply above local policy not below) that say allow x y z and then drop everything else (clean up rule here). This way everything in local policy is dropped as well.

When i go into OMG mode we reassign and deploy. When we're done with OMG mode we apply old global policy and local policy kicks back in.

Maybe there is a better way to think of it, but I'm pretty gassed at the moment. BTW none of the gateways in question are above R77.30.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-03-22 06:29 PM
In response to John_Fleming
Jump to solution

Why not just do ip_p >= 1?
That should cover TCP, UDP, and pretty much anything else for that matter.

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2022-03-21 09:43 PM
Jump to solution

Maybe use All_Internet instead of Any in the global rule?

John_Fleming
Advisor
‎2022-03-21 09:50 PM
In response to PhoneBoy
Jump to solution

I'll try that tomorrow!

Dang it.. its already tomorrow. I'll try that later today.

John_Fleming
Advisor
‎2022-03-22 07:55 AM
In response to PhoneBoy
Jump to solution

No dice! That being said it looks like I can do a any any ANY_Service group drop and pass a rule validation.

However it looks like there isn't an easy to say any service in the service group. I can add range objects for tcp and udp, but it seems like would have to make "other" objects for each IP protocol number.

I guess there is a way to do an inspect rule for a protocol range, just don't know the syntax at the moment.

Sounds pretty kludgy. 

PhoneBoy
Admin
Admin
‎2022-03-22 06:29 PM
In response to John_Fleming
Jump to solution

Why not just do ip_p >= 1?
That should cover TCP, UDP, and pretty much anything else for that matter.

0 Kudos
John_Fleming
Advisor
‎2022-03-23 10:30 AM
In response to PhoneBoy
Jump to solution

yeah, I was looking at ip filter examples and thought that was a function that required a protocol number, but not so much. 

I ended up doing ip_p >= 0

And it works fine. I can deploy a drop any any Any_Protocol rule in the middle of global policy now.

One downside is everything dropped is listed as Any_Protocol (protocol/service) but I can live with that I think.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events