This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Fleming
Advisor
‎2022-03-21 09:25 PM

Disable verification of clean up rule - MDM - Global rules

Jump to solution

Is there a way to disable verification of a clean up rule?

I would like to have a way to have a global "OMG" policy that is super limited in access that I could apply to a CMA. The idea is this global policy is all pre rules (meaning they apply above local policy not below) that say allow x y z and then drop everything else (clean up rule here). This way everything in local policy is dropped as well.

When i go into OMG mode we reassign and deploy. When we're done with OMG mode we apply old global policy and local policy kicks back in.

Maybe there is a better way to think of it, but I'm pretty gassed at the moment. BTW none of the gateways in question are above R77.30.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-03-22 06:29 PM
In response to John_Fleming

Jump to solution

Why not just do ip_p >= 1?
That should cover TCP, UDP, and pretty much anything else for that matter.

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2022-03-21 09:43 PM

Jump to solution

Maybe use All_Internet instead of Any in the global rule?

John_Fleming
Advisor
‎2022-03-21 09:50 PM
In response to PhoneBoy

Jump to solution

I'll try that tomorrow!

Dang it.. its already tomorrow. I'll try that later today.

John_Fleming
Advisor
‎2022-03-22 07:55 AM
In response to PhoneBoy

Jump to solution

No dice! That being said it looks like I can do a any any ANY_Service group drop and pass a rule validation.

However it looks like there isn't an easy to say any service in the service group. I can add range objects for tcp and udp, but it seems like would have to make "other" objects for each IP protocol number.

I guess there is a way to do an inspect rule for a protocol range, just don't know the syntax at the moment.

Sounds pretty kludgy. 

PhoneBoy
Admin
Admin
‎2022-03-22 06:29 PM
In response to John_Fleming

Jump to solution

Why not just do ip_p >= 1?
That should cover TCP, UDP, and pretty much anything else for that matter.

0 Kudos
John_Fleming
Advisor
‎2022-03-23 10:30 AM
In response to PhoneBoy

Jump to solution

yeah, I was looking at ip filter examples and thought that was a function that required a protocol number, but not so much. 

I ended up doing ip_p >= 0

And it works fine. I can deploy a drop any any Any_Protocol rule in the middle of global policy now.

One downside is everything dropped is listed as Any_Protocol (protocol/service) but I can live with that I think.

0 Kudos