This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kim_Moberg
Advisor
‎2021-01-15 12:47 PM

Error while using inline layers

Hi CheckMates,

I hope you are able to assist me. I am getting crazy working with inline layers. Therefore I have temporary moved to the classical rules based firewall rules.

Errors I see while using inline layers are shown in the smartevent indexed log.

I have tried to build a fw rule uing inline layers.

id SourceDestinationServices & AppActionTrack
10 OOB-NETWORKOOB-NETWORKanyOOB-internaln/a
10.1 anyAAA-Servers[AAA-Services]ALLOWLOG
10.2 anyayanyDROPLOG
11 ANYOOB-NETWORKanyOOB-incomingn/a
11.1 anyAAA-Server

RDP

ICMP-REQUEST

ALLOWLOG
12 OOB-NETWORLanyanyOOB-Outgoingn/a
12.1      
12.2 anyanyanyDROPLOG

 

When I look into SmartEvent logs 

Sometimes I get a hit on the rule base lets say 10.1 but other time it says 2.1.

I cannot figure out why it atually tells me it touches rules 10.1 and second line in the layer it drops on 2.1? Where comes the rule 2.1 because it doesn't exist.

 

I am running VSEC on VM with R81 take 10 and SMS runs R81 Take 10.

Is it a bug when it writes 2.1 or is it me configuring inline layers wrongly?

 

This one error.

inline error.png

This one is okay.

inline okay.png

  Hope you CheckMates can give me some hints were to look. Expect to contact TAC next week but maybe you guys have an idea of what is going on.

 

Best Regards
Kim
2 Replies
PhoneBoy
Admin
Admin
‎2021-01-15 08:09 PM

I’ve seen this happen before and I don’t think it’s a wrong configuration.
What I’m curious about (and maybe @Dan_Zada or others know) is whether the rule number is “calculated” when shown or stored with the log. 
A TAC case is definitely in order.

Kim_Moberg
Advisor
‎2021-01-17 06:03 AM
In response to PhoneBoy

Hi Dameon 

I have created a TAC case and I have already collected logs and db export and uploaded to TAC so they could play with the rules,

Best Regards
Kim
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events