pkroupod
Employee

Implied Rules

Let's talk about implied rules, and let's focus specifically on policy installation traffic which happens over port 18191. Let's look at the following diagram that I have attached.

Once I establish SIC with the NY cluster, it will create multiple implied rules; one of them will allow traffic over port 18191 from 10.0.0.100 (my management server) to the cluster (though please confirm whether the implied rules get created after establishing SIC).

So what I want to know is this: once I establish SIC with PhilK-Center-GW, will the management server update the implied rules on the NY-Cluster, saying to allow traffic over port 18191 from 10.0.0.100 to 200.0.1.5? This can be easily confirmed by looking at the source code, but I hope there's somebody that knows this well. 

Note: the gateways have the same policy, and it does not include any rules for port 18191. I am able to install policy to all gateways, so I want to know what happens behind the scenes.

I politely ask you to be clear, descriptive and concise with your answers please.

[Attached diagram: network.PNG]

PhoneBoy
Admin

Implied rules are calculated as part of the policy installation process.
It would make sense that, in the case of TCP port 18191 from the management IP in particular, this would be allowed to ANY destination for the purposes of installing policy.
This would facilitate the exact situation you describe (managing a gateway with other gateways you manage in the path).

pkroupod
Employee

Hi PhoneBoy,

I see there's a way in SmartConsole to view implied rules. It's weird that it's within the access control policy section, since I thought it was per gateway (and per any other device managed by a management server). Also, in the implied rules table for CPD I see an object called IPS-1 Sensor; what is that object?

PhoneBoy
Admin

Many of the implied rules are generic enough to apply to all managed gateways.
The visualization of those rules as part of the Access Policy made a lot more sense when there was only effectively one rulebase layer.

IPS-1 Sensor refers to a standalone IPS product that was formerly the NFR Security Sentivist product line.
We acquired NFR Security in 2007 and renamed the product IPS-1.
Lari_Luoma
Employee

Hi!

Implied rules don't have anything to do with SIC. Once you enable "Accept Control Connections" and some other features in Global Properties, the implied rules are created on every policy in the management. They are global, and as far as I know there is no way of defining gateway-specific implied rules. However, to change the behavior of the implied rules you can modify the implied_rules.def file on the management server.

See the below SK for details:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Also see the below discussion in Check Mates:

https://community.checkpoint.com/t5/Policy-Management/How-are-implied-rules-implemented-with-a-multi...

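To make the two answers above concrete (PhoneBoy's point that control connections from the management IP are accepted to ANY destination, and Lari's point that the implied rules are global to the policy rather than per gateway), here is an added toy model of the evaluation order; it is not Check Point code. It assumes "Accept Control Connections" contributes a single implied First rule for TCP 18191, uses the thread's addresses (10.0.0.100 and 200.0.1.5), and a constructed explicit rulebase with no 18191 rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not Check Point code): implied "First" rules are evaluated
# before the explicit rulebase on every gateway that receives the policy.
MGMT = "10.0.0.100"          # management server from the thread
REMOTE_GW = "200.0.1.5"      # PhilK-Center-GW from the thread
POLICY_INSTALL_PORT = 18191  # CPD, used for policy installation

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str          # "accept" or "drop"

def _addr_match(field: str, value: str) -> bool:
    return field == "any" or ipaddress.ip_address(value) in ipaddress.ip_network(field, strict=False)

def rule_matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
            and rule.proto in ("any", proto) and rule.port in (None, port))

# What "Accept Control Connections" contributes, as described in the thread:
# management -> ANY destination on TCP 18191 (assumption: only this rule is modelled).
IMPLIED_FIRST = [Rule("implied: control connections", f"{MGMT}/32", "any", "tcp", POLICY_INSTALL_PORT, "accept")]

# Constructed explicit rulebase shared by all gateways; no rule mentions 18191.
EXPLICIT = [
    Rule("LAN to Internet HTTPS", "10.0.0.0/24", "any", "tcp", 443, "accept"),
    Rule("Cleanup", "any", "any", "any", None, "drop"),
]

def evaluate(src, dst, proto, port, implied_first=IMPLIED_FIRST, explicit=EXPLICIT):
    """First match wins; implied First rules are consulted before the explicit rulebase."""
    for rule in implied_first + explicit:
        if rule_matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return "drop", "implicit drop"

def policy_install_survives_without_implied(explicit=EXPLICIT) -> bool:
    """The check to run before disabling Accept Control Connections: would the
    explicit rulebase alone still accept management -> gateway on 18191?"""
    return evaluate(MGMT, REMOTE_GW, "tcp", POLICY_INSTALL_PORT, implied_first=[], explicit=explicit)[0] == "accept"

if __name__ == "__main__":
    print(evaluate(MGMT, REMOTE_GW, "tcp", POLICY_INSTALL_PORT))        # accepted by the implied rule
    print(evaluate("10.0.0.50", REMOTE_GW, "tcp", POLICY_INSTALL_PORT))  # non-management host hits Cleanup
    print(policy_install_survives_without_implied())                    # False for this rulebase
```

Because the implied rule matches on any gateway the policy is installed on, the NY cluster forwards the 10.0.0.100 -> 200.0.1.5 install connection even though the explicit rulebase never mentions 18191.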