Christoph
Collaborator

Internet Object ignoring host with presumed network address

Hello,

Stumbled upon this today.

There is a layer (match on src), with the following rule:

src: internal_network   dst: Internet (the Application Control one)   service: any   action: allow

Android device connects to time.google.com:
time.google.com.        2941    IN      A       216.239.35.0
time.google.com.        2941    IN      A       216.239.35.4
time.google.com.        2941    IN      A       216.239.35.12
time.google.com.        2941    IN      A       216.239.35.8

216.239.35.4, 216.239.35.12 and 216.239.35.8 match the rule; 216.239.35.0 gets ignored and goes into the cleanup rule.

The All_Internet object (0.0.0.0 - 255.255.255.255) matches 216.239.35.0.

System is running R81.20 JHF Take 24. Has anyone seen such behavior? Bug or feature? This feels like a bug.

9 Replies
Chris_Atkinson
MVP Gold CHKP

What is the source IP address? Are you able to share a screenshot of the redacted log card?

CCSM R77/R80/ELITE
Christoph
Collaborator

Source address is 192.168.118.0/23 (and multiple other networks) in a group.

I will attach one log with a working connection (layer 421.11) and the one that went into the cleanup (layer 421.12). In addition you will find the quite simplistic rule.

As said before, I got hits for all time.google.com IPs, except the one with the .0.

[attached screenshots: the Drop log card, the Allow log card and the rule]

Christoph
Collaborator

Tried this on a totally different firewall, also R81.20. Same result.

[attachment: 13-02-2024_12-26-3.png]

Chris_Atkinson
MVP Gold CHKP

Thanks, the issue is clearer now. If you have already opened an SR with TAC, could you please share it via DM?

CCSM R77/R80/ELITE
Christoph
Collaborator

I haven't opened an SR yet, but will probably do so and keep you posted.

_Val_
Admin

The Internet object is not all IP addresses, but only those that do not belong to the GW's internal networks. Also, the address ending with 0 is a network address, not an Internet IP address, according to RFC.

I agree with you, Google uses it as a host address, but it does not make it less wrong 🙂 Is it critical for you that connectivity to that address should be allowed? If yes, you can change the Internet object to Any; that should do the trick, I hope.

Christoph
Collaborator

Hello Val,

@_Val_ wrote:

> ... Also, the address ending with 0 is a network address, not an Internet IP address, according to RFC.

I would be very happy to see this RFC.
Assuming your statement is correct, what are the IPs of the network 192.168.1.0/31 or 192.168.1.254/31?

Classful networking has been dead for decades :)

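The two questions in this thread, whether an address ending in .0 is a host address under CIDR and what a destination object defined as "everything that is not an internal network" should match, can be checked mechanically. The following is an added example written for this page, not code from the thread or from Check Point. It models the Internet object as "any address not covered by the gateway's internal networks" and checks the .0 address under CIDR (RFC 4632) and /31 (RFC 3021) rules. The DNS answers and the 192.168.118.0/23 internal network are taken from the thread; the parent prefix 216.239.34.0/23 used to test the .0 address is a constructed, hypothetical prefix, not Google's real allocation.

```python
import ipaddress

# Constructed from the thread: the A records posted for time.google.com and
# the internal network given as the source. Both are sample data for this example.
TIME_GOOGLE_IPS = ["216.239.35.0", "216.239.35.4", "216.239.35.12", "216.239.35.8"]
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.118.0/23")]


def is_host_address(ip: str, prefix: str) -> bool:
    """Return True if `ip` is a usable host address inside `prefix` under CIDR rules.

    Only the first (network) and last (broadcast) addresses of a block are reserved,
    and only for prefixes shorter than /31. In a /31 (RFC 3021) and a /32 every
    address is a host address. Whether the last octet happens to be 0 is irrelevant.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return False
    if net.prefixlen >= 31:
        return True
    return addr not in (net.network_address, net.broadcast_address)


def any_object_matches(ip: str) -> bool:
    """Model of the 'Any' destination: every address matches."""
    ipaddress.ip_address(ip)  # validates the input
    return True


def internet_object_matches(ip: str, internal_networks) -> bool:
    """Model of an 'Internet' destination object as described in the thread:
    every address that does not belong to the gateway's internal networks.

    This is the behaviour one would expect; it deliberately has no special case
    for addresses ending in .0, so 216.239.35.0 is treated like any other address.
    """
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_networks)


def rule_hits(ips, internal_networks) -> dict:
    """Evaluate the thread's rule (dst = Internet) against a list of destinations."""
    return {ip: internet_object_matches(ip, internal_networks) for ip in ips}


if __name__ == "__main__":
    for ip, hit in rule_hits(TIME_GOOGLE_IPS, INTERNAL_NETWORKS).items():
        print(f"{ip:>15}  Internet-object match: {hit}")
    # The /31 question from the thread: both addresses are hosts.
    for ip in ("192.168.1.0", "192.168.1.1"):
        print(f"{ip} in 192.168.1.0/31 is host: {is_host_address(ip, '192.168.1.0/31')}")
    # A .0 address in the middle of a larger block (hypothetical /23) is a plain host.
    print("216.239.35.0 in 216.239.34.0/23 is host:",
          is_host_address("216.239.35.0", "216.239.34.0/23"))
```

If a gateway that implements the Internet object as described returns False for 216.239.35.0 while this model returns True, the discrepancy is in the gateway's matching, which is the point Val concedes in the next reply.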
_Val_
Admin

Your argument is not wrong. Considering you definitely can define a host object ending with .0, I would suggest you open a TAC request. There might be a bug in the Internet object that misses .0 addresses.

the_rock
MVP Gold

I think this is a common mistake people make; I did it many times as well. So, Internet in this context would only represent the EXTERNAL world, while Any includes both internal AND external.

Andy
