This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christoph
Collaborator
‎2024-02-13 02:46 AM

Internet Object ignoring host with presumed network address

Hello,

stumbled about this today.

There is a layer (match on src), with the following rule:

src: internal_network dst: Internet (The Application Control one) service:any action:allow

Android device connects to time.google.com

 

 

time.google.com.        2941    IN      A       216.239.35.0
time.google.com.        2941    IN      A       216.239.35.4
time.google.com.        2941    IN      A       216.239.35.12
time.google.com.        2941    IN      A       216.239.35.8

 

 


216.239.35.4; 216.239.35.12M; 216.239.35.8 match the rule 216.239.35.0 gets ignored and goes into the cleanup rule.

The All_internet (0.0.0.0 - 255.255.255.255) matches 216.239.35.0

System is running R81.20 JFHA 24. Anyone has seen such a behavior. Bug or feature?  This feels like a bug.

0 Kudos
9 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-02-13 02:55 AM

What is the source IP address, are you able to share a screenshot of the redacted log card?

CCSM R77/R80/ELITE
0 Kudos
Christoph
Collaborator
‎2024-02-13 03:11 AM
In response to Chris_Atkinson

Source address is 192.168.118.0/23 (and multiple other networks) in a group.

I will attach one log with a working connection (layer 421.11) and the one that went into the cleanup (layer 421.12). In addition you will find the quite simplistic rule.

As said before, I got hits for all time.google.com IPs, except the one with the .0.

 

DropDropAllowAllowRuleRule

0 Kudos
Christoph
Collaborator
‎2024-02-13 03:36 AM
In response to Christoph

Tried this on a totally different firewall, also R81.20. Same result.

 

13-02-2024_12-26-3.png

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-02-13 03:55 AM
In response to Christoph

Thanks the issue is clearer, if you have already opened an SR with TAC could you please share it via DM?

CCSM R77/R80/ELITE
0 Kudos
Christoph
Collaborator
‎2024-02-13 04:48 AM
In response to Chris_Atkinson

I haven't opened an SR yet, but will probably do so and keep you posted.

0 Kudos
_Val_
Admin
Admin
‎2024-02-13 05:59 AM
In response to Christoph

Internet object is not all the IP addresses but those that do not belong to the GW's internal networks. Also, the address ending with 0 is a network address, not an Internet IP address, according to RFC.

I agree with you, Google uses it as a host address, but it does not make it less wrong 🙂 Is it critical for you that connectivity to that address should be allowed? If yes, you can change Internet object to Any, that should do the trick, I hope.

0 Kudos
Christoph
Collaborator
‎2024-02-13 06:53 AM
In response to _Val_

Hello Val,

@_Val_ wrote:

... Also, the address ending with 0 is a network address, not an Internet IP address, according to RFC.

I would be very happy to see this RFC.
Assuming your statement is correct, what are the IPs of the network 192.168.1.0/31 or 192.168.1.254/31

Classful networking is dead for decades:)

0 Kudos
_Val_
Admin
Admin
‎2024-02-14 12:50 AM
In response to Christoph

Your argument is not wrong. Considering you definitely can define a host object ending with .0, I would suggest you open a TAC request. There might be a bug in Internet object that misses .0 addresses.

 

the_rock
MVP Gold
MVP Gold
‎2024-02-13 06:01 AM

I think this is common mistake people make, I did it many times as well. So, Internet in this context would only represent EXTERNAL world, while any includes both internal AND external.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events