This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nüüül
Advisor
Advisor
‎2023-08-07 04:35 AM

Ordered Layers - Logging shows wrong Access Rule/Layer

Hi,

 

while testing ordered layers for a customer, i ran over a behaviour i cannot explain to myself - perhaps someone else can (?):

at top layer:

Accept communication "any to any with any service" but "tracking: none"

(cleanup rule of a small policy to block traffic from/to defined ips)

subordinated layer:

communication is allowed with tracking enabled (log)

 

my understanding is now, that in logs i get rulename and number of the access rule hit at the subordinated layer.. instead i get the cleanup allow rule of the top layer with tracking set to "none"

2023-08-07_12-59-14.png

Looking into SmartTracker no informations regarding the matched rule is being given

2023-08-07_13-31-33.png

Setup:

Virtual Management Server, virtual Check Point Gateway (GAiA) and physical smb device. all updated to las recent versions. behaviour can be seen with logs of both gateways

 

Someone has an idea what is wrong? or is this kind of an expected behaviour?

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2023-08-07 04:38 AM

It says "cleanup rule", and I assume, it is a clean-up rule of your sublayer. How does that sublayer look?

0 Kudos
Nüüül
Advisor
Advisor
‎2023-08-07 04:42 AM
In response to _Val_

Hi Val,

 

"Cleanup rule" of first ordered layer is set to Accept Any any Tracking: none

2023-08-07_13-40-29.png

("Cleanup Rule of "lyr_block")

There are two layers in this policy package

2023-08-07_13-43-45.png

subordinated layer is meaning the "normal" policy rule set (pol_xyz) - where the communication is allowed (or not) with Tracking set to "log"

 for instance https://community.checkpoint.com/t5/image/serverpage/image-id/21986i7BAB34C1DF1DF157/image-size/medi...

 

 

 

0 Kudos
_Val_
Admin
Admin
‎2023-08-07 05:23 AM
In response to Nüüül

Hmm, this is a bit odd. Do I see correctly that you have two network policy layers in this security policy package? Why is that?

0 Kudos
Nüüül
Advisor
Advisor
‎2023-08-07 05:30 AM
In response to _Val_

this is to address a requirement in being able to rapidly block communication to/from several networks if needed. if used in the same network policy layer you would run into policy verification errors, because those objects are used somewhere else in the policy. resolving these errors is not possible within the term "rapid"

Using an inline layer would workaround the policy verification error too, but is not possible here for now. so i went towards ordered layers

 

0 Kudos
Scott_Paisley
Advisor
‎2023-08-09 03:25 AM
In response to Nüüül

I observed exactly this behaviour with the same layered policy approach for the same reason (block unwanted traffic) and opened a support ticket.

Support have advised this is expected behaviour, although I think it is a bug.

If you select the rule in the lower layer that the traffic hits and look at 'logs' at the bottom of the console window, it shows the traffic as hitting the rule on the upper layer. The 'logs' view in smartconsole has a predefined filter which is supposed to match 'current rule' but in this scenario it matches a different rule in a different layer...

 

EDIT: I forgot to add, the reason we decided to use a layered policy is that is how Playblocks are implemented, so if they display the same behaviour that will be a problem

0 Kudos
Scott_Paisley
Advisor
‎2023-08-09 03:48 AM
In response to Scott_Paisley

I think the behaviour may be different in R81.20 also

0 Kudos
Nüüül
Advisor
Advisor
‎2023-08-09 03:56 AM
In response to Scott_Paisley

Hi Scott,

i am afraid not - i am on 81.20

an additional layer is also added, when using IOT Protect... 

nevertheless, if with or without it (IOT Protect / PlayBlocks), the behaviour is the same - logging shows the wrong rule. (which has logging disabled)

0 Kudos
Nüüül
Advisor
Advisor
‎2023-08-10 11:38 PM

...when deleting the cleanup rule (policy is set to implicit accept), the only thing that changed is, logs are now shown with "implicit cleanup" as matched rule. 

SmartTracker does not show a matched rule, so SmartLog inserts the first matching rule for a communication? Someone knows a possibility, so SmartLog adds the "last matching" rule instead of "first"? 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events