boom247
Contributor

Policy verification R81.10 take 110

Hi Checkmates

Today, we encountered an unexpected issue with our firewall policy deployment on R81.10. Despite undergoing rules verification, the policy was installed with an "any src, any dst, any port, action drop and do not log" rule. This oversight raises concerns about the effectiveness of the policy verification process specifically on R81.10.

Upon further testing, we found that policy verification functions correctly on other versions such as R80.40 and R81.20. However, this discrepancy on R81.10 is troubling, as it allowed traffic to be blocked below rule 142 without proper logging.

Please point me in the right direction.

7 Replies
_Val_
Admin

Not sure I understand. Does the policy package you install contain multiple rules? How do you know that installed package only has Any-Any-Drop-No logs rule?

Please provide more details here.

boom247
Contributor

To better explain the issue see the attached. Basically the conflicting rules verification function is not working as expected. It doesn't flag conflicting rules like it should. Attached is a snapshot from another sms that is working as expected.

Tal_Paz-Fridman
Employee

Hi - this is the default behavior for improved performance. 

You can change it using the instructions in sk161574

https://support.checkpoint.com/results/sk/sk161574

Policy verification does not alert about rules that hide other rules

the_rock
Legend

Good to know, I was not aware.

Thanks Tal.

Andy

the_rock
Legend

Can you attach whatever is relevant from the server where this is not working? Please blur out any sensitive info.

Andy

boom247
Contributor

Hi Legend

See the attached. We eventually got TAC involved; the issue seems to be with R81.10 JHF 110. The solution is to upgrade to R81.10 JHF 130, as it is able to pick up conflicting rules.

On the attached, rule 175 conflicts with the default cleanup rule, and policy verification succeeds on R81.10 JHF 110 but fails on R81.10 JHF 130, which is what we're expecting.

Thanks everyone for your input.
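The check this thread is about (does an earlier rule hide a later one, and is anything dropped without logging?) is easy to reason about with a small model. The following is an added example written for this page, not Check Point code and not the behaviour of any JHF take: it takes a constructed rulebase whose numbers echo the thread (a blanket any/any/any drop without logging at 142, a cleanup rule at 175) and reports every rule that can never fire because an earlier rule already matches its whole src/dst/service space, plus every drop rule that does not log. The `Rule` type, the `hides` and `verify` functions and the sample rules are all assumptions of this example.

```python
"""Shadowed-rule and unlogged-drop check over a constructed rulebase.

Added example for this thread; it is not Check Point's verifier and does not
model objects, negation, zones, VPN communities or inline layers. A rule is
treated as hidden when an earlier rule matches a superset of its source,
destination and service columns, so the later rule can never be reached.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"  # wildcard for the src, dst and service columns


@dataclass(frozen=True)
class Rule:
    number: int
    src: tuple   # CIDR strings, or (ANY,)
    dst: tuple   # CIDR strings, or (ANY,)
    svc: tuple   # "proto/port" strings, or (ANY,)
    action: str  # "accept" or "drop"
    log: bool    # whether the rule tracks matches


def _covers_addr(outer, inner):
    """True when every address matched by `inner` is also matched by `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    outer_nets = [ip_network(n) for n in outer]
    return all(
        any(o.version == i.version and i.subnet_of(o) for o in outer_nets)
        for i in (ip_network(n) for n in inner)
    )


def _covers_svc(outer, inner):
    """True when every service in `inner` is also listed in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return set(inner) <= set(outer)


def hides(earlier, later):
    """True when `earlier` matches every packet `later` could match."""
    return (_covers_addr(earlier.src, later.src)
            and _covers_addr(earlier.dst, later.dst)
            and _covers_svc(earlier.svc, later.svc))


def verify(rules):
    """Return the findings a verifier should raise for this rulebase.

    `hidden` lists (hiding_rule, hidden_rule) pairs, one per hidden rule (the
    first rule that hides it); `unlogged_drops` lists drop rules without tracking.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    hidden = []
    for index, later in enumerate(ordered):
        for earlier in ordered[:index]:
            if hides(earlier, later):
                hidden.append((earlier.number, later.number))
                break
    unlogged_drops = [r.number for r in ordered if r.action == "drop" and not r.log]
    return {"hidden": hidden, "unlogged_drops": unlogged_drops}


# Constructed sample rulebase (numbers chosen to echo the thread, not real data).
RULEBASE = [
    Rule(141, ("10.0.0.0/24",), ("10.0.1.10/32",), ("tcp/22",), "accept", True),
    Rule(142, (ANY,), (ANY,), (ANY,), "drop", False),       # blanket silent drop
    Rule(143, (ANY,), ("10.0.1.20/32",), ("tcp/443",), "accept", True),
    Rule(175, (ANY,), (ANY,), (ANY,), "drop", True),        # cleanup rule
]

if __name__ == "__main__":
    for kind, items in verify(RULEBASE).items():
        print(f"{kind}: {items}")
```

Run against the sample, `verify` reports rules 143 and 175 as hidden by rule 142 and rule 142 as an unlogged drop, which is exactly the pair of findings the original poster expected verification to raise. The same model is what sk161574's setting would re-enable in the real product; here it is only a reference for what "conflicting rules" means.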

the_rock
Legend

That's good to know.

Best,

Andy
