This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
boom247
Contributor
‎2024-02-07 03:01 AM
Jump to solution

Policy verification R81.10 take 110

Hi Checkmates

 

Today, we encountered an unexpected issue with our firewall policy deployment on R81.10. Despite undergoing rules verification, the policy was installed with an "any src, any dst, any port, action drop and do not log" rule. This oversight raises concerns about the effectiveness of the policy verification process specifically on R81.10.

Upon further testing, we found that policy verification functions correctly on other versions such as R80.40 and R81.20. However, this discrepancy on R81.10 is troubling, as it allowed traffic to be blocked below rule 142 without proper logging.

 

Please point me to the right direction

0 Kudos
2 Solutions

Accepted Solutions
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-02-07 09:43 AM
In response to boom247
Jump to solution

Hi - this is the default behavior for improved performance. 

You can change it using the instructions in sk161574

https://support.checkpoint.com/results/sk/sk161574

Policy verification does not alert about rules that hide other rules

View solution in original post

boom247
Contributor
‎2024-02-08 12:01 PM
In response to the_rock
Jump to solution

Hi Legend

 

See the attached. We eventually got TAC involved, the issue seem to be with R81.10 JHF 110. The solution is to upgrade to JHF R81.10 130 as it is able to pickup conflicting rules.

 

On the attached rule 175 conflicts with the default cleanup rule and the verify policy is successful on R81.10 JHF 110, but fails on R81.10 JHF 130 which is what we're expecting.

Thanks everyone for you input.

View solution in original post

Preview file
372 KB
7 Replies
_Val_
Admin
Admin
‎2024-02-07 04:12 AM
Jump to solution

Not sure I understand. Does the policy package you install contain multiple rules? How do you know that installed package only has Any-Any-Drop-No logs rule?

Please provide more details here.

0 Kudos
boom247
Contributor
‎2024-02-07 04:55 AM
In response to _Val_
Jump to solution

To better explain the issue see the attached. Basically the conflicting rules verification function is not working as expected. It doesn't flag conflicting rules like it should. Attached is a snapshot from another sms that is working as expected.

Preview file
230 KB
0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-02-07 09:43 AM
In response to boom247
Jump to solution

Hi - this is the default behavior for improved performance. 

You can change it using the instructions in sk161574

https://support.checkpoint.com/results/sk/sk161574

Policy verification does not alert about rules that hide other rules

the_rock
MVP Diamond
MVP Diamond
‎2024-02-07 09:44 AM
In response to Tal_Paz-Fridman
Jump to solution

Good to know, I was not aware.

Thanks Tal.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-07 09:38 AM
Jump to solution

Can you attach whatever is relevant from the server where this is not working? Please blur out any sensitive info.

Andy

Best,
Andy
0 Kudos
boom247
Contributor
‎2024-02-08 12:01 PM
In response to the_rock
Jump to solution

Hi Legend

 

See the attached. We eventually got TAC involved, the issue seem to be with R81.10 JHF 110. The solution is to upgrade to JHF R81.10 130 as it is able to pickup conflicting rules.

 

On the attached rule 175 conflicts with the default cleanup rule and the verify policy is successful on R81.10 JHF 110, but fails on R81.10 JHF 130 which is what we're expecting.

Thanks everyone for you input.

Preview file
372 KB
the_rock
MVP Diamond
MVP Diamond
‎2024-02-08 12:12 PM
In response to boom247
Jump to solution

Thats good to know.

Best,

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events