This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
boom247
Contributor
‎2024-02-07 03:01 AM
Jump to solution

Policy verification R81.10 take 110

Hi Checkmates

 

Today, we encountered an unexpected issue with our firewall policy deployment on R81.10. Despite undergoing rules verification, the policy was installed with an "any src, any dst, any port, action drop and do not log" rule. This oversight raises concerns about the effectiveness of the policy verification process specifically on R81.10.

Upon further testing, we found that policy verification functions correctly on other versions such as R80.40 and R81.20. However, this discrepancy on R81.10 is troubling, as it allowed traffic to be blocked below rule 142 without proper logging.

 

Please point me to the right direction

0 Kudos
2 Solutions

Accepted Solutions
Tal_Paz-Fridman
Employee
Employee
‎2024-02-07 09:43 AM
In response to boom247
Jump to solution

Hi - this is the default behavior for improved performance. 

You can change it using the instructions in sk161574

https://support.checkpoint.com/results/sk/sk161574

Policy verification does not alert about rules that hide other rules

View solution in original post

boom247
Contributor
‎2024-02-08 12:01 PM
In response to the_rock
Jump to solution

Hi Legend

 

See the attached. We eventually got TAC involved, the issue seem to be with R81.10 JHF 110. The solution is to upgrade to JHF R81.10 130 as it is able to pickup conflicting rules.

 

On the attached rule 175 conflicts with the default cleanup rule and the verify policy is successful on R81.10 JHF 110, but fails on R81.10 JHF 130 which is what we're expecting.

Thanks everyone for you input.

View solution in original post

Modified.png
Preview file
372 KB
7 Replies
_Val_
Admin
Admin
‎2024-02-07 04:12 AM
Jump to solution

Not sure I understand. Does the policy package you install contain multiple rules? How do you know that installed package only has Any-Any-Drop-No logs rule?

Please provide more details here.

0 Kudos
boom247
Contributor
‎2024-02-07 04:55 AM
In response to _Val_
Jump to solution

To better explain the issue see the attached. Basically the conflicting rules verification function is not working as expected. It doesn't flag conflicting rules like it should. Attached is a snapshot from another sms that is working as expected.

Conflicting rules.png
Preview file
230 KB
0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2024-02-07 09:43 AM
In response to boom247
Jump to solution

Hi - this is the default behavior for improved performance. 

You can change it using the instructions in sk161574

https://support.checkpoint.com/results/sk/sk161574

Policy verification does not alert about rules that hide other rules

the_rock
Legend
Legend
‎2024-02-07 09:44 AM
In response to Tal_Paz-Fridman
Jump to solution

Good to know, I was not aware.

Thanks Tal.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-07 09:38 AM
Jump to solution

Can you attach whatever is relevant from the server where this is not working? Please blur out any sensitive info.

Andy

0 Kudos
boom247
Contributor
‎2024-02-08 12:01 PM
In response to the_rock
Jump to solution

Hi Legend

 

See the attached. We eventually got TAC involved, the issue seem to be with R81.10 JHF 110. The solution is to upgrade to JHF R81.10 130 as it is able to pickup conflicting rules.

 

On the attached rule 175 conflicts with the default cleanup rule and the verify policy is successful on R81.10 JHF 110, but fails on R81.10 JHF 130 which is what we're expecting.

Thanks everyone for you input.

Modified.png
Preview file
372 KB
the_rock
Legend
Legend
‎2024-02-08 12:12 PM
In response to boom247
Jump to solution

Thats good to know.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top