Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nikunj
Contributor

Quarantine / UnQuarantine Policy for hosts

Is there any default quarantine(block all incoming/outgoing traffic for the host) policy present in the checkpoint? or should i need to manually create two rules 1st to block incoming traffic and 2nd to block outgoing traffic? 

0 Kudos
13 Replies
PhoneBoy
Admin
Admin

Are you talking about this in the context of Remote Access or something else?
A screenshot would probably be helpful.

Nikunj
Contributor

@PhoneBoy 
Quarantine / Unquarantine is in terms of network access to limit or deny endpoint access to the network.

0 Kudos
PhoneBoy
Admin
Admin

Via Remote Access or when connected to the LAN?

0 Kudos
Nikunj
Contributor

When connected to the LAN

0 Kudos
PhoneBoy
Admin
Admin

The firewall generally operates on an "implicit deny."
Meaning: that which is not expressly permitted by the access policy is denied by default.
So unless you have explicit rules allowing a given host to traverse the gateway, it won't.

Obviously that won't work for stuff that doesn't traverse the gateway.
We have a firewall that can also live on the endpoint (as part of Harmony Endpoint), which with Endpoint Compliance can restrict the client from connecting to anything on the local LAN as well.
However, that's not related to the gateway at all.

0 Kudos
Nikunj
Contributor

You mean in the firewall by default all the connected device block by default? I want quarantine/unquarantine flow similar to what cisco and fortigate do with endpoint.

0 Kudos
PhoneBoy
Admin
Admin

Like I said: nothing is allowed through the gateway unless there's an explicit rule allowing it.
However, if you're talking about the Endpoint, we do have a Host Isolation feature as part of Harmony Endpoint.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

 

0 Kudos
Benedikt_Weissl
Advisor

Every traffic that is not allowed by explicit rules (i.e. rules you've created) or implied rules ( show via security policies in smart dashboard -> actions -> implied rules) will be dropped

Sigbjorn
Advisor

If you're talking about a quick way to block suspicious traffic during an ongoing event/investigation the recommended approach is the Suspicious Activity Monitor features. It's not a gui policy, but simple cli way to block the traffic for a given time.

Read more about it in the documentation:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...

 

If you're looking at permanently blocking the traffic, inbound and outbound, an easy way would be to create two drop rules at the top of the policy, and then create a network group that you stick in source on one rule and destination on the other.
Any objects in that group would then be blocked, and the group can easily by updated by API's or manually.

Nikunj
Contributor

do i need to install the policy every time after updating the network group?

0 Kudos
PhoneBoy
Admin
Admin

Any updates to the access policy (including objects in existing rules) require a policy install.
There are certain object types that do not require a policy install to update (Dynamic Objects, Generic Data Center Objects, Access Roles).

Sigbjorn
Advisor

Yea, like Dameon said, changes to policy will in most cases require installation. You can automate this and trigger it with the API's though.

Or you could use dynamic objects and update those instead.

The approach with SAM doesn't require a policy installation either.

the_rock
Mentor
Mentor

It really depends on the scenario itself...if its just regular traffic, then you might need 2 rules, but if you are referring to say multiple specific  hosts/networks, then you can define them same in both source and destination and then action block.

0 Kudos