Quarantine / UnQuarantine Policy for hosts
Is there any default quarantine (block all incoming/outgoing traffic for the host) policy present in Check Point? Or do I need to manually create two rules, the first to block incoming traffic and the second to block outgoing traffic?
Are you talking about this in the context of Remote Access or something else?
A screenshot would probably be helpful.
@PhoneBoy
Quarantine / Unquarantine is in terms of network access to limit or deny endpoint access to the network.
Via Remote Access or when connected to the LAN?
When connected to the LAN
The firewall generally operates on an "implicit deny."
Meaning: that which is not expressly permitted by the access policy is denied by default.
So unless you have explicit rules allowing a given host to traverse the gateway, it won't.
Obviously that won't work for stuff that doesn't traverse the gateway.
We have a firewall that can also live on the endpoint (as part of Harmony Endpoint), which with Endpoint Compliance can restrict the client from connecting to anything on the local LAN as well.
However, that's not related to the gateway at all.
You mean that in the firewall all connected devices are blocked by default? I want a quarantine/unquarantine flow similar to what Cisco and Fortigate do with endpoints.
Like I said: nothing is allowed through the gateway unless there's an explicit rule allowing it.
However, if you're talking about the Endpoint, we do have a Host Isolation feature as part of Harmony Endpoint.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
All traffic that is not allowed by explicit rules (i.e. rules you've created) or implied rules (shown via Security Policies in SmartDashboard -> Actions -> Implied Rules) will be dropped.
If you're talking about a quick way to block suspicious traffic during an ongoing event/investigation, the recommended approach is the Suspicious Activity Monitor (SAM) feature. It's not a GUI policy, but a simple CLI way to block the traffic for a given time.
Read more about it in the documentation:
If you're looking at permanently blocking the traffic, inbound and outbound, an easy way would be to create two drop rules at the top of the policy, and then create a network group that you put in Source on one rule and in Destination on the other.
Any objects in that group would then be blocked, and the group can easily be updated via the APIs or manually.
Do I need to install the policy every time after updating the network group?
Any updates to the access policy (including objects in existing rules) require a policy install.
There are certain object types that do not require a policy install to update (Dynamic Objects, Generic Data Center Objects, Access Roles).
Yeah, like Dameon said, changes to the policy will in most cases require installation. You can automate this and trigger it with the APIs, though.
Or you could use dynamic objects and update those instead.
The approach with SAM doesn't require a policy installation either.
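The "two drop rules plus a quarantine group" approach suggested earlier, together with the point made in these last two replies that object changes inside existing rules only take effect after a policy install, is straightforward to automate against the Check Point Management API (R80+). The following is an added example written for this page, not code from the thread or from Check Point: it adds a host object to a quarantine group, publishes the session and installs the Access Control policy, polling the asynchronous tasks until they finish. The group name `Quarantine_Hosts`, the package name `Standard`, the gateway name `gw-lan`, the management address and the sample IP are all constructed assumptions; the two drop rules referencing the group are assumed to already exist at the top of the rulebase. An injectable transport lets the whole flow run offline against a fake, so the request sequence can be checked before pointing it at a real management server.

```python
"""Quarantine / unquarantine a LAN host via the Check Point Management API.

Policy side (assumed, created once by hand): two Drop rules at the top of the
Access Control policy, one with group Quarantine_Hosts as Source, one with it
as Destination.  This script only edits the group, then publishes and installs,
because object changes inside existing rules need a policy install to apply.
Added example; names, addresses and credentials below are illustrative.
"""
import json
import ssl
import time
import urllib.request


class MgmtApi:
    """Minimal client: POST https://<mgmt>/web_api/<command> with a JSON body."""

    def __init__(self, server, transport=None, verify_tls=True):
        self.base = f"https://{server}/web_api/"
        self.sid = None
        self.verify_tls = verify_tls
        # transport(url, payload, sid) -> parsed JSON; injectable so the flow
        # can be exercised offline against FakeTransport below.
        self.transport = transport or self._https

    def _https(self, url, payload, sid):
        ctx = ssl.create_default_context()
        if not self.verify_tls:  # lab only: self-signed management certificates
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid  # session id returned by login
        req = urllib.request.Request(url, json.dumps(payload).encode(), headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.loads(resp.read().decode())

    def call(self, command, payload=None):
        return self.transport(self.base + command, payload or {}, self.sid)

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        self.call("logout")
        self.sid = None

    def wait_task(self, task_id, interval=2.0, timeout=600.0):
        """publish and install-policy are asynchronous: poll show-task until done."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            task = self.call("show-task", {"task-id": task_id})["tasks"][0]
            if task["status"] != "in progress":
                return task["status"]  # succeeded / failed / partially succeeded
            time.sleep(interval)
        raise TimeoutError(f"task {task_id} still running after {timeout}s")


def set_quarantine(api, ip, quarantined, group="Quarantine_Hosts",
                   package="Standard", targets=("gw-lan",)):
    """Add (quarantined=True) or remove (False) a host from the group, publish,
    then install the Access Control policy.  Returns the install task status."""
    name = "quarantine-" + ip.replace(".", "-")
    if quarantined:
        api.call("add-host", {"name": name, "ip-address": ip})
        api.call("set-group", {"name": group, "members": {"add": [name]}})
    else:
        api.call("set-group", {"name": group, "members": {"remove": [name]}})
        api.call("delete-host", {"name": name})
    if api.wait_task(api.call("publish")["task-id"]) != "succeeded":
        api.call("discard")  # drop the unpublished session changes
        raise RuntimeError("publish failed; session discarded")
    install = api.call("install-policy",
                       {"policy-package": package, "targets": list(targets), "access": True})
    return api.wait_task(install["task-id"])


class FakeTransport:
    """Offline stand-in for HTTPS: records every call and returns canned replies."""

    def __init__(self):
        self.calls = []  # (command, payload, sid) in the order issued

    def __call__(self, url, payload, sid):
        command = url.rsplit("/", 1)[1]
        self.calls.append((command, payload, sid))
        if command == "login":
            return {"sid": "fake-sid"}
        if command in ("publish", "install-policy"):
            return {"task-id": f"task-{command}"}
        if command == "show-task":
            return {"tasks": [{"task-id": payload["task-id"], "status": "succeeded"}]}
        return {}


def demo(ip="10.1.20.57"):
    """Quarantine a constructed sample address offline; return (status, call log)."""
    fake = FakeTransport()
    api = MgmtApi("mgmt.example.internal", transport=fake)
    api.login("admin", "password")
    status = set_quarantine(api, ip, quarantined=True)
    api.logout()
    return status, fake.calls


if __name__ == "__main__":
    status, calls = demo()
    print(status, [c[0] for c in calls])
```

To run it for real, construct `MgmtApi("<mgmt-ip>")` without a transport, log in with an API-enabled administrator, and call `set_quarantine(api, ip, True)` or `set_quarantine(api, ip, False)`; the install step is what makes the group change effective on the gateway, which is the cost of this approach compared with SAM rules or Dynamic Objects, which need no install.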
It really depends on the scenario itself... if it's just regular traffic, then you might need 2 rules, but if you are referring to, say, multiple specific hosts/networks, then you can define the same objects in both Source and Destination and set the action to block.
