Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Simon_Macpherso
Advisor

Security Gateway accepts HTTP/HTTPS traffic by implied rule for HTTP/HTTPS Web Portals

Hello,

Re sk180808, can someone please confirm the following

https://support.checkpoint.com/results/sk/sk180808

We have specific http and https traffic e.g. SSL VPN traffic, destined to external gateway IPs that needs to be allowed.

With option 1 configured, will this traffic be caught by an implied rule before hitting the last explicit rule (the last explicit rule in the rule-base is a clean up rule)? Or do I need to define an explicit allow rule for this traffic before the explicit clean up rule?

Regards,

Simon

0 Kudos
8 Replies
PhoneBoy
Admin
Admin

The implied rules are what allow the traffic to TCP 80/443 in the first place.
This option changes when those rules apply (either before the Access Policy or before the last explicitly configured rule).
If you set this option to 1 and don't have a rule that blocks the traffic, the implied rule should still function. 

Simon_Macpherso
Advisor

Correct.

Also TAC confirmed this option is only related to multi-portal traffic.

So if option 1 is enabled, malicious http/https traffic sourced from an external source IP destined to a gateway external IP portal URL will be dropped by explicit drop rules, all other http/https multi-portal traffic will be allowed by implied rule, before the last explicit drop rule (explicit cleanup).

My other concern is still allowing SSL VPN traffic whereby the user is connecting using a client (not multi-portal traffic), but dropping malicious connections to gateway external IPs on http/https that are currently being accepted by implied rule.

Is SSL VPN traffic whereby the user is connecting using a client caught by a different implied rule, in which case it should be unaffected? This SSL VPN client traffic is https, though TAC mentioned this could also be port 4500 which I've never seen (port 4500 generally used NAT traversal in IPSEC VPN). 

Or is this traffic not caught by a separate implied rule, and I will need to ensure I explicitly allow this traffic?

0 Kudos
the_rock
Legend
Legend

I will let @PhoneBoy confirm 100%, but I believe that option is only related to 80/443 ports, not anything else...but, I could be mistaken.

Andy

0 Kudos
PhoneBoy
Admin
Admin

Unless you’re running it on a different port, SSL VPN traffic also goes through MultiPortal.
Which means you would need explicit rules to allow this traffic.

0 Kudos
Simon_Macpherso
Advisor

Including SSL VPN traffic where the user is connecting from a client?  

0 Kudos
PhoneBoy
Admin
Admin

Pretty sure any traffic destined to the gateway on port 443 will involve MultiPortal on some level.
That would include SSL VPN traffic.

0 Kudos
the_rock
Legend
Legend

Hey, sorry to respond late to this, but just wondering...since customer is on R81.20 take 24, is rule enough to just block http access to the cluster, without modifying value listed in the sk?

 

Variable Value Security Gateway Behavior

0

The Security Gateway / Cluster Member enforces the applicable implied rules for the Multi-Portal traffic before the explicit "Drop" rules (the "Before Drop" position).
This is the default.
1 The Security Gateway / Cluster Member enforces the applicable implied rules for the Multi-Portal traffic before the last explicit rule (the "Before Last" position).

Cheers.

0 Kudos
PhoneBoy
Admin
Admin

This feature was added to R81.20 via JHF but is OFF by default.
It must be explicitly configured per the SK.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events