This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2023-09-10 04:28 PM

Security Gateway accepts HTTP/HTTPS traffic by implied rule for HTTP/HTTPS Web Portals

Hello,

Re sk180808, can someone please confirm the following

https://support.checkpoint.com/results/sk/sk180808

We have specific http and https traffic e.g. SSL VPN traffic, destined to external gateway IPs that needs to be allowed.

With option 1 configured, will this traffic be caught by an implied rule before hitting the last explicit rule (the last explicit rule in the rule-base is a clean up rule)? Or do I need to define an explicit allow rule for this traffic before the explicit clean up rule?

Regards,

Simon

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2023-09-11 11:23 AM

The implied rules are what allow the traffic to TCP 80/443 in the first place.
This option changes when those rules apply (either before the Access Policy or before the last explicitly configured rule).
If you set this option to 1 and don't have a rule that blocks the traffic, the implied rule should still function. 

Simon_Macpherso
Advisor
‎2023-09-11 04:50 PM
In response to PhoneBoy

Correct.

Also TAC confirmed this option is only related to multi-portal traffic.

So if option 1 is enabled, malicious http/https traffic sourced from an external source IP destined to a gateway external IP portal URL will be dropped by explicit drop rules, all other http/https multi-portal traffic will be allowed by implied rule, before the last explicit drop rule (explicit cleanup).

My other concern is still allowing SSL VPN traffic whereby the user is connecting using a client (not multi-portal traffic), but dropping malicious connections to gateway external IPs on http/https that are currently being accepted by implied rule.

Is SSL VPN traffic whereby the user is connecting using a client caught by a different implied rule, in which case it should be unaffected? This SSL VPN client traffic is https, though TAC mentioned this could also be port 4500 which I've never seen (port 4500 generally used NAT traversal in IPSEC VPN). 

Or is this traffic not caught by a separate implied rule, and I will need to ensure I explicitly allow this traffic?

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 05:42 PM
In response to Simon_Macpherso

I will let @PhoneBoy confirm 100%, but I believe that option is only related to 80/443 ports, not anything else...but, I could be mistaken.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-12 08:39 AM
In response to Simon_Macpherso

Unless you’re running it on a different port, SSL VPN traffic also goes through MultiPortal.
Which means you would need explicit rules to allow this traffic.

0 Kudos
Simon_Macpherso
Advisor
‎2023-09-12 04:34 PM
In response to PhoneBoy

Including SSL VPN traffic where the user is connecting from a client?  

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-13 09:12 AM
In response to Simon_Macpherso

Pretty sure any traffic destined to the gateway on port 443 will involve MultiPortal on some level.
That would include SSL VPN traffic.

0 Kudos
the_rock
Legend
Legend
‎2023-10-17 06:16 AM
In response to PhoneBoy

Hey, sorry to respond late to this, but just wondering...since customer is on R81.20 take 24, is rule enough to just block http access to the cluster, without modifying value listed in the sk?

 

Variable Value Security Gateway Behavior

0

 The Security Gateway / Cluster Member enforces the applicable implied rules for the Multi-Portal traffic before the explicit "Drop" rules (the "Before Drop" position).
This is the default.
1 The Security Gateway / Cluster Member enforces the applicable implied rules for the Multi-Portal traffic before the last explicit rule (the "Before Last" position).

Cheers.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-17 07:46 AM
In response to the_rock

This feature was added to R81.20 via JHF but is OFF by default.
It must be explicitly configured per the SK.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events