This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jtgetzke
Participant
‎2022-02-22 06:16 PM
Jump to solution

Time Object Policy Update

Hello,

I recently learned about the Time object in Security Gateway.  This could be great for our scenarios where temporary access to resources is needed.

I found an article with a basic description of the object here:
https://sc1.checkpoint.com/documents/R81.10/SmartConsole_OLH/EN/Topics-OLH/NZWusyHm6c__hj6NSFa-VQ2.h...

However, I am wondering if there are any downsides to using this object.  For example, when the time expires in my time object, does the SGW publish a session or Install Policy to apply the rule change?  Will the time object interfere with current sessions that are going on in the background at the same time?

Here is a simple Time object that I setup for a temp rule to help me experiment:

TimeObject.png

Hopefully the feature works the way I intend it to and we can use it for more temporary rule scenarios.

 

 

 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2022-02-22 11:48 PM
Jump to solution

Hi @jtgetzke,


This has no effect on existing sessions. Existing sessions are only terminated after the session timer in the state table has expired. A rule using a time object applies only to connections that begin during the time object's time frame. If the connection extends past that time frame, it is allowed to continue. The relevant time zone is that of the Security Gateway enforcing the rule.

Unless you have activated in the service that the session should not continue when installing the policy. Then this also happens when installing the policy.

Conclusion:
The time settings only apply to new connections.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

5 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2022-02-22 11:48 PM
Jump to solution

Hi @jtgetzke,


This has no effect on existing sessions. Existing sessions are only terminated after the session timer in the state table has expired. A rule using a time object applies only to connections that begin during the time object's time frame. If the connection extends past that time frame, it is allowed to continue. The relevant time zone is that of the Security Gateway enforcing the rule.

Unless you have activated in the service that the session should not continue when installing the policy. Then this also happens when installing the policy.

Conclusion:
The time settings only apply to new connections.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
jtgetzke
Participant
‎2022-02-23 05:04 AM
In response to HeikoAnkenbrand
Jump to solution

Thanks for the detailed answer.  

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-02-23 03:54 AM
Jump to solution

sk115134: Persisting connections in connections table after installing a new rule with Time object

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-02-23 04:47 AM
Jump to solution

Per sk32578 in R80.10 and above there shouldn't be any additional considerations.

CCSM R77/R80/ELITE
jtgetzke
Participant
‎2022-02-25 06:45 PM
Jump to solution

As a follow up to my own experiment, I did notice one downside to the Time object.

The object persists after the temporary rule expires.  If the goal is to create a time object for each temporary rule that pops up you will be stuck having to manage all of those individual time objects at some point.  It seems to me that the time object is best used for scenarios where the temporary portion of the rule is frequently occurring or on a repeating basis. 

For example a rule that disables access to a resource during normal business hours, but afterhours its allowed.  One time object would turn the same rule on and off multiple times and be worth the effort.  Or if you have a frequent travel scenario that you need to enable/disable for geoprotection.  The time object will likely get used again in either of these scenarios for the same rule.  Or another possibility is if you have pressure from someone to specifically turn off a rule afterhours, cool, the time object can do that for you and save you the trouble of logging in until business hours.

But if you have scenarios where the rule is a one time use case and will likely never be used again, its less overhead to just create the rule and then delete it when your done so you don't have to remember to clean up the time object too.  For example an employee traveling to a random foreign country with your geoprotection policy.  Or setting up a temp rule for your developers while they POC a product.  If the POC expires and the rule is no longer needed then you might as well avoid the extra overhead of the time object and setup a reminder for that rule in another way.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events