This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
This widget could not be displayed.
1 Solution

Accepted Solutions
Preview file
52 KB

Hello

At R81 Verification succeeds for two same sequential rules. See attachment. 

You can easily replicate.

BR,

Kostas

Preview file
52 KB
Jump to solution

Verification succeeds for two same sequential rules

Jump to solution

Verification succeeds for two same sequential rules

Hello

At R81 Verification succeeds for two same sequential rules. See attachment. 

You can easily replicate.

BR,

Kostas

Preview file
52 KB

Hello

At R81 Verification succeeds for two same sequential rules. See attachment. 

You can easily replicate.

BR,

Kostas

Preview file
52 KB
6 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-06-08 09:25 AM
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-06-08 09:25 AM
Jump to solution

Jump to solution

At a guess, that seems like something the zone might cause. Zones are complicated to resolve to specific addresses, so I wouldn't be surprised if the verification process treats them as not matching anything, or simply skips rules which use them.

At a guess, that seems like something the zone might cause. Zones are complicated to resolve to specific addresses, so I wouldn't be surprised if the verification process treats them as not matching anything, or simply skips rules which use them.

PhoneBoy
Admin
Admin
‎2021-06-08 12:37 PM
PhoneBoy
Admin
Admin
‎2021-06-08 12:37 PM
Jump to solution

Jump to solution

Actually, this is expected behavior from R80.40.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Actually, this is expected behavior from R80.40.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-06-10 03:38 PM
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-06-10 03:38 PM
In response to PhoneBoy
In response to PhoneBoy
Jump to solution

Jump to solution

Wow. That's good to know. I have a few policies in my managements which I don't want anybody pushing (one with QoS, and a few are migrations in progress), so I intentionally break them with overlapping rules at the end. I'll have to confirm they have different actions. They might just be two drop rules in some.

Wow. That's good to know. I have a few policies in my managements which I don't want anybody pushing (one with QoS, and a few are migrations in progress), so I intentionally break them with overlapping rules at the end. I'll have to confirm they have different actions. They might just be two drop rules in some.

LaRockas
Participant
‎2021-06-11 06:07 AM
LaRockas
Participant
‎2021-06-11 06:07 AM
In response to PhoneBoy
In response to PhoneBoy
Jump to solution

Jump to solution

Hi PhoneBoy ,

The feature with the overlapping rules and the verification was very useful for large environments with many may rules . It was helping to housekeep the rules . Also it was an extra for our environment when we migrate from Cisco ASA , to help us reduce the rules . I understand the need for others to have overlapping rules , but it would be better to be able to change it with some change to the GUI , and not all the procedure that the SK161574 (Advanced Technical Level)  describes .

 

Hi PhoneBoy ,

The feature with the overlapping rules and the verification was very useful for large environments with many may rules . It was helping to housekeep the rules . Also it was an extra for our environment when we migrate from Cisco ASA , to help us reduce the rules . I understand the need for others to have overlapping rules , but it would be better to be able to change it with some change to the GUI , and not all the procedure that the SK161574 (Advanced Technical Level)  describes .

 

PhoneBoy
Admin
Admin
‎2021-06-11 04:03 PM
PhoneBoy
Admin
Admin
‎2021-06-11 04:03 PM
In response to LaRockas
In response to LaRockas
Jump to solution

Jump to solution

I believe the primary reason this was done was to reduce the overall policy compilation/installation time, also an issue in environments with many, many rules.
I would expect this process to take more time if this check is re-enabled.
Moving the setting to the UI would have to be addressed as an RFE.

I believe the primary reason this was done was to reduce the overall policy compilation/installation time, also an issue in environments with many, many rules.
I would expect this process to take more time if this check is re-enabled.
Moving the setting to the UI would have to be addressed as an RFE.

0 Kudos
0 Kudos
abihsot__
Advisor
‎2021-07-07 02:07 AM
abihsot__
Advisor
‎2021-07-07 02:07 AM
In response to LaRockas
In response to LaRockas
Jump to solution

Jump to solution

I feel your frustration. I was thinking the same and policy verification for hide rules is very useful to prevent rulebase from growing unnecessary. In my opinion it is a shady way of speeding up policy installation time.

I feel your frustration. I was thinking the same and policy verification for hide rules is very useful to prevent rulebase from growing unnecessary. In my opinion it is a shady way of speeding up policy installation time.