This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Valenta
Advisor
‎2018-04-19 05:17 AM

When policy verification will validate also port numbers instead of service name?

Rules above are passing verification process without any issues, since verification process don't look on port defined in service but rather check only service name. This basically create shadowed rules in policy.

Should it be verification failure, when services are exact same ports on both rules?

Only difference between http/s and http/s-30mins is with custom advanced settings on service properties.

7 Replies
Marco_Valenti
Advisor
‎2018-04-19 06:36 AM

Those are two different service beside port number , you can have rule like this for decide to not synchronize certain type of traffic between cluster member just cloning the default service and select do not synchronize between cluster member so I guess the verify mechanism is work as expected at least in this case .

0 Kudos
Martin_Valenta
Advisor
‎2018-04-19 06:43 AM
In response to Marco_Valenti

It's still same port. There will be no hit counts rule #2

XavierBens
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2018-04-19 11:15 AM

Could you detailed advanced settings difference between both of them ?

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite
0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-04-19 01:25 PM

Hi, the Security Management Server has it as warnings as you make the change. We plan to create a page for the "live" warnings since the "validations" pane only shows publish-blocking errors. Multiple services with the same port is not a security problem. You can use either of them in the same policy. However, we realize that some of our customers would like this as an error and we plan to add this configuration flexibility in our next releases.

0 Kudos
Martin_Valenta
Advisor
‎2018-04-23 01:59 AM
In response to Tomer_Sole

Tom, its not an issue that you can have multiple services with same destination port, but if it for verification process only care about only name of service, then it's allowing to create shadowed rules. Right now if i want to see shadowed rules i need to use tools like Tufin,  Firemon, Algosec.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-04-23 02:15 AM
In response to Martin_Valenta

multiple services with same name are blocked with R80.10 Security Management.

Check Point fails policy installation for shadowed rules. In case objects are shadowed but belong to groups, Check Point does not fail policy installation, because we aren't sure that administrators are willing to break their groups apart for the purpose of narrowing down their rules - but we'd love to hear a different approach.

0 Kudos
Martin_Valenta
Advisor
‎2018-04-23 02:21 AM
In response to Tomer_Sole

Unique name is required for all network objects since r80.10, which is good, but this is about something else.

It's checking shadowing for network objects definitions, but not for services that's my point.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events