firewall policy rule that specifies a VPN community
If a firewall policy contains a rule that specifies a VPN community that the gateway is not a participating member of, does this mean that the rule is redundant? Does it mean that the rule will be ignored even if there is matching traffic you expect to be processed by the rule?
Labels: SmartConsole
Accepted Solutions
Yes, the rule will be ignored. When anything other than "Any" is placed in the VPN column, it adds an additional matching criterion. Based on the VPN Domains or IP routing into a VTI, in addition to matching the Source/Dest/Service fields, the traffic must be encrypting into a tunnel of that community or decrypting from a tunnel of that community. Traffic going in the clear, or going in/out of a different community based on VPN Domains/VTI routing, will not match that rule, even if all other rule fields such as Source/Dest/Service are a match.
This condition does not cause a policy verification or validation error. It is a common misconception that the VPN column is used to define what traffic is "interesting" to a VPN with regard to encryption, which is not correct; the VPN Domains/VTI routing process does that.
CET (Europe) Timezone Course Scheduled for July 1-2
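The match semantics described in the accepted answer, and the "set the VPN column back to Any" fix suggested later in the thread, as an added example that is not part of the original post or of any Check Point tool. It is a minimal model of first-match rule evaluation in which the VPN column is an extra criterion that only traffic actually tunnelled through that community can satisfy; the rule names, addresses and community names are constructed for illustration. The last helper is the audit check a practitioner would want: rules whose VPN column names a community this gateway does not belong to, which policy verification will not flag but which can never match on that gateway.

```python
# Added example (not from the CheckMates thread): a model of first-match
# rule evaluation where the VPN column is an additional match criterion.
# Object names, addresses and community names are constructed.
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Set

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR or "Any"
    dst: str       # CIDR or "Any"
    service: str   # e.g. "tcp/1433" or "Any"
    vpn: str       # VPN community name or "Any"
    action: str    # "Accept" or "Drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    # Community whose tunnel this packet is being encrypted into or was
    # decrypted from, as decided by VPN Domains / VTI routing on the
    # gateway. None means the packet travels in the clear.
    community: Optional[str] = None


def _addr_match(cidr: str, ip: str) -> bool:
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every column must match. A non-Any VPN column matches only traffic
    the gateway actually tunnels through that community; cleartext traffic
    and traffic in a different community fail it even if src/dst/service fit."""
    if not _addr_match(rule.src, pkt.src):
        return False
    if not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.service != ANY and rule.service != pkt.service:
        return False
    if rule.vpn != ANY and pkt.community != rule.vpn:
        return False
    return True


def first_match(rulebase: List[Rule], pkt: Packet) -> Rule:
    """First-match semantics with an implicit clean-up (Drop) after the last rule."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return rule
    return Rule("Implicit clean-up", ANY, ANY, ANY, ANY, "Drop")


def rules_naming_foreign_communities(rulebase: List[Rule], gateway_communities: Set[str]) -> List[Rule]:
    """Audit helper: rules whose VPN column names a community this gateway
    is not a member of. Such rules pass policy verification but can never
    be hit on this gateway, because it never tunnels anything through them."""
    return [r for r in rulebase if r.vpn != ANY and r.vpn not in gateway_communities]


# Constructed rulebase: rule 1 carries a VPN community in the VPN column.
RULEBASE = [
    Rule("Allow app to DB", "10.1.0.0/24", "10.2.0.0/24", "tcp/1433", "Partner-VPN", "Accept"),
    Rule("Explicit clean-up", ANY, ANY, ANY, ANY, "Drop"),
]

# Constructed flow: src/dst/service match rule 1, but this gateway is not a
# member of Partner-VPN, so the packet is forwarded in the clear.
CLEAR_PKT = Packet("10.1.0.10", "10.2.0.20", "tcp/1433")
# The same flow as seen on a gateway that does tunnel it via Partner-VPN.
TUNNELLED_PKT = Packet("10.1.0.10", "10.2.0.20", "tcp/1433", community="Partner-VPN")


def demo():
    hit_clear = first_match(RULEBASE, CLEAR_PKT).name           # falls to clean-up
    hit_tunnelled = first_match(RULEBASE, TUNNELLED_PKT).name   # hits rule 1
    # The fix suggested in the thread: put the VPN column back to Any.
    fixed = [replace(r, vpn=ANY) if r.name == "Allow app to DB" else r for r in RULEBASE]
    hit_after_fix = first_match(fixed, CLEAR_PKT).name          # now hits rule 1
    # This gateway only participates in a constructed "Site-to-Site-HQ" community.
    foreign = [r.name for r in rules_naming_foreign_communities(RULEBASE, {"Site-to-Site-HQ"})]
    return hit_clear, hit_tunnelled, hit_after_fix, foreign


if __name__ == "__main__":
    print(demo())
```

Running it shows the cleartext flow landing on the clean-up rule while the identical flow inside the Partner-VPN tunnel hits rule 1, and that clearing the VPN column makes the cleartext flow match. The audit helper is the cheap pre-check: run it over the rulebase with the set of communities the gateway actually participates in before chasing "matching traffic hits clean-up" reports in the logs.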
Can you share a screenshot/example of what exactly you are referring to?
I can't share a screenshot, but what I'm saying is that I have a firewall rule that is not getting any hits despite the source IP, destination IP and service actually being a match. Instead of hitting this rule, which was created to allow this traffic, the traffic is missing this rule and instead hitting the clean-up rule at the very bottom of the rule base, and I didn't know why. The rule in question was not created by me, and it has been configured with a particular VPN community in the VPN field of the rule. However, what I've noticed is that the firewall this policy is for is not part of the VPN community specified in the VPN field of the rule, and I believe the rule is not getting hit because this firewall is not a participating gateway of this VPN community, the same VPN community listed in the rule.
I think I get it now, makes sense. Yes, I believe what you assumed is indeed correct. If the firewall is NOT part of that VPN community, the rule won't be hit, and if there are no other matches, it will either hit the explicit clean-up rule at the end of the inline layer (if one exists) or hit the implicit clean-up rule at the very bottom. If you can remove the VPN community from that column, chances are the rule will most likely be hit.
Andy
