This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
abihsot__
Advisor
‎2021-01-15 08:18 AM

policy search - negated cell

Hi there,

 

not a big deal, but a little bit annoying when searching in the policy for something you get result matching negated cell. Sure, the object is there, but negated cell logically means "NOT this object".

Using mode: Packet result is the same.

 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2021-01-15 11:10 AM

When you search a layer for an object, you're searching for all occurrences of the object in the policy.
Since that object occurs in the policy (albeit with negation), it's still used in the policy.
I consider that expected behavior.

Packet Mode is probably doing the same kind of search against the policy layer.
There, it doesn't entirely make sense to show the negated result.
Recommend a TAC case to clarify this case.

0 Kudos
abihsot__
Advisor
‎2021-01-17 11:13 PM
In response to PhoneBoy

I would disagree, because when you do search in the policy you are looking for applicable rules, not particular object. If you type "dst:10.1.1.1", host object might not be available, however rule with network covering that host will be displayed. Probably not many people using negated cells and that's why it is not bothering others.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-01-18 09:41 AM
In response to abihsot__

Meanwhile, when I search for an object, it's almost always because somebody built a copy of that server, and they didn't keep track of their own firewall tickets, so I have to add it everywhere the original exists. Thus, I want rules where it is in a negated cell.

0 Kudos
abihsot__
Advisor
‎2021-01-18 12:27 PM
In response to Bob_Zimmerman

Maybe I was always looking at policy search from different angle, but isn't it the function "where used" build to search for the object usage in the policy and there you can compare locations and click replace? 

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-01-18 12:39 PM
In response to abihsot__

That works when all of the admins care about cleanliness and use existing objects rather than making new ones.

I have seen SmartCenters with twelve objects for 10.0.0.0/8. TWELVE. All used in different places. Two had automatic NAT (to different addresses, because why not), but most of the others were identical except for the names.

My current environment isn't quite that bad, but it's still bad.

0 Kudos
abihsot__
Advisor
‎2021-01-18 12:45 PM
In response to Bob_Zimmerman

I feel your pain 🙂 With multiple objects on the same IP/NET, I usually use "where used" and verify policy rule numbers to make exact match before removing duplicate. Of course, automatic NAT gives some additional "fun".

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-01-18 07:54 AM

What version are you using?  Negated objects seem to get handled properly by packet mode searches in R80.40 for me:

 

packet_negate.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
abihsot__
Advisor
‎2021-01-18 08:01 AM
In response to Timothy_Hall

Sorry, my bad. Indeed after another test, "mode: Packet" do not show negated rules.

So now the question what is the logic according to Checkpoint for regular rulebase search...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events