This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
B_P
Advisor
‎2018-05-02 03:48 PM
Jump to solution

"Internet" object != Internet?

R80.10 - I have a single policy that has the Firewall and App & URL Filtering blades enabled on it. In that policy I have a rule that says Allow for destination Internet. My Internet-bound traffic is blocked by my cleanup rule. What am I missing here?

p.s. I'm not asking how to allow internet access.. I've seen that post and I can make it work with other methods. I'm trying to understand how CP is processing the rules here.

Labels
1 Solution

Accepted Solutions
B_P
Advisor
‎2018-05-07 01:57 PM
Jump to solution

I figured it out -- the App / URL blades were, in fact, not enabled.

So if you don't have them enabled and create a unified policy -- you can install said policy, but the rules will essentially be ignored without any indication that they are being ignored. Surprised, not surprised.

View solution in original post

9 Replies
Kyle_Danielson
Employee
Employee
‎2018-05-02 06:01 PM
Jump to solution

The Internet object in the Application Control & URL Filtering policy actually only applies to traffic that's leaving an interface marked as external.

I would check the topology settings on the Gateway object and make sure your interface-facing interface is marked external.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2018-05-03 05:16 AM
In response to Kyle_Danielson
Jump to solution

Traffic going to DMZ networks that have the checkbox "leads to DMZ" checked will also match object "Internet" in a APCL/URLF layer.  This was covered extensively in my book, see:

sk102675: When using "Internet" object as destination in Application Control rule to block an applic...

sk108057: What does the box "Interface leads to DMZ" control in interface topology?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
B_P
Advisor
‎2018-05-03 07:32 AM
In response to Kyle_Danielson
Jump to solution

My internet-facing interface was already marked external. There is no DMZ.

B_P
Advisor
‎2018-05-04 08:11 AM
Jump to solution

Any other ideas?

Tomer_Sole
Mentor
Mentor
‎2018-05-06 12:01 PM
In response to B_P
Jump to solution

- would you mind printing the gateway editor --> network management --> "eth0" interface properties? does its editor mention "leads to internet"?

- if this is an R80.10 gateway, the "more" part in the log card contains the source zone. If the zone is not External, that would be the root cause of the match on the cleanup rule.

hope this helps.

0 Kudos
B_P
Advisor
‎2018-05-07 10:49 AM
In response to Tomer_Sole
Jump to solution

eth0 - "This network" - Management LAN

eth1 - "External" - Public WAN

eth2 - DefinedNetworkGroup - Various Private LANs

eth3 - "This network" - End-user LAN

There is nothing about zone in the log -- just ID, ID Generated By Indexer, First, Sequencenum, Db Tag, Logid, Description.

0 Kudos
B_P
Advisor
‎2018-05-07 01:57 PM
Jump to solution

I figured it out -- the App / URL blades were, in fact, not enabled.

So if you don't have them enabled and create a unified policy -- you can install said policy, but the rules will essentially be ignored without any indication that they are being ignored. Surprised, not surprised.

Tomer_Sole
Mentor
Mentor
‎2018-05-17 10:03 AM
In response to B_P
Jump to solution

You're going to get a warning, not an error, during install policy. We have plans to emphasize this in later releases.

0 Kudos
B_P
Advisor
‎2018-05-17 10:20 AM
In response to Tomer_Sole
Jump to solution

I wish I got a warning. All I get it is a green check mark:

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events