Ivory

Can I lock myself out completely?

Dear community,

we have a Checkpoint firewall R77.30 (will upgrade to R80.30 soon).

Suppose the very first line of the ruleset is "deny any any".

Does that mean I am completely locked out forever, or is access from SmartDashboard to the management and policy installation from there to the inspection gateways still possible?

 

Thanks,

Ernst

7 Replies
Employee++

Re: Can I lock myself out completely?

Hi

You are not completely locked out. There are special Implied Rules that allow communication between Check Point objects.

You can read more about it here:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Re: Can I lock myself out completely?

This depends on the status of your implied rules and your specific security system configuration.

If you are using distributed configuration (MGMT and GW are different machines), installing Any-Any-Drop will not break MGMT2GW communications, with intact implied rules. SSH, WebUI and other means to access that particular GW will be broken though.

If you are using a Stand Alone config, meaning both MGMT and GW functions belong to the same machine, then yes, you will lose SmartConsole access as well.



Re: Can I lock myself out completely?

The implied rules will only be active when the Global rules have not been changed.
When you have completely locked yourself out, you can only unlock this by going in through the console and typing 'fw unloadlocal' to recover the access.
Regards, Maarten
Silver

Re: Can I lock myself out completely?

For this to happen you would have to have a 1-line policy, with the Global Implied Rules that allow the Management/Gateway connections turned off.

If Line 1 is Any, Any, Any, Deny

Line 2 is Source, Dest, Services, Accept

Line 3 is

Then policy verification fails as Line 1 would hide all the other lines.

 

Providing you have the Default Implied Rules active allowing Control Connections, CPRID etc., then your Management Server can install policy to the Gateway.

Admin

Re: Can I lock myself out completely?

Regardless of the ruleset you should be able to access the gateway via the serial console and unload the security policy with fwm unloadlocal.
Employee++

Re: Can I lock myself out completely?

Small correction - should be fw unloadlocal


Re: Can I lock myself out completely?

There are two other ways to lock yourself out, thus requiring a fw unloadlocal to recover, as these are checked before even the implied rules:

1) Antispoofing topology mistake that blocks traffic from the subnet where the SMS is located.

2) Adding a SAM rule from the SmartView Monitor or fw sam command that blocks traffic from the subnet where the SMS is located.

For situation #1, antispoofing enforcement can be disabled on the fly without incurring a full outage, by running the following commands on R80.30 Jumbo HFA Take 71 or later:

fw ctl set int fw_antispoofing_enabled 0
fw ctl set int sim_anti_spoofing_enabled 0 -a

This capability may have been backported into a Jumbo HFA of R80.20 at some point, not sure.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
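The lockout conditions discussed across the replies above come down to the order in which a gateway evaluates a packet: anti-spoofing topology first, then SAM blocks, then the implied rules, then the explicit rulebase with first match winning, plus the policy verifier's hidden-rule check. The following Python simulation is an added example written for this thread; it is not Check Point code and does not reproduce the real inspection engine. The addresses, interface names, the two rules that stand in for the implied control-connection rules (labelled CPD and CPRID), and the boolean that stands in for the fw ctl anti-spoofing flag are all constructed assumptions.

```python
"""Toy model of the evaluation order described in this thread.

Stages, in order: anti-spoofing topology check, SAM blocks, implied rules,
explicit rulebase (first match wins), implicit cleanup drop.
Illustration only; not Check Point's inspection code.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = "any"


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def _covers(pattern, value):
    """Does a rule field (network string, service name, or ANY) cover a concrete value?"""
    if pattern == ANY:
        return True
    try:
        return ipaddress.ip_address(value) in _net(pattern)
    except ValueError:
        return pattern == value          # service names compare literally


def _subsumes(a, b):
    """Does rule field a cover everything rule field b can match? (shadow check)"""
    if a == ANY:
        return True
    if b == ANY:
        return False
    try:
        return _net(b).subnet_of(_net(a))
    except ValueError:
        return a == b


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str                          # "accept" or "drop"


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    in_iface: str


@dataclass
class Gateway:
    topology: dict                       # iface -> networks valid as source there
    antispoofing_enabled: bool = True    # stands in for fw_antispoofing_enabled
    sam_blocks: list = field(default_factory=list)
    implied_rules_enabled: bool = True
    implied_rules: list = field(default_factory=list)
    rulebase: list = field(default_factory=list)


def rule_matches(rule, pkt):
    return (_covers(rule.src, pkt.src) and _covers(rule.dst, pkt.dst)
            and _covers(rule.service, pkt.service))


def evaluate(gw, pkt):
    """Return (verdict, stage) showing where the packet's fate was decided."""
    if gw.antispoofing_enabled:
        valid = gw.topology.get(pkt.in_iface, [])
        if not any(ipaddress.ip_address(pkt.src) in _net(n) for n in valid):
            return ("drop", "antispoofing")
    if any(ipaddress.ip_address(pkt.src) in _net(n) for n in gw.sam_blocks):
        return ("drop", "sam")
    if gw.implied_rules_enabled:
        for r in gw.implied_rules:
            if rule_matches(r, pkt):
                return (r.action, "implied")
    for i, r in enumerate(gw.rulebase, 1):
        if rule_matches(r, pkt):
            return (r.action, f"rule {i}")
    return ("drop", "cleanup")


def shadowed_rules(rulebase):
    """1-based indices of rules an earlier rule fully hides (verifier would reject)."""
    hidden = []
    for j, later in enumerate(rulebase):
        for earlier in rulebase[:j]:
            if all(_subsumes(getattr(earlier, f), getattr(later, f))
                   for f in ("src", "dst", "service")):
                hidden.append(j + 1)
                break
    return hidden


MGMT = "10.1.1.10"   # constructed: management server (SMS) address
GW = "10.1.1.1"      # constructed: gateway's management-side address


def build_gateway(**overrides):
    """Distributed gateway whose explicit rulebase is just 'any any any drop'."""
    gw = Gateway(
        topology={"eth0": ["10.1.1.0/24"], "eth1": ["192.168.0.0/16"]},
        implied_rules=[Rule(MGMT + "/32", ANY, "CPD", "accept"),    # constructed stand-in
                       Rule(MGMT + "/32", ANY, "CPRID", "accept")],  # for implied rules
        rulebase=[Rule(ANY, ANY, ANY, "drop")],
    )
    for k, v in overrides.items():
        setattr(gw, k, v)
    return gw


def policy_push(gw):      # control connection from the SMS
    return evaluate(gw, Packet(MGMT, GW, "CPD", "eth0"))


def ssh_from_mgmt(gw):    # ordinary admin access, not covered by implied rules
    return evaluate(gw, Packet(MGMT, GW, "ssh", "eth0"))


if __name__ == "__main__":
    print("policy push, implied rules on :", policy_push(build_gateway()))
    print("ssh, implied rules on         :", ssh_from_mgmt(build_gateway()))
    print("policy push, implied rules off:", policy_push(build_gateway(implied_rules_enabled=False)))
    print("topology mistake              :", policy_push(build_gateway(topology={"eth0": ["10.2.2.0/24"]})))
    print("SAM block on SMS subnet       :", policy_push(build_gateway(sam_blocks=["10.1.1.0/24"])))
    print("hidden rules                  :", shadowed_rules([Rule(ANY, ANY, ANY, "drop"),
                                                              Rule("10.1.1.0/24", GW + "/32", "ssh", "accept")]))
```

Running it shows the thread's points side by side: with implied rules on, the control connection is accepted before rule 1 is ever consulted while SSH dies at rule 1; with implied rules off, a topology mistake, or a SAM block on the SMS subnet, the push is dropped (and in the last two cases at a stage ahead of the implied rules, which is why only console recovery helps); and the verifier-style check reports rule 2 as hidden behind an any/any/any rule 1.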