cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
Employee
Employee

Firewall allowing traffic without Access Policy

Hello,

I am new here.

I am having an Issue with an R80.30 Gateway that is allowing inbound traffic on 443 without an access policy in place.

I think it is based on NAT, I do have a DNAT in place for 443 traffic, I thought Access policy must be matched in order to allow traffic ?

The said traffic is not showing up on any logs either.

 

Fw monitor I can see the traffic hit the WAN side not I cant see any other details after that. I am filtering based on source IP.

fw monitor -m iIoO -l 56 -T -e '{accept(((src=123.32.234.234,dport=443) or (sport=443,dst=123.32.234.234)),[9:1]=6);}'

 

 

 

0 Kudos
15 Replies
Vladimir
Pearl

Re: Firewall allowing traffic without Access Policy

1. Enable "Log Implied Rules" in Global Policy settings and install the policy on GW.

2.Change the "Cleanup rule" to log.

3. Check if your gateway managed via port 443 for WebUI.

If the answer to [3] is a "Yes", change the management port to something else in the gateway's properties and re-install the policy.

You should see the traffic in the logs at this point and see the reason for it being allowed.

 

 

0 Kudos
Employee
Employee

Re: Firewall allowing traffic without Access Policy

Thanks for that.

I can now see the traffic is matching the implied rule 0

F9rhpGq

5SA7rkZ

I changed the default WebUI port to something other than 443. still matching an implied rule.

 

0 Kudos
Vladimir
Pearl

Re: Firewall allowing traffic without Access Policy

For Security Gateway:

In SmartConsole, perform:

  1. Open the Security Gateway / Cluster object and go to the "Platform Portal" pane.
  2. In the "Main URL" field, set the desired port (e.g., port 4434):
    https://IP_ADDRESS:PORT
  3. Click on OK to apply the changes.
  4. Install the security policy on this Security Gateway / Cluster object.
0 Kudos

Re: Firewall allowing traffic without Access Policy

Another thing to check, (triple check and then check again) is your topology.  A common misconception is Topology is just about anti-spoofing.   Topology literally defines the Internet to the gateway.  Without the correct topology, the gateway won't have a clue of what is inside or outside.   If an internal subnet missing or a wrong mask it can cause really strange unexpected rule matching.     

If you need to make any adjustments, do them manually, never select the get interfaces with topology option on a gateway that's in production service or more unexpected results may occur and can take you down.   Also you must keep your topology up to date with any adds/changes on the inside network ongoing.   If you have a route to a subnet on the Inside network, you need to add that subnet to the topology on the appropriate inside interface. 

0 Kudos

Re: Firewall allowing traffic without Access Policy

Definitely change the web port in Platform Portal as suggested previously. But at the top of your access policy rule base you need to have a couple of rules. First Rule would be to create a group for internal IP's that can access the firewall via port 443, SSH, etc.. for management. Then the 2nd rule should be Source Any to Destination firewall IP, ports = Any then set to deny and log. Also remember to place a cleanup rule at the bottom of your access control policy. 

CCSE
0 Kudos
Employee
Employee

Re: Firewall allowing traffic without Access Policy

Hello Every, 

Thanks for all your help so far. I have narrowed it down to visitor mode. Even if I obscure the port for visitor mode. The implicit rule still passes https traffic through.

qX7OXHb

 

In my NAT I have a DNAT rule to NAT HTTPS/HTTP to a webserver.

bLc0EzA

 

In my access policy I don't have any rules to allow traffic to my Webserver located at 10.137.148.4.

rShlOzK

 

Problem : As soon as I enable visitor mode (even on port 4434). My web-server is accessible from the internet because the implicit rule is matched and all HTTPS/HTTP traffic can freely hit my web-server. How do I stop this behavior.

0 Kudos
Di_Junior
Silver

Re: Firewall allowing traffic without Access Policy

Dear All

 

I am having the same problem.

We do not have a access control policy defined, but ping and traceroute are being allowed by the Firewall.

The Log implied rule was not enabled, I have enabled it and now I can see that the access is being allowed by the implied rule 0.

Any help on how we can solve this.

Thanks in advance

 

 

0 Kudos

Re: Firewall allowing traffic without Access Policy

Within SmartConsole, right click your gateway object and select View.   Then click Network Management and it will display your active interface Name, Topology, & IP address.   What does it say in the Topology section for each interface?

0 Kudos
Employee
Employee

Re: Firewall allowing traffic without Access Policy

I can confirm the topology is correct.

Wan Interface -----》 External

Lan Interface -------》 Internal.

 

0 Kudos

Re: Firewall allowing traffic without Access Policy

1.  Is the server on the same exact subnet as your internal interface IP or on a different subnet another internal router hop away?

2.  If on a different subnet, right click the interface and view again to drill deeper, then click view in the topology section.  What is selected?

If Leads To is Not Defined (internal) and your server is on a different subnet then you need to set your topology to Specific and put in a network group object with the internal subnets listed.   

 

 

 

0 Kudos
Employee
Employee

Re: Firewall allowing traffic without Access Policy

Server is in the same subnet.

Gateway IP ( internal) is 10.137.148.1/24

Server ip is 10.137.148.4/24

0 Kudos
Employee
Employee

Re: Firewall allowing traffic without Access Policy

Just an update, I still have not been able to solve this.

I have narrowed it down to visitor mode.

Even when I select the different port for visitor mode on the VPN side.

Port 443 is always used and hence the implied rule is always hit on Port 443.

 
0 Kudos
Vladimir
Pearl

Re: Firewall allowing traffic without Access Policy

image.png

0 Kudos
Di_Junior
Silver

Re: Firewall allowing traffic without Access Policy

Hi Vladimir

Thats actually enabled.

Does it have an impact when disabled?

Thanks
0 Kudos
Vladimir
Pearl

Re: Firewall allowing traffic without Access Policy

When enabled, it'll permit ICMP unconditionally, (i.e. Rule 0).

When unchecked, you'll have to specify rules permitting ICMP where needed.