KellanSmith
Rule with custom Service not being matched

Hi Guys,

First time posting on CheckMates, so my apologies if I've posted in the wrong section.

I've run into a strange issue that I can't wrap my head around, and I was wondering if anyone else has run into it and could potentially help me figure it out. I've also scoured the User Centre for any SK regarding this issue, with no luck.


I have a rule in my policy that allows a bunch of VPN Domain subnets to connect to destination X via tcp.3389.RDP (a custom Service object). However, the traffic is being denied on the cleanup rule, as it's being matched under a different Service, "Remote_Desktop_protocol", which I believe is a default Service object.


The drop is correct, as there is no rule allowing this specific src-to-dst traffic via the service object "Remote_Desktop_protocol". However, the traffic should be getting matched via the tcp.3389.RDP service object, which is in a rule far above the drop rule.

I would like to know how the Gateway differentiates between the two service objects (other than ID), and why it prefers to match the traffic with the "Remote_Desktop_protocol" service rather than the custom tcp.3389.RDP service, when both service objects are configured exactly the same and the custom tcp.3389.RDP service is referenced above the cleanup rule.


With both Service objects being the same, with the same port ranges, one would think that, due to the custom service being first in the policy base, its rule would be the one to get matched, not the cleanup rule (due to the traffic not being matched and then also being identified as Remote_Desktop_protocol).

Any help figuring this out would be greatly appreciated.


Kind regards.


3 Replies
PhoneBoy (Admin)
Why do you want to use this custom service and not the default one we provide?
KellanSmith

Hey,

There's no particular reason, other than that I was testing this out and noticed this problem, and I want to know how/why the Check Point doesn't match traffic to the custom Service.

How does the gateway choose to match traffic on one Service object over another when they're both configured the same?


Regards,

PhoneBoy (Admin), accepted solution
First of all, it's not recommended that you create a new service when we already have one pre-defined.
In fact, I think the UI warns when you do this.
There are a couple cases where it's necessary (for example, when the service has a protocol handler pre-defined and you need that protocol handler not to be active).
Pretty sure RDP has some special handling behind the scenes and that's why it didn't match your service.
A TAC case would be required to find out the exact reason.
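The accepted answer points at a difference between the two objects that the poster's "configured exactly the same" check did not catch (a pre-defined service can carry a protocol handler that a hand-made copy does not). The following is an added example, not code from the thread or from Check Point: it takes the JSON that `mgmt_cli show service-tcp name "<service>" --format json` returns for each object and reports every attribute that differs, ignoring pure metadata. The two service objects below are constructed sample data, the field names (`port`, `protocol`, `match-for-any`, `match-by-protocol-signature`) are an assumption about the Management API to be checked against your own output, and the value `"RDP"` for the handler is a placeholder, not the real identifier.

```python
"""Compare two Check Point service objects attribute by attribute.

Added example: diff the full attribute set of a pre-defined service and a
custom clone of it, so that a difference such as a protocol handler that the
SmartConsole object view does not make obvious shows up explicitly.
"""
import json

# Constructed sample objects, shaped like the output of
#   mgmt_cli show service-tcp name "<service>" --format json
# Field names are an assumption about the Management API; values are made up.
PREDEFINED_RDP = json.loads("""
{
  "uid": "uid-predefined-placeholder",
  "name": "Remote_Desktop_Protocol",
  "type": "service-tcp",
  "port": "3389",
  "protocol": "RDP",
  "match-for-any": true,
  "match-by-protocol-signature": false,
  "session-timeout": 3600,
  "read-only": true
}
""")

CUSTOM_RDP = json.loads("""
{
  "uid": "uid-custom-placeholder",
  "name": "tcp.3389.RDP",
  "type": "service-tcp",
  "port": "3389",
  "match-for-any": false,
  "match-by-protocol-signature": false,
  "session-timeout": 3600,
  "read-only": false,
  "comments": "hand-made copy of the pre-defined RDP service"
}
""")

# Attributes that identify or decorate the object but do not influence
# how the gateway matches traffic to it; they are excluded from the diff.
METADATA_KEYS = frozenset({
    "uid", "name", "comments", "color", "icon", "tags",
    "meta-info", "domain", "read-only", "groups",
})


def service_diff(a: dict, b: dict, ignore=METADATA_KEYS) -> dict:
    """Return {attribute: (value_in_a, value_in_b)} for every attribute that
    differs between the two objects. An attribute present on only one side
    is reported with None for the side that lacks it, which is exactly how a
    protocol handler that exists only on the pre-defined object shows up."""
    keys = (set(a) | set(b)) - set(ignore)
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(keys)
        if a.get(key) != b.get(key)
    }


def report(a: dict, b: dict) -> str:
    """Human-readable summary of service_diff for the two objects."""
    diff = service_diff(a, b)
    if not diff:
        return f"{a['name']} and {b['name']}: no matching-relevant differences"
    lines = [f"{a['name']} vs {b['name']}:"]
    for key, (va, vb) in diff.items():
        lines.append(f"  {key}: {va!r} != {vb!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PREDEFINED_RDP, CUSTOM_RDP))
```

On a real management server, replace the two constructed objects with the parsed output of the `mgmt_cli` calls (after `mgmt_cli login`), and compare whatever attributes your version returns; the diff is generic over the keys present, so it needs no prior knowledge of which attribute carries the handler.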
