Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Terri_Hawkins
Collaborator
Jump to solution

Enabling Mobile Blade Exposed All Firewall Interfaces to Public.

Hi All,  I am using Checkpoint 80.40 with take 77 installed.  I am attempting to enable the Mobile Access Blade. When we were running 80.30 I started the project.  Once I enabled the blade we starting failing PCI compliance.  The problem was that all the interfaces on our gateway were suddenly available outside on ports 80 and 443. I disabled the blade and we starting passing pci again.

We have since upgraded to 80.40 and I am trying this process again. And, once again,  we are failing pci scans.  This is because...

  • All of the interfaces (VIPS and actual network addresses) on our gateway cluster are showing outside our network.
  • If you try to go to one of the interfaces it gives you a message that there is an untrusted or self signed certificate. (which I expect since there is no site there, but it causes us to fail PCI because it is open)
  • Traffic shows in the logs as being accepted on implied rules.
  • If you go past the certificate message, you get the page not available message.

I need to either create rules to override the implied rules (which I have heard you have to be EXTREMELY careful doing), or, more likely, figure out what I have misconfigured that makes them available externally .  There should be no traffic going to these IP addresses and the certificate will never match since they don't have any names. 

On our cluster, on the Mobile Access section, I have..

  • Selected Allowed Clients with "Web" and a portal URL listed (with just one IP address)
  • Under the Portal Customization I have only the one IP address listed, with one alias which points to that address in DNS
  • Accessibility is set to According to the firewall policy.
  • In the Mobile Access Blade Section of SmartDashboard I have only a few rules allowing a few testers to get to anything behind the network. 
  • I found some videos on checkmates for setting up remote access and I am working through those now but have not yet seen anything about this issue.
  • Gone through all the settings I can find and cannot find a place to say to get to only the one specific address.

If anyone knows what I need to disable/enable to hide my port addresses it would be very appreciated.  I hate the idea of tackling the implied rules but will if that is what is required.

Any help, again, is greatly appreciated.

thanks

terri

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
Terri_Hawkins
Collaborator

Thank you for the reply. I found one of the portals (called Clients, I guess that is a built in one) which was set to "All interfaces". I scheduled a maintenance window and changed it to "rule_base" and reran our external scan and the interfaces are still out there with traffic being allowed on an implied rule. The only thing I can think of to do is to create rules blocking all the traffic (and hoping I don't miss something I need), but I thought the firewall default to not allow if there was not a rule to allow, so I'm not sure that is necessary. It has to be something I have misconfigured. If you can think of anything else and don't mind sharing I would appreciate it.  Thanks again.

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
Terri_Hawkins
Collaborator

Thank you for the reply. I found one of the portals (called Clients, I guess that is a built in one) which was set to "All interfaces". I scheduled a maintenance window and changed it to "rule_base" and reran our external scan and the interfaces are still out there with traffic being allowed on an implied rule. The only thing I can think of to do is to create rules blocking all the traffic (and hoping I don't miss something I need), but I thought the firewall default to not allow if there was not a rule to allow, so I'm not sure that is necessary. It has to be something I have misconfigured. If you can think of anything else and don't mind sharing I would appreciate it.  Thanks again.

0 Kudos
PhoneBoy
Admin
Admin

Officially the answer is: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
But it sounds like that's not working, in which case a TAC case is probably warranted.

0 Kudos
Terri_Hawkins
Collaborator

Thank you for helping me with this, I appreciate it. I contacted TAC and in their opinion this is normal behavior for the the firewall. They say the firewall has to inspect the first packet first before it decides to drop it (which would explain why it is in my implied rules), but I don't see why they are being advertised out there at all. These interfaces are not part of the mobile blade, I made a rule that limits it to only 1 IP address, but activating the mobile blade made all the interfaces show.  Does this sound like correct behavior to you? Do you have the mobile blade enabled and all your interfaces are showing?  If this is correct I can write up an exception request for my PCI scan.

They referred me to this SK, which would effectively shut down the mobile access blade, and they said it is the important note at the bottom that indicates this is expected behavior. The way I read it, it is the reason why it is showing in the implied rules, but not why they are out there. 

Your opinion would be appreciated.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

EDIT:  I have been pondering this all night. 

Is it that when we open the mobile blade it gives port 443 and 80 access to the interfaces because you can make any of those the one people connect to, and it doesn’t know which one you will pick. Then in the rule base we tell the firewall only the one IP.  But the firewall doesn’t know that until it goes through our rules, so it allows the connection, which we see in the implied rules (and gets picked up by the scan), then goes through our rule base and drops it because there are no rules for it.  So it is opened in "anticipation" of being allowed?

0 Kudos
Lockout888
Explorer

Hi @Terri_Hawkins any update on this?

0 Kudos
Terri_Hawkins
Collaborator

It appears when you open the mobile blade the interfaces become available outside "in case" you want to use them. If you try to get to them you will receive a page not found error (or similar). I was able to cite the checkpoint article which indicates that "the connections pass the rulebase by the implied rules, but then are rejected by the CPAS" in order to pass our scan. 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Also, in trying to mark another reply as the answer I accidently set my question as the answer and I am trying to figure out how to change that now.  

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events