How to allow access to a web traffic resource?
Dear community,
we are currently facing the challenge that one of our employees has software installed which needs to connect via MySQL (TCP 3306) to an external internet resource.
Unfortunately that internet resource has an ever-changing external IP, so allowing the traffic with a static src/dest/port rule is not an option.
Looking at the log we see that our Check Point gateway recognized the web traffic resource (test.domain.com in this example) to which the software is trying to connect via MySQL (see attachment).
Is there a way to allow the access based on this web resource?
The gateway is running R80.20.40; domain objects did not work (probably since it's not HTTP(S) traffic but SQL).
Any hint is appreciated!
Regards,
Franz
This is Embedded GAiA - why not allow all connections from the employee's local IP / Access Role using TCP 3306 to the Internet?
Hi,
thanks for your response.
Allowing all tcp_3306 traffic from the client to the internet would be the fall-back solution. We would like to have an as-tight-as-possible ruleset in regards to internet connections, so if there were a way to use the web resource for the allow rule, that would be the preferred way.
Our mindset was that if Check Point is detecting this resource, surely there could be some way to use this information for the ruleset?
You are correct in assuming it's Embedded GAiA; if this is the wrong section of the forum, please move the topic to the correct one if possible 🙂
I’ve moved it.
You mentioned you’re using an SMB device, but the log card suggests it’s being managed by a Smart-1... correct?
The correct way to do this is with a Domain Object with the FQDN checkbox tagged in the relevant access policy rule, which will use DNS to determine what the IP will be.
Even if the device is locally managed, you can create a similar domain object for the policy.
I agree with the advice @PhoneBoy gave you. A Domain object is the way to go here.
Thanks for your replies.
Yes, the device is being managed by a central security management server (even though it's not a Smart-1 but open-server based, which makes no difference here). We actually tried making it work with domain objects like "domain.com" with FQDN set, but had no success with it. Since the external IP address in the destination field of the log is being resolved to something different than what is displayed in the web traffic resource field, I assume we need to create a domain object which relates to the destination IP, rather than the resource shown.
We are going to try it out and give feedback here.
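A small model of the FQDN domain object behaviour described in the thread, added here as an illustration and not Check Point's own code: the rule is matched on the destination IP that the object's name currently resolves to, so it applies to MySQL on TCP 3306 exactly as to HTTP, it keeps matching when the address changes, and an object for the apex name "domain.com" does not cover a connection to "test.domain.com". All names, addresses and DNS answers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS answers standing in for the gateway's resolver; every name
# and address here is made up for this example (assumption, not real data).
DNS_ANSWERS = {
    "test.domain.com": {"203.0.113.10", "203.0.113.11"},  # the MySQL endpoint
    "domain.com": {"192.0.2.1"},                           # the bare apex name
}

def resolve(fqdn):
    return DNS_ANSWERS.get(fqdn.lstrip("."), set())

def update_dns(fqdn, new_ips):
    """Simulate the external resource moving to new addresses."""
    DNS_ANSWERS[fqdn.lstrip(".")] = set(new_ips)

@dataclass(frozen=True)
class FqdnDomainObject:
    """Domain object with the FQDN box ticked: a packet matches when its
    destination IP is one the exact name currently resolves to. No protocol
    inspection is involved, so MySQL on TCP 3306 is treated like any other flow."""
    name: str

    def matches(self, dst_ip):
        return dst_ip in resolve(self.name)

@dataclass(frozen=True)
class Rule:
    name: str
    source: str                   # CIDR of the employee's host or subnet
    destination: FqdnDomainObject
    dport: int                    # 3306 for MySQL
    action: str = "Accept"

def first_match(policy, src_ip, dst_ip, dport):
    """First-match evaluation; the implicit cleanup rule drops everything else."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if (src in ipaddress.ip_network(rule.source)
                and dport == rule.dport
                and rule.destination.matches(dst_ip)):
            return rule.action, rule.name
    return "Drop", "Cleanup rule"

EMPLOYEE = "10.1.1.0/24"
# Object for the apex name, as first tried in the thread: it never covers test.domain.com.
POLICY_APEX = [Rule("MySQL out", EMPLOYEE, FqdnDomainObject("domain.com"), 3306)]
# Object for the host name the client actually connects to (the log's resource field).
POLICY_HOST = [Rule("MySQL out", EMPLOYEE, FqdnDomainObject("test.domain.com"), 3306)]
```

Run `update_dns("test.domain.com", [...])` and re-evaluate to see the rule follow the new address without any policy change.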
