NTP service not available as standard
Hello,
I was working on my CP 600, Release "R77.20.80 (990172392)", and observed the following:
The standard service NTP is not available/visible on the CP; I had to create it extra as udp/123.
E.g. there is also the phenomenon that network objects cannot perform ICMP. However, it is enabled in the rules.
Only a change to "any" has created a remedy, but this is not supposed to be the case !!!!
Also I don't see a problem in monitoring, except that it was forbidden.
The configuration/monitoring is always done with the GUI.
Does a "RESET" and the import of a backup help here?
Best Regards and Happy New Year,
Frank.
Do you mean you are unable to define specific rules?
Screenshots may help.
Also, I don't understand what you mean by "I don't see a problem in monitoring except it was forbidden."
Again, screenshots might help.
Thanks for the answer.
The NTP service is not defined in the standard. I had to set it up specially:
See Screenshot: NTP.jpg
See Screenshot from Log: Log.jpg
See Screenshot Policy Control: AccesPolicyControl.JPG
If I configure this IP to "any", then the traffic works.
1. All other objects have no problem with "icmp".
2. Screenshot Policy.JPG is the manual release in the rule.
3. Screenshot active Service: ActivePolicyforService.jpg
Is it possibly the last firmware update that causes me problems?
Note that R77.20.80 (possibly with a newer build number) is the latest firmware available for the 600 Series.
Other than important security/bug fixes, there will be no additional firmware release for these appliances.
You're defining a rule in the section called "Outgoing access to the Internet" whereas the ICMP drop is to something on the same subnet.
What happens if you create the same rule on "Incoming, Internal and VPN traffic" section?
I don't understand what you are trying to accomplish with the rules related to NTP.
What is the intended source and destination of this traffic?
Yeah, the appliance itself cannot act as an NTP server, so it makes no sense to add it as a destination for the NTP protocol.
You complain that NTP is not already on the Services objects list, and you have a valid point here, as it is a more or less widely used service and should be there. Perhaps you can submit an enhancement request to CheckPoint, but it is unlikely that it will be added because, as @PhoneBoy already said, there will be only security and bug fixes for this device.
