Good morning,
I'll describe my problem, let's see if someone can help me. In a backup center we have installed 2 Check Point FWs, model 1800 splunk SMB, Gaia Embedded R80.20.35. The problem is that in the global properties there is a default rule (image attached) that is the first rule and cannot be modified unless you disable it. This rule exposes services to the outside and represents a serious security problem. I don't know if this is due to the dropbear program, but our SOC alerted us of services exposed through the Shodan page. Can you think of how this can be changed? Is the only option to disable that rule? Even if I put a drop rule first in the firewalls, this rule will be implicit. Thank you all for your time.
Once again, this risk, however small, can be mitigated by setting up IP addresses for admin access. Please refer to the specific chapter in the admin guide, for example: https://sc1.checkpoint.com/documents/SMB_R80.20.50/AdminGuides/Locally_Managed/EN/Topics/Configuring...
How is it a security risk? Those are management interfaces for your appliance, and only authenticated admin accounts can connect to them.
If you want to disable this implied rule, create an explicit rule with Source IPs assigned to your dedicated admin devices and put it on top of your policy.
Hi Val
When that rule is enabled (it is an implicit rule, in accept), the services appear published on the firewall's public IP that we use for internet access, and my security team was able to connect via web and via SSH to this firewall. Until the rule is disabled this does not change, and it puts "small office appliance" in parentheses, as these models are. The rule says accept web and SSH connections for administration.
My security partner was connected to the appliance from outside our infrastructure.
Or can it be due to the dropbear it has running? The truth is that I do not understand what is happening, but I am clear that when I disable that rule my security colleagues can no longer connect from outside.
Once again, I do not really understand the concern. You can actually configure the management access and disable it on the WAN interface while still allowing it from internal networks. But say someone is trying to connect to the appliance from outside your networks. There is still an authentication to do before the access is granted.
What are you trying to achieve?
Thank you for your answers and your time, apparently the problem came through port 264, I have already been reading several cases about this. And the security group understood that it is normal behavior.
"Accept Remote Access Control Connections" setting is one option to negate this but due diligence is required if Check Point is used for remote access here.
As you say plenty of SK articles available on this and related topics otherwise.
I prefer not to touch that rule at the moment; it creates confusion for me that I had to disable the other implicit rule for SSH access and web access (it is in the image of my first query). In the end I don't know if it is an appliance configuration issue or if it is due to the firewall model, but I think switching to these appliances was not a good idea.
Thank you.
Sorry like @_Val_ says I don't understand what your concern is?
These are global properties mostly irrespective of appliance model/type.
As I said in my first comment, my security group alerted me that the appliance was accessible via the web and via SSH from outside. I know that afterwards you need a username and password, but there are attacks to access it. Our device appeared publicly in Shodan as vulnerable via SSH and via the web, and I had to disable the implicit rule that I mentioned in the first post. I don't know if it is a configuration issue of the WAN interface of the equipment or why this behaviour occurs. This device was exchanged two months ago for another Check Point model and this did not happen with that model.
Thank you.
If the previous model was an appliance running full GAiA that setting wouldn't have applied before.
The previous model was a Check Point 12200; it has been changed to a splunk 1800 model with Gaia Embedded. Are you referring to this? I don't understand your answer.
Correct 1800 (GAiA embedded) is classified as small office gateway hence why the setting now applies and didn't before.
(Note: Spark not splunk)
Thanks, that's why I had to disable that implicit rule. Can you think of another way so that this doesn't happen without disabling that rule? I understand that there is none, but I ask you anyway. Thanks for your time.
Hey Luis,
As the guys said, it is somewhat confusing what your concern here is. Just so we can help you properly, can you maybe attach simple diagram or drawing of what exactly you are trying to do? Nothing too fancy, but at least paint drawing that can help us understand this better.
If you want to keep that option off, you can follow below article, which is literally what @_Val_ indicated in his very first response:
Andy
Change the setting to 'before last' rather than first and create rules in the policy itself per your requirements for the access behaviour you desire. But again, I'm not sure why this is relevant if you don't want the access to succeed.
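To make the "first" versus "before last" distinction concrete, here is a small model of the rule-base evaluation order, added as an illustration for this thread (not Check Point code). Gateway address, admin subnet and admin ports are constructed assumptions; the point is only that an explicit drop on top of the policy cannot beat an implied rule placed "first", but does take effect once the implied rule moves to "before last".

```python
"""Simplified model of implied-rule placement in a Check Point policy.
Constructed example; all addresses, ports and rule contents are assumptions."""
from ipaddress import ip_address, ip_network

GATEWAY_WAN = ip_address("203.0.113.10")   # constructed WAN address of the gateway
ADMIN_NET = ip_network("192.168.10.0/24")  # constructed admin subnet
ADMIN_PORTS = {22, 443}                    # assumed SSH / WebUI admin ports


def implied_admin_rule(src, dst, port):
    """Global Properties implied rule: accept admin connections to the gateway itself."""
    return "accept" if dst == GATEWAY_WAN and port in ADMIN_PORTS else None


def explicit_rules(src, dst, port):
    """Administrator's explicit rules, evaluated top to bottom."""
    if dst == GATEWAY_WAN and port in ADMIN_PORTS:
        if src in ADMIN_NET:
            return "accept"   # rule 1: dedicated admin hosts may manage the gateway
        return "drop"         # rule 2: anyone else reaching the admin ports is dropped
    return None               # no explicit match; fall through


def evaluate(src, dst, port, implied_position):
    """Verdict for one connection under a given implied-rule position.

    'first'       -> implied rule is consulted before the explicit rule base.
    'before_last' -> explicit rules are consulted first; implied rule sits
                     just above the cleanup rule.
    """
    src, dst = ip_address(src), ip_address(dst)
    order = ([implied_admin_rule, explicit_rules] if implied_position == "first"
             else [explicit_rules, implied_admin_rule])
    for rule in order:
        verdict = rule(src, dst, port)
        if verdict:
            return verdict
    return "drop"             # cleanup rule: anything unmatched is dropped


if __name__ == "__main__":
    for pos in ("first", "before_last"):
        print(pos, "| internet ->", evaluate("198.51.100.7", "203.0.113.10", 22, pos),
              "| admin ->", evaluate("192.168.10.5", "203.0.113.10", 443, pos))
```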
I am sorry, but this statement is not okay: "...but there are attacks to access it". What are you referring to?
If you know how to log into the appliance without a valid account, it should be reported as a vulnerability through appropriate channels.
I'm sorry, I expressed myself badly. I don't know of any vulnerability; I mean already known methods, brute force for example.
My concern is that the topic-starter claims external access to WebUI/SSH presents a security risk and makes his system vulnerable. Open ports by themself do not actually represent a security risk unless there is a way to break in without knowing admin credentials.
Or are you asking about something else?
Thank you for your response and your time. If Internet access was restricted, I have already left it configured.
My question wasn't directed at you @_Val_, sorry; I have clarified it some to hopefully make it clearer now.