This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2023-05-04 12:19 PM
Jump to solution

SMB Access Policy Control and internet access

I'm stuck why this doesn't work, but basically I'm trying to allow devices connected to the LAN network of my SMB device access to the internet over certain ports.

Background: Locally managed 1430 appliance running R77.20.87

Access Policy (Firewall) is set to strict.

1430a.jpg

I've created a manual rule in the policy to allow internet access (top rule under Outgoing access to the Internet):

1430b.jpg

The service group "CFU_Internet" contains http, https, and ICMP. 

What I'm seeing is traffic from the LAN network (172.x.x.x) to the internet is getting dropped on the last rule in the policy (rule 5 under Incoming, Internal, and VPN traffic):

2023-05-04_13-55-421430c.jpg

What am I missing? Why isn't this traffic allowed by the first manual rule I created?

Dave

0 Kudos
1 Solution

Accepted Solutions
David_C1
Advisor
‎2023-05-05 05:23 AM
In response to G_W_Albrecht
Jump to solution

Inspiration struck in the middle of the night. The reason this is not working is that I do not have an internet connection defined/configured. Traffic from the LAN networks bound for the internet goes out the DMZ interface which is connected to an MPLS network, which eventually comes back to our datacenter and out our internet egress point there. I had to get a bit creative with the routing (solution found in another CheckMates post) but everything is working now as I need it.

Thanks for everyone's suggestions,

Dave

View solution in original post

5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-05-04 04:50 PM
Jump to solution

Is your internet connection connected to a "WAN" port and what build of R77.20.87 firmware is used?

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2023-05-04 05:21 PM
Jump to solution

Does 1st rule even have any hits? I noticed in the dropped log, shows inzone Internal and outzone as DMZ.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-05-05 02:58 AM
Jump to solution

Using "Strict" is not really recommended out of my experience - i would suggest "Standard" with TP is secure enough 😉 You have to allow every detail in many seperate rules in strict mode, and that needs much knowledge...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
David_C1
Advisor
‎2023-05-05 05:23 AM
In response to G_W_Albrecht
Jump to solution

Inspiration struck in the middle of the night. The reason this is not working is that I do not have an internet connection defined/configured. Traffic from the LAN networks bound for the internet goes out the DMZ interface which is connected to an MPLS network, which eventually comes back to our datacenter and out our internet egress point there. I had to get a bit creative with the routing (solution found in another CheckMates post) but everything is working now as I need it.

Thanks for everyone's suggestions,

Dave

the_rock
Legend
Legend
‎2023-05-05 05:27 AM
In response to David_C1
Jump to solution

Excellent work @David_C1 👍

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top