This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
praveshnayal
Explorer
‎2022-09-21 12:02 AM

Application control based policy allowing some random traffic

Hello,

We have a App based rule for Webex but it seems to be allowing traffic for Amazon instances as well. 

Could you please confirm how this is happening. 

Although the user states that the Amazon instance is not reachable but still allow logs can be seen as attached. 

Is it the service/port that has matched and and hence the allow logs? But then app based rule should allow only the application mentioned in the policy. 

Also note that we have a rule in https inspections that with Destination- Webex services and Action-Bypass.

Is this causing the application to not being identified correctly and hence we see the allow logs for Amazon. 

Just FYI that the application blade licenses are valid.

Thanks in advance for any suggestions on this.

Preview file
44 KB
0 Kudos
4 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2022-09-21 01:35 AM

Consider using the Updatable Object for WebEx. 

From the Updatable Object see the link to Network Requirements for Webex Services:

https://help.webex.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services#id_135011

 

It states the following:

Cisco supports Webex media services in secure Cisco, Amazon Web Services (AWS) and Microsoft Azure data centers. Amazon and Microsoft have reserved their IP subnets for Cisco’s sole use, and media services located in these subnets are secured within AWS virtual private cloud and Microsoft Azure virtual network instances. The virtual networks in the Microsoft Azure cloud are used to host servers for Microsoft’s Cloud Video Interop (CVI) service.

 

So perhaps this is the reason connections to Webex also contain traffic for AWS.

0 Kudos
praveshnayal
Explorer
‎2022-09-21 03:18 AM
In response to Tal_Paz-Fridman

Here are few of the IP addresses for Amazon which we have in the logs are 52.48.220.40, 52.209.105.52, 54.77.215.5, 52.213.104.140 and 52.18.36.25 and these are not present in the link which you have mentioned.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-21 04:14 AM

What is the precise rule the traffic matches on?In any case, what you see in SmartView is the reverse DNS lookup of the IP, which in this case indicates it’s in AWS.
Which, if the company is hosting the specific service in question there, is expected behavior.

0 Kudos
Sorin_Gogean
Advisor
‎2022-09-21 08:18 AM

Hello,

 

Can you show a detailed log for one of those sessions ?

 

Than you,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events