I can see this method being useful for "overriding" certain implied rules, particularly if the dos rules are very targeted.

You are correct, I was missing an "any" there and have fixed it in the original post.
If I remember correctly, fwaccel dos rules are persistent across reboots/upgrades.

In Public Cloud, it's entirely possible we're not seeing the real source IP (depending on the exact configuration).
You should confirm precisely what IP the gateway is seeing with tcpdump or similar. 

I really have gut feeling its because even though ifconfig shows public IP, BUT, when I look at fw topology in smart console object, that IP is NOT listed there...I will talk to one of my colleagues next week who is way better with Azure than myself, but logically, thats what stands out to me.

Andy

eth0 Link encap:Ethernet HWaddr 00:0D:3A:F4:98:C4
inet addr:10.2.0.4 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::20d:3aff:fef4:98c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:604471 errors:0 dropped:0 overruns:0 frame:0
TX packets:598227 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:466812315 (445.1 MiB) TX bytes:142959965 (136.3 MiB)

eth0:1 Link encap:Ethernet HWaddr 00:0D:3A:F4:98:C4
inet addr:52.229.98.249 Bcast:52.229.98.249 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:0D:3A:F4:9E:31
inet addr:10.2.1.4 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::20d:3aff:fef4:9e31/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:2424 (2.3 KiB)

See if this post I made last year helps. I definitely validated it works 100%, but you know how it goes with Azure subscription, even when devices are powered off, they still charge you 🙂

Andy

https://community.checkpoint.com/t5/Remote-Access-VPN/Geo-VPN-blocking/m-p/214040#M10593

FWIW, just my PERSONAL opinion, I would NOT be disabling implied rules. I had seen people do this before and more often than not, down the road, it can lead to more issues.

Thats just my experience...

Andy

Agree.  We did have some bumps from disabling a handful of the implied rules but now have the ruleset pretty solid with no issues (to my knowledge). 🙂  Could always manually build out the rules from this list too, which is what I used for checking some of mine: https://support.checkpoint.com/results/sk/sk119497

The change to the Geo Blocking and removing it from Smart Console and not working with access rules was one of the driving factors to look at removing implied rules.  Can't remember exactly but even with setting that configuration you referenced we were seeing countries getting through for VPN activity.  I didn't disable ALL the rules but focused on the remote access ones and also some of the SMB ones which we don't service on this gateway.

The ones we disabled are attached if interested.

Speaking of geo blocking, did post I made last year that I posted in previous response help? Not sure if makes sense, but definitely worked when I tested it.

Andy

It makes sense and unfortunately I did not find that during my testing last year when implementing the cluster.  Looked at my notes and I had found this SK: https://support.checkpoint.com/results/sk/sk180808 but don't believe it worked as expected which is why I started unchecking implied rules.  Things are stable now and don't think we'll revert anything but would have been great if I had seen your post.

Hey, no worries, all good, as long as things are stable.

Andy