This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nelly
Explorer
‎2024-06-29 12:56 AM

Create firewall rule for internet access without using any as destination

Hi, I am tightening up our rulebase for some new internal network that I have created

 

I have hit the issue that I several rules that allow certain hosts internet access via having ANY in the destination.  This now affects my new subnets as a possible way to access them as matching the ANY destination.

Does anyone have a clever suggestion of a way around this without rulebase changes such as a block rule before all affected rules hits that first then gets denied ( this has ramifications for rule ordering for the allowed accesses )?

The internet access need to be unrestricted hence any so restricting that is not an option

May Thanks

 

Neil

Clustered Checkpoint R81.10 Take 150 (x2 devices)

 

0 Kudos
8 Replies
Alex-
MVP Silver
MVP Silver
‎2024-06-29 01:50 AM

There was a discussion about defining Internet a few years back.

 

https://community.checkpoint.com/t5/Management/Properly-defining-the-Internet-within-a-security-poli...

So you have many ways to approach this. Personally, I tend to use private or internal networks in a group and negate them as destination, but you could use the Internet object or any other discussed method depending on your topology.

Lesley
MVP Gold
MVP Gold
‎2024-06-29 01:59 AM
In response to Alex-

I do the same with the negate method

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-06-30 11:32 PM
In response to Lesley

You can do it a little differently to achieve the same thing by creating a 'Group With Exclusions'. Attached are how I did it. You can add any public IP ranges that are also part of your internal/DMZ network to the 'except' group as well. This way the group itself is 'anything except the defined IP ranges' rather than negating the whole destination cell in the rule.

Preview file
11 KB
Preview file
28 KB
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-07-02 06:39 AM
In response to emmap

For IPv4, Internets_Except should probably also contain

  • 0.0.0.0/8 - reserved for the local network
  • 100.64.0.0/10 - private network for CG NAT (RFC 6598)
  • 127.0.0.0/8 - loopback
  • 169.254.0.0/16 - link local
  • 192.0.0.0/24 - private network (Dual Stack Lite; RFC 6333)
  • 192.0.2.0/24 - reserved for documentation (RFC 5737)
  • 192.88.99.0/24 - reserved (RFC 7526; originally for 6to4 relay; while that has been deprecated, the block has not been released)
  • 198.18.0.0/15 - private network for benchmarking performance (RFC 2544)
  • 198.51.100.0/24 - reserved for documentation (RFC 5737)
  • 203.0.113.0/24 - reserved for documentation (RFC 5737)
  • 224.0.0.0/4 - multicast (there's also a multicast network reserved for documentation: 233.252.0.0/24, RFC 6676)
  • 240.0.0.0/4 - reserved experimental (RFC 3232)

None of these destinations are allowed to refer to real things on the public Internet.

the_rock
MVP Platinum
MVP Platinum
‎2024-06-29 01:30 PM

Super easy, this is what you do. Edit policy layer, then network layer, enable urlf blade, save, publish, add Internet object as dst, publish, install policy.

Thats it 🙂

 

Forgot to add, make sure urlf + appc blades are enabled on gateway object.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-01 11:53 AM

Why not use ExternalZone?
This should be associated with your external interface(s).
Available for R8x gateways.

0 Kudos
Nelly
Explorer
‎2024-07-02 02:13 AM
In response to PhoneBoy

VPN-s go via internet, if i use external zone will this be affected ?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-07-02 03:16 AM
In response to Nelly

If its tied to your external interface, then it wont work in such scenario. 

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events