Disable Outgoing Packets from Gateway
I have an R80.40 cluster where a risk has been detected, i.e. "Outgoing packets from Gateway towards any destination is enabled".
I did a little digging and it seems this alert is being created because the option "Accept outgoing packets originating from Gateway" in Global Properties is enabled.
My query is: is it recommended to disable this option? I read a few R80.40 documents and it seems I can use an updatable object for Check Point update services by creating a rule in the ACL. Is this a recommended approach? Any chance I break something if I disable this option in Global Properties?
Thanks
Accepted Solutions
It is the easy option NOT to disable this - all CP services can be contacted by the GW. To see this as a risk points to severe restraints, but yes, you can disable the default and use sk131852 for the settings from sk106251.
Thanks for the reply. I went through these SKs and I'm comfortable with enabling the Check Point updatable object for the GWs. My only worry is what other traffic this will impact. I mean, I don't want to enable access to the Check Point cloud but in the process break anything else, like stopping control connection traffic, which could break the cluster or the connection with the mgmt server.
This is a valid concern. This implied rule allows the GW to send any outgoing traffic it needs to send out. This option is enabled by default, and it is in fact recommended by Check Point. This rule covers all outgoing GW connectivity, not only for Check Point services, but for other needs: DNS, certificate validation in the case of HTTPSi, and more.
For the management connections specifically, there is another implied rule, "Allow control connections"; this is also enabled by default and recommended.
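Before deciding, a practitioner would want to know exactly what the implied rule is carrying today. The following is an added example, not code from the thread or from Check Point: a small Python audit over a constructed log export that classifies gateway-originated connections matched by implied rules into those an explicit updatable-object rule would cover, those the separate "Accept control connections" implied rule keeps covering, and those that would need their own explicit rule (DNS, OCSP/CRL fetches and so on). The column names, IP addresses, service names and the stand-in for the updatable object's membership are all assumptions; in a real deployment implied-rule matches only appear in logs if "Log Implied Rules" is enabled under Global Properties > Log and Alert.

```python
"""Added pre-change audit (example code, not from the thread or Check Point).

Question answered: if the implied rule "Accept outgoing packets originating
from Gateway" is disabled, which gateway-originated connections lose their
match, and which explicit rules would have to replace it?

Assumptions (all constructed for this example):
  - log export columns are src;dst;dst_name;service;rule_name
  - implied-rule matches are logged with rule_name "Implied rule"
  - CP_ONLINE_SERVICES stands in for the updatable object's feed-populated
    membership, which is not reproduced here
"""
from collections import defaultdict

# Constructed sample export; not real gateway logs.
SAMPLE_LOG = """\
src;dst;dst_name;service;rule_name
10.0.0.11;194.29.36.45;updates.checkpoint.com;https;Implied rule
10.0.0.12;194.29.36.45;updates.checkpoint.com;https;Implied rule
10.0.0.11;10.0.0.5;;domain-udp;Implied rule
10.0.0.12;10.0.0.5;;domain-udp;Implied rule
10.0.0.11;192.0.2.10;ocsp.example.net;http;Implied rule
10.0.0.11;10.0.0.2;;CPD;Implied rule
10.0.0.11;10.0.0.2;;FW1_ica_services;Implied rule
192.168.1.20;198.51.100.7;;https;Outbound web
"""

GATEWAY_MEMBERS = {"10.0.0.11", "10.0.0.12"}     # cluster member IPs (assumed)
MGMT_SERVER = "10.0.0.2"                          # management server IP (assumed)
CP_ONLINE_SERVICES = {"updates.checkpoint.com"}   # hypothetical stand-in
# Services the "Accept control connections" implied rule keeps covering;
# a partial, assumed list.
CONTROL_SERVICES = {"CPD", "FW1_ica_services", "FW1_log", "FW1_CPRID"}

COVERED_UO = "covered by an explicit updatable-object rule"
COVERED_CTRL = "still covered by Accept control connections"
NEEDS_RULE = "needs its own explicit rule"


def parse_log(text):
    """Turn the semicolon-separated export into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    return [dict(zip(header, line.split(";"))) for line in lines[1:]]


def audit(records):
    """Classify gateway-originated connections that matched implied rules.

    Returns {category: {(destination, service): hit_count}}.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["src"] not in GATEWAY_MEMBERS or r["rule_name"] != "Implied rule":
            continue  # user traffic, or already matched by an explicit rule
        if r["dst"] == MGMT_SERVER and r["service"] in CONTROL_SERVICES:
            cat = COVERED_CTRL
        elif r["dst_name"] in CP_ONLINE_SERVICES:
            cat = COVERED_UO
        else:
            cat = NEEDS_RULE
        buckets[cat][(r["dst_name"] or r["dst"], r["service"])] += 1
    return {cat: dict(hits) for cat, hits in buckets.items()}


def proposed_rules(summary, src_object="gw-cluster"):
    """Draft the explicit rules that would replace the implied one.

    Returns (name, source, destination, service) tuples; the object names are
    placeholders to be swapped for real SmartConsole objects.
    """
    rules = []
    if summary.get(COVERED_UO):
        rules.append(("GW to Check Point online services", src_object,
                      "<Check Point updatable object>", "https"))
    for dst, svc in sorted(summary.get(NEEDS_RULE, {})):
        rules.append((f"GW to {dst} {svc}", src_object, dst, svc))
    return rules


if __name__ == "__main__":
    summary = audit(parse_log(SAMPLE_LOG))
    for cat, hits in summary.items():
        print(cat)
        for (dst, svc), n in sorted(hits.items()):
            print(f"  {dst:24} {svc:18} {n} hit(s)")
    for rule in proposed_rules(summary):
        print("rule:", rule)
```

The point of the split is the one raised in the reply above: the updatable-object rule only replaces the Check Point-services part of the implied rule, control connections have their own implied rule, and everything else the gateway originates (DNS, OCSP, NTP, anything HTTPS inspection needs) shows up in the "needs its own explicit rule" bucket and must be written before the global option is turned off.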
I guess I will go back and leave it as it is, since it is a recommendation. Any document I can present to support this statement?
thanks
sk43401 discourages disabling implied rules.
I totally agree with @G_W_Albrecht. Also, if you actually read what it says in the help section, it pretty much boils down to the same thing he said:
- Accept outgoing packets originating from Gateway
Accepts all packets from connections that originate at the Check Point Security Gateway.
- Accept outgoing packets originating from Connectra gateway
- Accept outgoing packets to Check Point online services
Allow Security Gateways to access Check Point online services.
