Simon_Macpherso
Advisor

Drop Control Connection Traffic From Malicious IPs

Hello,

We are observing malicious IPs hitting gateway public IPs on tcp/264.

TCP port 264 is FW1_topo - Check Point Security Gateway SecuRemote Topology Requests: Topology Download from Security Gateway (by FWD daemon) to SecuRemote (build 4100 and higher) and SecureClient.

According to sk17745 (Services allowed by "Accept Control Connections" option in "Global Properties"), it is enabled from anywhere to all Security Management Servers and all Security Gateways.

https://support.checkpoint.com/results/sk/sk17745

We have an explicit drop rule blocking traffic from specific malicious IP intel data sources. However, as the traffic is classified as control connection traffic, the connection is being allowed by the implied rule.

Is there an inherent way by which we can explicitly (or implicitly) drop control connection traffic from a list of malicious source IPs?

Note that I want to automate this process. Though effective, SAM rules are a manual and not particularly scalable solution.  

Regards,
Simon

1 Solution

Accepted Solutions
HristoGrigorov

Why not use fwaccel dos rate ... ?

3 Replies
Ruan_Kotze
Advisor

Hi Simon,

Not really, no.  Unless you disable implied rules and create rules in your access policy allowing control connections specifically.

A possible "hack" will be to use Geo Policy as that is applied just after anti-spoofing enforcement and before any "First" implied rules - but this is a feature that is actively being deprecated and you have to take steps to just make it visible in SmartConsole.  This also doesn't directly address your need to block from a list of malicious IPs.

Another option might be to do ACLs on the upstream router?  Either way, I feel your pain, I've had multiple similar scenarios where customers for example wanted to block or limit from where they accept VPN connections etc.

Regards,
Ruan

PhoneBoy
Admin

The only way you can override this implied rule is via the fwaccel dos rate CLI command.
You can see an example here (though this is for Remote Access VPN): https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396 

