Hello.
We have R80.40 installation (SMS + GW Cluster), which was migrated from R77.30.
This GW cluster is set up as explicit proxy for some clients.
We have 2 ordered layers: Security and Application.
On both layers we have a rule that allows traffic from client hosts to GW cluster via ports 8080 and 3128 (HTTP & HTTPS proxy and Squid_NTLM).
On Application layer we have rules that allow traffic from client hosts to Internet with specified URLs and applications.
Everything was fine on version R77.30, but after migration we have an issue:
Traffic received by Checkpoint proxy is forwarded to Internet without enforcing URL filtering policy.
I can see in logs 2 different events:
1) Traffic from client host to Checkpoint proxy (port 3128 and 8080) is accepted by correct rules on Security and Application layer (event type Firewall)
2) Traffic from GW to external web resource is accepted on Security layer with Implied rule 0 and no checks on Application layer are performed.
I've tried to disable in Global policy "Accept outgoing packets originating from security gateway" parameter and create separate explicit rule to allow GW cluster to communicate with "Any" destinations.
I've checked according to sk112939 "Enable HTTP inspection on non standard ports for the Application Control & URL Filtering Blades" - we have it turned on, but it's not helping.
I've checked Implicit cleanup settings on Security and Application layers - both are set to "Drop".
I've checked Implicit rules in $FWDIR/state/local/FW1/local.implied_rules - there is no rule with ID 0.
I've rebooted SMS and reinstalled the policy - no effect.
Please, can anyone tell me why we are getting this implied rule here? How can we enforce URL filtering policy on proxied traffic again?
sk110013 - How to configure Check Point Security Gateway as HTTP/HTTPS Proxy has a comment that seems relevant:
| Application & URL Filtering with a single interface |
|---|
| When Security Gateway is configured as HTTP/HTTPS Proxy with a single interface, define the relevant rules in 'Application & URL Filtering' policy as follows: Source - 'Any'; Destination - 'Any'. |
I don't get it.
If we make URL filtering rules with source:Any and destination:Any - how can we block or deny something for specific users, groups, hosts, networks?
@G_W_Albrecht mentioned behaviour is problematic with "Internet" as destination. You can use Any as destination and define your "URLs" in the service/application field.
As another solution you can define your Application-layer rule with source your_client_networks and destination your proxy_IP and your "URLs" in the service/application field.
In my opinion I would suggest creating a new layer for "Application/URL-filter" and add them as inline layer to the rule allowing the traffic from clients to the proxy.
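One way to script the inline-layer layout suggested in the reply above, as an added example that is not part of the original thread and not Check Point's own code. Every object name (layer, rule, group, session file) is a hypothetical placeholder; the `mgmt_cli` calls assume the R80.x Management API and should be checked against the API reference for your version before use.

```shell
#!/bin/sh
# Added example. All object names below are hypothetical placeholders;
# replace them with the names used in your own policy.
PARENT_LAYER="${PARENT_LAYER:-Security}"      # ordered layer holding the client-to-proxy rule
PROXY_RULE="${PROXY_RULE:-Clients to proxy}"  # existing rule accepting ports 8080/3128
INLINE_LAYER="${INLINE_LAYER:-Proxy_URLF}"    # new inline layer to create
CLIENTS="${CLIENTS:-Proxy_Clients}"           # group of client hosts/networks
ALLOWED="${ALLOWED:-Allowed_Sites}"           # application/site group with the permitted URLs
SID_FILE="${SID_FILE:-sid.txt}"               # session file written by 'mgmt_cli login'

# Print the mgmt_cli calls, one per line, in the order they must run.
# Nothing is executed here, so the output can be reviewed first.
proxy_inline_layer_cmds() {
    cat <<EOF
mgmt_cli add access-layer name "$INLINE_LAYER" firewall true applications-and-url-filtering true -s "$SID_FILE"
mgmt_cli add access-rule layer "$INLINE_LAYER" position top name "Allowed sites" source "$CLIENTS" destination "Any" service "$ALLOWED" action "Accept" track.type "Log" -s "$SID_FILE"
mgmt_cli set access-rule name "Cleanup rule" layer "$INLINE_LAYER" action "Drop" track.type "Log" -s "$SID_FILE"
mgmt_cli set access-rule name "$PROXY_RULE" layer "$PARENT_LAYER" action "Apply Layer" inline-layer "$INLINE_LAYER" -s "$SID_FILE"
mgmt_cli publish -s "$SID_FILE"
EOF
}
# Line 1: the new layer has both Firewall and Application & URL Filtering enabled.
# Line 2: destination is "Any" and the URLs go in the service/application
#         column, as the replies above describe; source stays specific.
# Line 3: assumes the new layer was created with its default "Cleanup rule";
#         it is set to Drop and Log so unmatched proxy requests are visible.
# Line 4: the existing client-to-proxy rule hands matching traffic to the
#         inline layer instead of accepting it directly.

# Run as "sh script.sh print" to list the commands.
if [ "${1:-}" = "print" ]; then
    proxy_inline_layer_cmds
fi
```

After publishing, the policy still has to be installed on the gateway cluster, and the logs for the client-to-proxy rule should then show a match inside the inline layer rather than a plain Firewall accept.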
Hi,
Any updates on this topic? We are facing the same problem after upgrade.
Thanks.
Curious if you figured out a solution/fix for this one as I am in a similar boat.