VikingsFan
Collaborator

External Gateway 80/443 and Implied Rules

We're building a new R81.20 Take 76 cluster and have moved to the newer way of geo blocking and using the access rules instead of using the old geo block module.  What we've noticed is that countries we're wanting to block are getting to 80/443 due to implied rules.  I've dug through the forums and have tried everything I can find and I'm still seeing implied rules allowing traffic to our gateway IPs.  What am I missing?  Here are the things I've tried/done so far:

1. Went into the Global Properties and unchecked Accept Control Connections.

2. Went into the SAML Portal cluster property and set to 'According to Firewall Policy'

3. Followed sk180808, which I found from this other post and felt like it would be the winner, but it didn't work.  It doesn't say I have to restart gateways, but when I grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf I get the proper value returned.  Post: https://community.checkpoint.com/t5/Security-Gateways/Implied-rule-0-for-external-gw-interface-IP/m-...

Thanks!

0 Kudos
8 Replies
Chris_Atkinson
Employee

Did you also try the other SK referenced there in the same thread?

Which kernel parameters did you set where - mgmt vs gw?

How does the policy look, using any layers etc?

CCSM R77/R80/ELITE
0 Kudos
VikingsFan
Collaborator

Which SK, SK105740?  I did follow that one up to changing the GUI settings.  I did not play with the fw_ignore_before_drop_rules mentioned near the bottom.

On SK180808 I ran the two commands on the Mgmt and installed policy afterwards.

$MDS_FWDIR/scripts/reload_env_vars.sh -e "IMPLIED_RULES_SET_BEFORE_LAST=1"
$MDS_FWDIR/scripts/override_server_setting.sh -e IMPLIED_RULES_SET_BEFORE_LAST 1

Policy is simple.  Single Security layer and first rule is the country geo block.

So is it recommended to try the fw_ignore_before_drop_rules kernel change on the two gateways in the cluster?  If that works, do I need to back out the change made in SK180808?

0 Kudos
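One way to sanity-check both settings discussed in this thread before re-installing policy (an added example, not from the thread or from Check Point; it assumes cpmEnvVars.conf holds KEY=VALUE lines, as the grep above implies, and that `fw ctl get int PARAM` on a gateway prints `PARAM = VALUE`):

```shell
#!/bin/sh
# Added example: verify the SK180808 env var on the management and report the
# sk105740 kernel parameter on a gateway. Paths and formats are assumptions
# drawn from the thread, not from Check Point documentation.

# Print the last value assigned to KEY in FILE (empty if absent).
env_var_value() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# Extract VALUE from a 'PARAM = VALUE' line as printed by 'fw ctl get int'.
parse_ctl_line() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*=[[:space:]]*//p'
}

# Management-side check (SK180808): returns 0 only when the var reads 1.
check_mgmt() {
    conf=$1
    v=$(env_var_value "$conf" IMPLIED_RULES_SET_BEFORE_LAST)
    if [ "$v" = "1" ]; then
        echo "OK   IMPLIED_RULES_SET_BEFORE_LAST=1 in $conf (install policy to apply)"
        return 0
    fi
    echo "WARN IMPLIED_RULES_SET_BEFORE_LAST is '${v:-unset}' in $conf"
    return 1
}

# Gateway-side check: report the current fw_ignore_before_drop_rules value.
check_gw() {
    line=$(fw ctl get int fw_ignore_before_drop_rules 2>/dev/null) || {
        echo "SKIP fw ctl not available on this host"; return 2; }
    echo "INFO fw_ignore_before_drop_rules = $(parse_ctl_line "$line")"
}

# Usage on a Check Point host; does nothing elsewhere.
if [ -n "$MDS_FWDIR" ]; then
    check_mgmt "$MDS_FWDIR/conf/cpmEnvVars.conf" || true
fi
if command -v fw >/dev/null 2>&1; then
    check_gw || true
fi
```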
Lesley
Advisor

What stuff / blades do you have enabled? Think about VPN clients, site-to-site VPN, MAB, IA, maybe GAIA portal on this port?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
VikingsFan
Collaborator

We have all blades except Mobile Access and Content Awareness enabled under 'Access Control' and everything under Advanced except QOS.  I can try the fw_ignore_before_drop_rules but was waiting to see if Chris confirmed.

0 Kudos
Lesley
Advisor

Do not block 443, you will break VPN clients; see also https://support.checkpoint.com/results/sk/sk52421

0 Kudos
VikingsFan
Collaborator

Understood.  I don't want to completely block 443.  I'm attempting to Geo Block via the Access Policy but implied rules are letting in China/Russia to 80/443.  I want to block them.  I have an allow rule underneath allowing from everyone else.

0 Kudos
Lesley
Advisor

Did you also change this to policy in here? SmartConsole > Platform Portal > Accessibility > Edit.

0 Kudos
CheckPointerXL
Advisor

Did you evaluate fwaccel dos rules? https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/td-p/172695

As a possible workaround, DNAT public to fake IP by source country could be an option... not sure it's a working method.

0 Kudos