I have an ACL rule which allows access from the Gateway towards any destination on HTTPS and DNS ports. I am using this for Gateway updates.
In a recent audit, the auditor is asking why "any" access is allowed here. I remember speaking with a Check Point engineer some time back and he stated that Gateway-to-any access is not an issue in an ACL on specific ports. Is there any documentation in support of this, or do I need to harden this rule?
Hello buddy,
Here, you can use updatable objects and need to have access to these specific domains: updates.checkpoint.com and dl3.checkpoint.com. Apply this rule on top of the existing one with "any", test checking for updates, confirm the new rule logged the traffic, and see if there's any other traffic being logged on the old rule that still needs to be permitted, creating another new rule. If no traffic is logged for 48 hours, then disable that rule for 1 week, and if no issues have been presented, delete it.
Always remember to take snapshot in
P.D
Like my buddy @the_rock mentioned, it all depends on the regulation you need to be in compliance with, or any internal company policy that does not permit the famous "nefarious any rules", AKA High Risk.
Hope it helps!
"Any" definitions shouldn't be used in firewall security policies as "Any" doesn't make clear what is actually meant. "Any" is not just the Internet, it's also all internal, DMZ, VPN partners, Home Offices and more. "Any" can also be different depending of the firewall vendor as some have exclusions from "Any", others work with a Zone-based model and define "Any" only for lower security zones, and so on...
I recommend to check your real demand. You wrote: "i am using this for Gateway updates". Define what that means. If your firewall updates time via DNS from an internal DNS server only, you should replace "Any" with that specific internal object/range/network. If your firewall updates via HTTPS from the internet, then "Any" should be replaced with your object representing the internet.
Additional resources:
That can certainly be debated... if support told you that sort of rule is not an issue, it really depends what context they may have been referring to. Personally, but this is just me, I would make sure that access from external to the firewall is hardened and configured as per your corporate policy, but as far as the other way around, I don't see logical reasoning why you would have a rule like that. Is there something specific that your firewall has to reach?
Thank you. I think I have 2 options here looking at this:
1) Allow the updatable Check Point update object
2) Enable updates via proxy
This will help to get around this "any" rule. Thanks again for the guidance.
Also, I believe it's related to your earlier post on sort of the same topic...
Yes. In this post I was trying to get around the implicit rule in place, and this is the reason I was exploring an explicit rule possibility, but I get your point here. I can harden the destinations to be reached.
"Any" definitions shouldn't be used in firewall security policies as "Any" doesn't make clear what is actually meant. "Any" is not just the Internet, it's also all internal, DMZ, VPN partners, Home Offices and more. "Any" can also be different depending of the firewall vendor as some have exclusions from "Any", others work with a Zone-based model and define "Any" only for lower security zones, and so on...
I recommend to check your real demand. You wrote: "i am using this for Gateway updates". Define what that means. If your firewall updates time via DNS from an internal DNS server only, you should replace "Any" with that specific internal object/range/network. If your firewall updates via HTTPS from the internet, then "Any" should be replaced with your object representing the internet.
Additional resources:
Got your point. I have been observing the logs since yesterday, and as it is an AWS firewall it is reaching AWS DNS for name resolution, and for updates I can direct it to an internal proxy, hence mitigating this "any".
@Danny, as always, gave you FANTASTIC guidance. He is 100% correct. Yes, I'm positive that all of us are "guilty" of using "any" in the rules way more than we should, but he makes an excellent point. Any can represent DMZ, internal, external, anything on the Internet, the whole "kit & caboodle". Honestly, I would strongly urge you to make use of the security zones available in R80+. Create layered sections that represent specific zones (DMZ, internal, external), and that way your rule base will be way more secure.
Andy
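The replies above describe a procedure: flag accept rules that use "Any", put specific rules above them, watch the logs for a window, and only disable the "Any" rule once it no longer matches anything. The script below is an added example that works that procedure through in code; it is not from this thread or from Check Point. The rule base, the `key=value` log lines, the IP-to-object mapping and the object names are all constructed stand-ins, not Check Point's real export or log format. It generalizes past the gateway-update case: it audits any enabled accept rule with "Any" as source or destination, groups the destinations that rule actually matched into named objects, and reports the destinations that map to nothing so they get a manual review rather than a silently widened rule.

```python
"""Audit 'Any' accept rules and derive tighter replacements from observed traffic.

Added example: rule base, log format and object names are constructed, not
Check Point's own formats.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    services: tuple          # e.g. ("https", "dns")
    action: str = "accept"
    enabled: bool = True


def flag_any_rules(rules):
    """Enabled accept rules with 'Any' as source or destination.

    'Any' is not just the Internet: it also covers internal, DMZ, VPN partner
    and home-office ranges, so every such accept rule deserves a second look.
    """
    return [r for r in rules
            if r.enabled and r.action == "accept" and "Any" in (r.src, r.dst)]


def parse_log(line):
    """Parse a constructed 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def destinations_hit(log_lines, rule_name):
    """Count (dst, service) pairs that one rule matched during the observation window."""
    hits = Counter()
    for line in log_lines:
        rec = parse_log(line)
        if rec.get("rule") == rule_name:
            hits[(rec["dst"], rec["service"])] += 1
    return hits


def propose_replacements(any_rule, hits, known_objects):
    """Build the specific rules that go above the 'Any' rule.

    Returns (new_rules, unmatched): destinations with no known object are
    returned for review instead of being folded into a wider rule.
    """
    grouped, unmatched = {}, []
    for (dst, svc), _count in hits.items():
        obj = known_objects.get(dst)
        if obj is None:
            unmatched.append((dst, svc))
            continue
        grouped.setdefault(obj, set()).add(svc)
    new_rules = [Rule(name=f"{any_rule.name}-to-{obj}", src=any_rule.src,
                      dst=obj, services=tuple(sorted(svcs)))
                 for obj, svcs in sorted(grouped.items())]
    return new_rules, unmatched


def safe_to_disable(log_lines, rule_name):
    """True when the old 'Any' rule matched nothing during the window."""
    return sum(destinations_hit(log_lines, rule_name).values()) == 0


# --- constructed sample data -------------------------------------------------
RULEBASE = [
    Rule("mgmt-to-gw", "Mgmt-Net", "GW-External", ("ssh", "https")),
    Rule("gw-updates", "GW-External", "Any", ("https", "dns")),  # the audited rule
    Rule("cleanup", "Any", "Any", ("any",), action="drop"),
]

KNOWN_OBJECTS = {  # constructed IP -> object mapping (documentation ranges)
    "203.0.113.10": "CheckPoint-Updates-Updatable-Object",
    "203.0.113.11": "CheckPoint-Updates-Updatable-Object",
    "10.0.0.2": "AWS-VPC-DNS-Resolver",
}

BEFORE_LOGS = [  # window before the specific rules exist
    "rule=gw-updates dst=203.0.113.10 service=https",
    "rule=gw-updates dst=203.0.113.11 service=https",
    "rule=gw-updates dst=10.0.0.2 service=dns",
    "rule=gw-updates dst=10.0.0.2 service=dns",
    "rule=gw-updates dst=198.51.100.7 service=https",  # unknown: needs review
    "rule=mgmt-to-gw dst=192.0.2.1 service=ssh",
]

AFTER_LOGS = [  # window after the specific rules sit above the 'Any' rule
    "rule=gw-updates-to-CheckPoint-Updates-Updatable-Object dst=203.0.113.10 service=https",
    "rule=gw-updates-to-AWS-VPC-DNS-Resolver dst=10.0.0.2 service=dns",
]


if __name__ == "__main__":
    for rule in flag_any_rules(RULEBASE):
        hits = destinations_hit(BEFORE_LOGS, rule.name)
        new_rules, unmatched = propose_replacements(rule, hits, KNOWN_OBJECTS)
        print(f"{rule.name}: {sum(hits.values())} hits in window")
        for r in new_rules:
            print(f"  add above: {r.name} {r.src} -> {r.dst} {r.services}")
        for dst, svc in unmatched:
            print(f"  review: {dst}/{svc} matched by no known object")
        print(f"  safe to disable after new rules: {safe_to_disable(AFTER_LOGS, rule.name)}")
```

The cleanup rule is deliberately not flagged: a drop rule with "Any" is the expected default, and the point of the audit is accept rules whose reach is wider than their purpose. The `unmatched` list is where the real review work lives; in the thread's case that is the step where the gateway's remaining update traffic gets pointed at a named internal proxy object instead of staying on "Any".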