I am curious about the policy matching logic.
Hi,
I'm curious about Check Point's policy matching method.
Let's take an example.
As shown below, SIP and a custom-made udp-5060 service were included in one policy.
So which of the following two ports does the Check Point match?
As far as I know, when Service is Any and there is a port conflict due to the 'Match for Any' option, it is determined randomly when installing the policy.
However, I cannot find any explanation of the order in which they are matched when two conflicting ports are added to one policy.
If you know the policy matching logic or have any SK involved, please let me know.
Have a nice day, and I'll wait for your reply.
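As an added illustration (not from the thread or from Check Point), a small linter that flags the ambiguity the question describes: two service objects in one rule that cover the same protocol and port, such as SIP next to a custom udp-5060 object. The service model, rule names and ports are constructed sample data; the gateway's own 'Match for Any' behaviour is not modelled, only the overlap that leaves the rule ambiguous.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Service:
    """Minimal model of a Check Point service object (constructed for this example)."""
    name: str
    proto: str   # "tcp" or "udp"
    low: int     # first port of the range
    high: int    # last port of the range (== low for a single port)

def overlap(a: Service, b: Service) -> Optional[Tuple[int, int]]:
    """Return the port range two services share on the same protocol, or None."""
    if a.proto != b.proto:
        return None
    lo, hi = max(a.low, b.low), min(a.high, b.high)
    return (lo, hi) if lo <= hi else None

def find_rule_conflicts(services: List[Service]) -> List[str]:
    """List every pair of service objects in one rule that claims the same port(s).

    The gateway can attach a packet to only one of them, so the rule itself
    does not say which service 'wins': this is the case the question raises.
    """
    findings = []
    for a, b in combinations(sorted(services, key=lambda s: s.name), 2):
        shared = overlap(a, b)
        if shared:
            rng = f"{shared[0]}" if shared[0] == shared[1] else f"{shared[0]}-{shared[1]}"
            findings.append(f"{a.name} and {b.name} both match {a.proto}/{rng}")
    return findings

def lint_policy(policy: Dict[str, List[Service]]) -> Dict[str, List[str]]:
    """Run the check over every rule; only rules with conflicts appear in the result."""
    return {rule: c for rule, svcs in policy.items() if (c := find_rule_conflicts(svcs))}

# Constructed sample policy mirroring the question: SIP and a custom udp-5060
# object in the same rule, plus a clean rule for comparison.
SAMPLE_POLICY = {
    "rule-1 (VoIP)": [
        Service("sip", "udp", 5060, 5060),
        Service("udp-5060", "udp", 5060, 5060),
        Service("sip_tls", "tcp", 5061, 5061),
    ],
    "rule-2 (web)": [
        Service("http", "tcp", 80, 80),
        Service("https", "tcp", 443, 443),
    ],
}
```

Running `lint_policy(SAMPLE_POLICY)` reports only rule-1, with the SIP/udp-5060 pair as the conflicting objects.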
Take a look here for VoIP:
https://support.checkpoint.com/results/sk/sk95369
ATRG: VoIP
Check the topology and all details. Pay extra attention to the rules according to your scenario and the ports used.
Special attention to the following quotation:
"Do not use this service in the same rule with the 'XXXXXX' service (because they contradict each other). ..."
Best regards
R81.20 Quantum Security Management Administration Guide - Rule Matching in the Access Control Policy
You mean one rule?
The multiple "Match for Any" rules behavior is documented: https://support.checkpoint.com/results/sk/sk150553
I assume it is similar when you add the services to the rule explicitly as well (i.e. it's random).