This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Capt_Mundo
Participant
‎2023-07-29 11:14 PM

IMPLIED RULE NUMBER 0

Hi Admin,

 

I have a question. What does implied rule number 0 means? When a traffic is accepted and logged via Implied Rule number 0, does that mean the traffic has a session? 

Thanks

0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-07-30 12:48 AM

The following resources should help with your understanding:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

https://support.checkpoint.com/results/sk/sk17745

CCSM R77/R80/ELITE
0 Kudos
kristen09
Explorer
‎2023-08-01 02:01 AM

@Capt_Mundo wrote: LiveTheOrangeLife

Hi Admin,

I have a question. What does implied rule number 0 means? When a traffic is accepted and logged via Implied Rule number 0, does that mean the traffic has a session? 

Thanks

Hello,

Implied Rule number 0 is a concept used in some firewall configurations. It refers to the default rule that allows traffic that doesn't match any explicit rules to be accepted and logged. When traffic is accepted and logged via Implied Rule number 0, it means that the firewall allowed the traffic because there was no specific rule to block it.

I hope this may be right answer. 

Best regard,

Kristen

0 Kudos
(1)
DBS
Explorer
‎2024-02-08 09:03 PM
In response to kristen09

Handy to know

0 Kudos
hilalwani
Explorer
‎2024-03-06 01:04 AM
In response to DBS

I have a stealth rule in place which is blocking outside to inside unknown traffic. but yesterday morning the firewall received a traffic from an unknown malware site and accepted/passed that malware site through an implied rule. I wonder how is it possible.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-03-06 01:20 AM
In response to kristen09

The last sentence is not true - when traffic is accepted and logged via Implied Rule, no further inspection by the FW is done, no matter if there is a specific rule to block it or not. Sounds like ChatGPT to me...

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
RamGuy239
MVP Silver
MVP Silver
‎2024-10-10 03:09 AM
In response to kristen09

I know this is a old post. But I just wanted to correct the above statement:

When traffic is accepted and logged via Implied Rule number 0, it means that the firewall allowed the traffic because there was no specific rule to block it.

 

This is not the case, at least not with Check Point. Implied Rules on Check Point will match as rule 0, that is correct. But as the name implies, rule 0 comes before your explicit rules. This traffic won't get blocked by you creating rules to block it, as the traffic will always match rule 0 first.

:18190 for instance is SIC and is accepted in implied rules by default as part of "Control Connections". Unless you override and disable this, you won't be able to block TCP-18190. Even if you create rule 1 saying src:any, dst:any, service:tcp-18190, action:drop, you would still not be dropping any TCP-18190 traffic, because it's matching and being accepted in rule 0.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
_Val_
Admin
Admin
‎2024-10-10 03:14 AM
In response to RamGuy239

absolutely right

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events