nemezis_rock
Contributor

Implied Rules accepting HTTP/HTTPS traffic. How to disable that rule?

When publishing services via Reverse Proxy and creating access rule like:

Source: External IP
Dst: Domain object .test.domain.com
Service: http, https
Action: Accept

- it works actually and traffic from source goes through this rule.

BUT!

Any other source also passes and goes to test.domain.com through Implied Rule 0.

Any suggestions regarding how to block/disable/delete that RULE which accepts HTTP/HTTPS traffic?

When changing the Action to Drop it also uses the Implied Rule to bypass.

 
 
_Val_
Admin

First, Temur, an admin note. This is a professional forum, please try expressing yourself in a more professional manner.

Do you have a proper cleanup rule in your policy? How does your access policy actually look?

nemezis_rock
Contributor

Dear @_Val_ ,

Thank you for reply.

I did not find clear information about Reverse Proxy; there is a little information regarding how to enable it and create proxy rules, and nothing about access rules. So I started to get nervous. Also, Access Rules are working in a strange manner. Read carefully what I wrote.

Incoming HTTP/HTTPS requests to services published via Reverse Proxy (example.mydomain.com --> internal.server:443) bypass the Access Rule via the Implied Rule.

_Val_
Admin

I do read very carefully what you wrote.

The reverse proxy is a functionality of the Mobile Access Blade, and it is well documented in the standard admin guide (example) and in the SecureKnowledge article. It is okay that it accepts web connections according to the proxy rules, on the implied rule 0.

However, you are claiming in your case services other than HTTP/HTTPS are also accepted on Rule 0. If this is indeed the case, please show logs. Also, if it happens, there are only two possibilities: either your Access Policy, or Proxy Policy, is misconfigured.


nemezis_rock
Contributor

I've sent you a PM where I provided screenshots and more detailed information. Thanks.

Tal_Paz-Fridman
Employee

For how to handle Implied Rules accepting HTTP/HTTPS, there are a couple of SKs you can use:

sk66030 Connection to Security Gateway on TCP Port 80 and TCP Port 443 is accepted by Implied Rule 0:

https://support.checkpoint.com/results/sk/sk66030

 

sk180808 Security Gateway accepts HTTP/HTTPS traffic by an implied rule for its HTTP/HTTPS Web Portals, although there is an explicit rule that drops this HTTP/HTTPS traffic

https://support.checkpoint.com/results/sk/sk180808

 

There are also several SKs explaining how to configure Reverse Proxy.

nemezis_rock
Contributor

Hi @Tal_Paz-Fridman

Thank you so much for the provided SKs. The first, sk66030, is not relevant for me. I have R81.10 with JHF take 95. So I tried to use the second, sk180808. When I performed the step 'Configure the value "1" for the new environment variable':

  1. $MDS_FWDIR/scripts/reload_env_vars.sh -e "IMPLIED_RULES_SET_BEFORE_LAST=1"

  2. $MDS_FWDIR/scripts/override_server_setting.sh -e IMPLIED_RULES_SET_BEFORE_LAST 1

I got the expected output:

Make sure the new variable value is loaded successfully:

grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf

Expected output:

IMPLIED_RULES_SET_BEFORE_LAST=1;export IMPLIED_RULES_SET_BEFORE_LAST

But it did not work for me. It still passes traffic via the Implied Rule.

Should this command (grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf) give the same output when it's performed on the GWs after policy installation? If so, then it did not work, because I got an empty response after running the command on the GW. Is it OK if I try to do the same steps on the GWs?

 

 
Wolfgang
Authority

@nemezis_rock I understand your way to solve your problem. But as I wrote in my PM, you can't use access rules to restrict access for Reverse Proxy rules.

nemezis_rock
Contributor

Dear @Wolfgang ,

As I said, the Implied Rule was the problem)

And https://support.checkpoint.com/results/sk/sk105740 helped me. Now I can give access to my Reverse Proxied services via Security Policies!

Hope it will work for you too!

But the only thing: how will it affect the GW? Can some expert give an opinion?

Wolfgang
Authority

@nemezis_rock can you please share your ReverseProxy rules and the security policy? It will be very interesting to see how you solved the problem.

nemezis_rock
Contributor

Proxy Rules are simple. I just published test123.mydomain.com and pointed it to the internal server: [image: reverseproxyrule.png]

The main point here is to be able to restrict access to test123.mydomain.com. I've created a domain object called .test123.mydomain.com. After that, I added a new security access policy:

Source: US (updatable object or anything you want)
Destination: Domain Object (.test123.mydomain.com)
Application: HTTP/HTTPS
Action: Accept

Cleanup Rule: Drop All

With this configuration any HTTP request from US IP addresses to test123.mydomain.com is accepted. Any others are dropped.

Wolfgang
Authority

Thanks for sharing @nemezis_rock

I understand your solution and it's working for one URL. But with more than one, this does not solve your initial question. ReverseProxy only works on the main IP of the MOB blade. All requests that should be handled by ReverseProxy must be sent to this IP. Meaning that every FQDN you want forwarded has to point to this IP address.

You can have more than one FQDN pointing to the same IP address. But if you use these FQDNs with a domain object (FQDN enabled) in the rulebase, they are always referenced to the same IP. As a result, all your requests will be matched by your first rule with the domain object. The gateway creates the FQDN-IP address association at the time of policy install and after a periodic time.

Another thing to be aware of: with ReverseProxy you have two connections on the gateway:

External host => ReverseProxy on gateway

ReverseProxy on gateway => internal host

The internal host does not see the IP address of the external host; the connection from gateway to internal host has the source IP of the gateway's internal interface.

There's a main difference between the handling of FQDN objects and URLs. I think what you need is an incoming URL-Filter rulebase for your ReverseProxy connections. But this is something that does not work with Check Point's ReverseProxy solution.

 

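As an added illustration (this is not code from the thread, from Check Point, or from any poster), the Python model below ties together two points made above: why the explicit drop rule from the sk180808 discussion only takes effect when implied rules are evaluated after the explicit rules, and why, as Wolfgang explains, FQDN domain objects that resolve to the same gateway IP all match the first domain-object rule. The gateway IP, the "US" source prefix, the DNS table and the reading of IMPLIED_RULES_SET_BEFORE_LAST as "implied rules just above the cleanup rule" are assumptions of this toy model, not Check Point's actual matching engine.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed: gateway Mobile Access IP (all published FQDNs point to it) and a US prefix.
GATEWAY_IP = "203.0.113.1"
DNS = {"test123.mydomain.com": GATEWAY_IP, "other.mydomain.com": GATEWAY_IP}
US_PREFIX = "198.51.100."

@dataclass
class Conn:
    src: str
    dst_ip: str
    port: int

@dataclass
class Rule:
    name: str
    match: Callable[[Conn], bool]
    action: str  # "accept" or "drop"

def conn_to(fqdn: str, src: str, port: int) -> Conn:
    # A request for a published FQDN arrives at the IP the FQDN resolves to.
    return Conn(src, DNS[fqdn], port)

def domain_object(fqdn: str) -> Callable[[Conn], bool]:
    # FQDN domain object: resolved to an IP at policy-install time, so two
    # FQDNs sharing one IP are indistinguishable to the rulebase.
    ip = DNS[fqdn]
    return lambda c: c.dst_ip == ip

def build_policy(implied_before_last: bool) -> List[Rule]:
    # Implied rules go first by default; IMPLIED_RULES_SET_BEFORE_LAST=1 is
    # modelled (assumption) as placing them just above the cleanup rule.
    web = lambda c: c.port in (80, 443)
    test123 = domain_object("test123.mydomain.com")
    implied0 = Rule("implied rule 0: accept HTTP/HTTPS to gateway",
                    lambda c: c.dst_ip == GATEWAY_IP and web(c), "accept")
    explicit = [
        Rule("allow US to .test123.mydomain.com",
             lambda c: c.src.startswith(US_PREFIX) and test123(c) and web(c), "accept"),
        Rule("drop others to .test123.mydomain.com",
             lambda c: test123(c) and web(c), "drop"),
    ]
    cleanup = Rule("cleanup: drop all", lambda c: True, "drop")
    if implied_before_last:
        return explicit + [implied0, cleanup]
    return [implied0] + explicit + [cleanup]

def evaluate(rules: List[Rule], c: Conn) -> Tuple[str, str]:
    # First-match evaluation; returns (matching rule, action).
    return next((r.name, r.action) for r in rules if r.match(c))
```

With implied rules first, a non-US client reaching test123.mydomain.com:443 is accepted by implied rule 0 before the explicit drop is ever consulted; with the before-last placement the explicit drop matches, but a US client reaching other.mydomain.com is still accepted by the test123 rule because both names resolve to the same gateway IP.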
PhoneBoy
Admin

To answer your question about grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf being viewable on a gateway: no.
These are flags set for the cpm process, which only exists on the management and will impact policy compilation.
