Kid555
Participant

Implied rule 0 for external gw interface IP

Hi All,

We have an issue where external IPs are allowed to access my gateway.

We tried the KB below, where we change it to "Through internal interfaces" but the traffic is still allowed.

https://support.checkpoint.com/results/sk/sk105740

We also tried sk105740: we followed the alternative solution of adding the IOC IP address into the SAM rule, but the issue is not resolved.

SAM rule.png

Refer to the attached log, which shows the external IP allowed to my external Gateway IP via port 443.

18 Replies
PhoneBoy
Admin

How precisely did you “add the IOC IP address into the SAM rule”?
Did you try setting fw_ignore_before_drop_rules?
Instead of a SAM rule, you can use: https://support.checkpoint.com/results/sk/sk112454

Kid555
Participant

fw_ignore_before_drop_rules

Does this cause any impact to my production or require any reboot? 

PhoneBoy
Admin

Should not, but as with any change, you may want to test it in a maintenance window. 

Kid555
Participant

As per https://support.checkpoint.com/results/sk/sk105740, I don't see the steps to change the setting fw_ignore_before_drop_rules. Do you have the steps?

PhoneBoy
Admin

In the SK I linked, it says: to configure the parameter to survive reboot - refer to sk26202.
It also provides instructions to change on the fly.

Tal_Paz-Fridman
Employee

Please also look at sk180808 https://support.checkpoint.com/results/sk/sk180808

Security Gateway accepts HTTP traffic by an implied rule for its HTTP Web Portals, although there is an explicit rule that drops this HTTP traffic

Kid555
Participant

Hi, how about HTTPS traffic coming from the outside? From the SK, I see this is only for HTTP.

Tal_Paz-Fridman
Employee

I will ask the relevant owner to see what they can add.

Kid555
Participant

Hi, I checked through.

Based on this: https://support.checkpoint.com/results/sk/sk180808

What is the difference between value 0 and 1? It seems like they have the same meaning.

Tal_Paz-Fridman
Employee

Adding @YosiHavilo to answer

YosiHavilo
Employee

Regarding sk180808:

It can be HTTP or HTTPS; I will ask to fix the SK.

I will explain a bit about the 2 options:

Currently there are 2 "before drop" implied rules; both implied rules can allow connections to the Security Gateway on port 443 or 80:

  1. enable_portal_http (MULTIPORTAL)
  2. enable_tcpt (TCP_TUNNELING)

It means that in case we have a drop, we check if we match the implied rule.

In sk180808, you can change the "before drop" to "before last".

It means that in case this connection is dropped on the rulebase (except the cleanup rule), the GW will drop the connection; in case the connection hits the cleanup rule, we will see if it matches the implied rule.

When you use fw_ignore_before_drop_rules, this is like you disable both rules.

In this case you must create an implicit rule instead of the implied rule.

Kid555
Participant

Hi Yosi,

For my understanding, am I right on the below?

Based on sk180808, you can change the before drop (“0”) to before last (“1”).

If the value is “1”, when traffic hits one of the explicit drop rules (NOT the default cleanup rule), the gateway will drop the connection.

If the value is “0”, when the traffic hits the default cleanup rule, then it matches the implied rule (multiportal).

YosiHavilo
Employee

If the value is “1”, when traffic hits one of the explicit drop rules (NOT the default cleanup rule), the gateway will drop the connection; when the traffic hits the default cleanup rule, then it matches the implied rule (multiportal).

If the value is “0”, when the traffic hits a drop rule, then it matches the implied rule (multiportal).

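To make the ordering Yosi describes concrete (the "before drop" vs. "before last" position of the two implied rules, and the effect of fw_ignore_before_drop_rules), here is an added simulation of the decision logic. It is not Check Point code and not part of this thread: the rulebase, the addresses (203.0.113.10 as the gateway's external IP, 198.51.100.25 as an outside client), the port set assigned to each implied rule and the rule names are constructed for illustration. Only the two implied-rule names and the parameter name come from the thread.

```python
"""Illustrative model of how "before drop" implied rules interact with an
explicit rulebase, following the description in this thread (sk180808 and
fw_ignore_before_drop_rules). Not Check Point code: evaluation is simplified
and every address, rule name and port set below is constructed."""
from dataclasses import dataclass
from enum import Enum
import ipaddress

GATEWAY_EXT_IP = "203.0.113.10"   # constructed external interface address of the gateway


class ImpliedPosition(Enum):
    BEFORE_DROP = 0   # thread: value "0", implied rules consulted on any drop
    BEFORE_LAST = 1   # thread: value "1", implied rules consulted only at the cleanup rule


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # "any" or an IP/network in CIDR notation
    dst: str
    dports: frozenset   # empty set means any destination port
    action: str         # "accept" or "drop"


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def _ip_in(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule, conn):
    return (_ip_in(conn.src, rule.src) and _ip_in(conn.dst, rule.dst)
            and (not rule.dports or conn.dport in rule.dports))


# The two "before drop" implied rules named in the thread. Both target the
# gateway itself on 80/443; the exact port set per rule is an assumption here.
IMPLIED_RULES = [
    Rule("enable_portal_http (MULTIPORTAL)", "any", GATEWAY_EXT_IP, frozenset({80, 443}), "accept"),
    Rule("enable_tcpt (TCP_TUNNELING)", "any", GATEWAY_EXT_IP, frozenset({443}), "accept"),
]


def evaluate(rulebase, conn, position, ignore_before_drop=False):
    """Walk the explicit rulebase (last entry is the cleanup rule) and return
    (action, deciding_rule). When an explicit rule would drop, the implied
    rules get a chance: on any drop for BEFORE_DROP, only at the cleanup rule
    for BEFORE_LAST, and never when fw_ignore_before_drop_rules is set."""
    for idx, rule in enumerate(rulebase):
        if not matches(rule, conn):
            continue
        if rule.action == "accept":
            return "accept", rule.name
        is_cleanup = idx == len(rulebase) - 1
        consult_implied = not ignore_before_drop and (
            position is ImpliedPosition.BEFORE_DROP or is_cleanup)
        if consult_implied:
            for implied in IMPLIED_RULES:
                if matches(implied, conn):
                    return "accept", "implied: " + implied.name
        return "drop", rule.name
    return "drop", "no rule matched"


# Constructed rulebase: internal hosts may reach the gateway, an explicit rule
# drops everyone else to the gateway, and the cleanup rule drops the rest.
WITH_EXPLICIT_DROP = [
    Rule("1 allow mgmt from internal", "10.0.0.0/8", GATEWAY_EXT_IP, frozenset(), "accept"),
    Rule("2 explicit drop to gateway", "any", GATEWAY_EXT_IP, frozenset(), "drop"),
    Rule("3 cleanup", "any", "any", frozenset(), "drop"),
]
CLEANUP_ONLY = [WITH_EXPLICIT_DROP[0], WITH_EXPLICIT_DROP[2]]

EXTERNAL_HTTPS = Conn("198.51.100.25", GATEWAY_EXT_IP, 443)   # constructed outside client

if __name__ == "__main__":
    for label, rb in (("explicit drop present", WITH_EXPLICIT_DROP), ("cleanup only", CLEANUP_ONLY)):
        for pos in ImpliedPosition:
            print(f"{label:22} {pos.name:12}", evaluate(rb, EXTERNAL_HTTPS, pos))
        print(f"{label:22} ignore_before_drop",
              evaluate(rb, EXTERNAL_HTTPS, ImpliedPosition.BEFORE_DROP, ignore_before_drop=True))
```

Running it reproduces the thread's three cases: with the value at "before drop", the outside client on 443 is accepted by the MULTIPORTAL implied rule even though an explicit drop rule matched first (the symptom in the opening post); with "before last", the explicit drop wins and only a connection that falls through to the cleanup rule is rescued by the implied rule; with fw_ignore_before_drop_rules set, both implied rules are ignored and whatever explicit rule matches decides. Note the implied rules only ever match traffic to the gateway's own address, so a connection to some other host still drops at cleanup.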
Kid555
Participant

"when the traffic hits the default cleanup rule, then it matches the implied rule (multiportal)."

For the above, this only happens if I do not have an explicit drop rule (not the cleanup rule), right?

YosiHavilo
Employee

Correct.

Kid555
Participant

Understood! Can I also check if those commands work on R80.30 Take 251?

_Val_
Admin

Do you use any of the multi-portal features, including MAB? It might be that your features require HTTP/HTTPS access on the external interfaces.

Kid555
Participant

No, I don't think so. But I tried following sk105740 to change the accessibility to "through internal interface", and I still see traffic allowed from external sources to my external gateway.
