This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sunray
Explorer
‎2022-01-17 09:05 AM

Implied rule override explicit rule

We have enabled above option as "before last" & after checking logs we are getting random ip's are still trying to connect external DNS servers.even though we have explicit rule configured for our internal DNS. Would like to know as per behaviour all DNS logs should hit to explicit rule, but not occurring in this scenario.

anyone  provide me answer why external DNS request's are hitting over Implied rules (Configrued as "before last" under global properties)

even when an explicit rule has priority.

 

HOTFIX_R80_40_JUMBO_HF_MAIN Take: 125

Preview file
63 KB
0 Kudos
4 Replies
Chris_Atkinson
Employee
Employee
‎2022-01-17 11:27 PM

To clarify you have configured a rule specifically to "drop" this DNS traffic higher in the policy that is not matching?

Perhaps it is easier to work this with TAC if you're uncomfortable with showing the relevant policy rules & log card detail here. 

0 Kudos
Sunray
Explorer
‎2022-01-18 01:24 AM
In response to Chris_Atkinson

Hello Chris,

 

I had allowed in any for all DNS traffic in explicit rule on higher priority but still traffic for external DNS hitting implicit rule.

0 Kudos
Chris_Atkinson
Employee
Employee
‎2022-01-18 02:08 AM
In response to Sunray

As above please provide more details of the policy, log card & matched rules tab so we can help.  

0 Kudos
Sunray
Explorer
‎2022-01-19 07:25 AM
In response to Chris_Atkinson

Hello Chris

Getting SOA packet for which Implied rule action accept. I have attached all logs

These are VPN user 10.0.0.0 IP range some user hitting external DNS with SOA packet.

We are planning to disable Global Properties "Accept Domain Name over UDP (Queries )" will it impact legitimate traffic.

Preview file
1165 KB
Preview file
662 KB
Preview file
1251 KB
0 Kudos