This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nemezis_rock
Contributor
‎2023-07-19 06:21 AM

Reverse Proxy + Access Rules

Hi all,

How to restrict access to services that were published via Reverse Proxy? Can someone provide exmaple configuration?

I've already played with Access Rules after checking box Unified Access Policy. But access policy not working. 

Attaching log file showing that rules not working. It is just passing traffic according empty rule... Im confused. 

Preview file
14 KB
0 Kudos
4 Replies
the_rock
Legend
Legend
‎2023-07-19 06:53 AM

What exact services are you trying to block? Can you send a screenshot of the rule you created? Please blur out any sensitive info.

Andy

0 Kudos
nemezis_rock
Contributor
‎2023-07-19 09:29 PM
In response to the_rock

Block services? Nope.

I've published services via Reverse Proxy:

1. Service 1: https://example1.domain.com/  ---> internal.server.com:8080

2. Service 2: https://example2.domain.com/  ---> anotherinternal.server.com:80

So, when there is an external requests to subdomain Service1 it proxies to internal service. I want to create access rule for that https://*.domain.com   services. For example, Group of external IP addresses have access to example1.domain.com, or only US IP addresses (Updatable object) have access to example2.domain.com and etc.

 
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-20 05:48 AM
In response to nemezis_rock

When you say "Reverse Proxy" are you referring to the configuration here? https://support.checkpoint.com/results/sk/sk110348
More details on exactly what you've configured will help.

0 Kudos
nemezis_rock
Contributor
‎2023-07-20 06:02 AM
In response to PhoneBoy

Dear @PhoneBoy ,

Thank you for reply, and

Of course I read some topics, how would I publish web service via ReverseProxy without reading docs?

I have published web service:proxyrule.png

And it works fine, it published and I can access it from internet. But I want also create some Access Rules for published services and give access only known hosts from internet. Some of checkmaters are saying that it is not possible. But,

After playing with rules and analyzing it, i noticed that Access Rules working but Partially

When you create Accept rule for ExternalIP and dst test.domain.com, traffic goes through that rule. But other External IPs goes through Implied Access Rule 0:

nemezis_rock_0-1689858073026.png

 

 

So traffic goes in this order i believe:

nemezis_rock_1-1689858073081.png

 

 

It just cant reach drop rule. If there is any way to disable implied rule, or move the order of Accept rule of Implied Rule and place it after Drop Rule of Access Policy it will work i think.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events