This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Graham1
Contributor
‎2023-09-19 11:21 AM
Jump to solution

Strange service match for firewall rules

I am witnessing a strange matching situation, and trying to find out if this is expected.

We splitting our Servers to a new VLAN (long overdue and don't get me started).  

I have created a new rule:
src: 10.95.20.0/24
dst: 10.95.0.0/20
svc: Active Directory Application
action: Accept

This rule is just below:
src: 10.95.20.0/24
dst: 10.95.0.0/20
svc: (Negate) Active Directory Application
action: Accept

I am find that the logs for rule 4 are matching for tcp/389, eventhough it should match rule 3.

fw up_execute src=10.95.20.20 ipp=6 dport=389 dst=10.95.0.71
Rulebase execution ended successfully.
Overall status:
----------------
Active clob mask: 2
Required clob mask: 2
Match status: POSSIBLE
Match action: Accept

Per Layer:
------------
Layer name: Std-EXTFW1 Network
Layer id: 0
Match status: POSSIBLE
Match action: Accept
Possible rules: 1 3 4 16777215

The Active Directory Application object is using recommended Match Settings.  According to what I read in documentation, it should be working under rule 3.

Am I missing something major?

Thanks in advance.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-09-19 01:25 PM
In response to Graham1
Jump to solution

The rules don't overlap, the issue is the signature isn't matching everything for whatever reason.
Easiest way to resolve this is to use a group of simple TCP/UDP services instead of the Active Directory signature.

View solution in original post

0 Kudos
6 Replies
Wolfgang
Authority
Authority
‎2023-09-19 12:25 PM
Jump to solution

@Graham1 one simple question to start…. How about the policy install after adding the new rule, done ?

PhoneBoy
Admin
Admin
‎2023-09-19 12:27 PM
Jump to solution

The Active Directory application requires more than one packet to match successfully.
Apparently, the relevant traffic isn't matching the signature, which is why it is falling through to the next rule.
To fully understand why, you would need to take packet captures and open a TAC case: https://help.checkpoint.com 
In this case, you should use the LDAP service (TCP 389), which will match on the first packet. 

the_rock
Legend
Legend
‎2023-09-19 12:43 PM
Jump to solution

My personal experience with fw up_execute command is, lets just put it bluntly, very inconsistent. I find it works properly MAYBE 50% of the time, so I would not rely on it too much. 

What do you see in the logs?

Andy

Graham1
Contributor
‎2023-09-19 01:09 PM
In response to the_rock
Jump to solution

@Wolfgang Yes this policy is installed and active.

@PhoneBoy I have already tried support and their suggestion is to remove rule 4 since it is overlapping rule 3.  I just didn't think it should be "inconsistent" in the is way.  What you are saying does make sense however

@the_rock The logs confirm what fw up_execute confirm what the logs are saying in that some packets are matched by rule 3 and other packets are match by rule 4.  all on tcp/389

I guess my only re-course in the instance is to create a service group with the match services in the app object.

0 Kudos
the_rock
Legend
Legend
‎2023-09-19 01:11 PM
In response to Graham1
Jump to solution

I know sometimes disabling/re-enabling rule can also work, just remember to install policy after every change.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-19 01:25 PM
In response to Graham1
Jump to solution

The rules don't overlap, the issue is the signature isn't matching everything for whatever reason.
Easiest way to resolve this is to use a group of simple TCP/UDP services instead of the Active Directory signature.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events