Ruan_Kotze
Advisor

Suspicious traffic passed through Implied Rule - accept_outgoing

Hi All,

I'm investigating an issue that I can't quite get my head wrapped around.

As part of our CP estate we have an OpenServer acting as an explicit proxy. This works well for the most part, but our SOC team has flagged traffic being allowed by an implicit rule. Properties generally look like this:

Source: External IP of Proxy
Destination: Random public IPs
Port: 80 and 443 for the most part. Also TCP 3478 and other non-Check Point ports
Rule: 0
Rule name: Implied Rule - accept_outgoing (after enabling additional implied rule logging as per sk110218)
Source User: Blank (even though our actual policies are identity based)

I understand that there is traffic that needs to be allowed by the Implied rules, but what I do not understand is why, for example, TCP 3478 (and several other TCP ports) is being passed?

Any insight appreciated. I've not really supported any proxy deployments before, so perhaps that is adding to my confusion :-).

Thanks,
Ruan

0 Kudos
1 Reply
PhoneBoy
Admin

The 443 traffic is likely due to SNI verification, which occurs on ALL HTTPS traffic whether HTTPS Inspection is enabled or not.
Specifically, we make sure the SNI matches what the server provides as part of its certificate.
This requires a separate connection from the gateway.

Port 80 traffic is likely ThreatCloud lookups that occur from the gateway.

For the other ports, can't say for sure.
Are the ports in question allowed outbound and possibly being used for HTTPS?

0 Kudos
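As an added example (not from the thread, and not Check Point's own tooling), the script below applies PhoneBoy's explanation to log records shaped like the properties Ruan lists: it keeps only hits on the implied accept_outgoing rule whose source is the proxy's external IP, groups them by destination port, attributes 443 to SNI verification and 80 to ThreatCloud lookups, and leaves every other port flagged for the analyst. The key=value layout and the field names (src, dst, service, rule, rule_name, src_user) are assumptions modelled on the post, not the exact names of a Check Point log export, and the sample records are constructed.

```python
"""Triage gateway-originated traffic logged against an implied rule.

Added example, not part of the thread. Field names (src, dst, service,
rule, rule_name, src_user) are assumptions modelled on the question's
property list; a real log export may name them differently.
"""
import re
from collections import defaultdict

# Constructed sample records (not real exports). 203.0.113.10 stands in for
# the proxy's external IP; 10.0.0.5 is an ordinary identity-matched client.
SAMPLE_LOGS = """\
time=2024-01-01T10:00:01 src=203.0.113.10 dst=198.51.100.5 service=443 proto=tcp rule=0 rule_name="Implied Rule - accept_outgoing" src_user=
time=2024-01-01T10:00:02 src=203.0.113.10 dst=198.51.100.9 service=80 proto=tcp rule=0 rule_name="Implied Rule - accept_outgoing" src_user=
time=2024-01-01T10:00:03 src=203.0.113.10 dst=192.0.2.77 service=3478 proto=tcp rule=0 rule_name="Implied Rule - accept_outgoing" src_user=
time=2024-01-01T10:00:04 src=10.0.0.5 dst=198.51.100.5 service=443 proto=tcp rule=12 rule_name="Web_Access" src_user=jdoe
time=2024-01-01T10:00:05 src=203.0.113.10 dst=192.0.2.77 service=3478 proto=tcp rule=0 rule_name="Implied Rule - accept_outgoing" src_user=
"""

# What the reply in the thread says gateway-originated traffic on these ports
# is expected to be. Any other port is left for the analyst to explain.
KNOWN_GATEWAY_SERVICES = {
    "443": "SNI verification (gateway checks the SNI against the server certificate)",
    "80": "ThreatCloud lookups made by the gateway",
}

# key=value pairs; values may be double-quoted (rule names contain spaces).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_implied_accept(rec):
    """True when the record matched rule 0 with an 'Implied Rule' name."""
    return rec.get("rule") == "0" and rec.get("rule_name", "").startswith("Implied Rule")


def triage(log_text, proxy_ip):
    """Group implied-rule hits sourced from the proxy's own IP by destination port.

    Returns {port: {"count", "destinations", "explanation", "investigate"}}.
    """
    per_port = defaultdict(lambda: {
        "count": 0, "destinations": set(), "explanation": None, "investigate": False,
    })
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only connections the gateway itself originates are in scope here.
        if rec.get("src") != proxy_ip or not is_implied_accept(rec):
            continue
        port = rec.get("service", "")
        entry = per_port[port]
        entry["count"] += 1
        entry["destinations"].add(rec.get("dst", ""))
        entry["explanation"] = KNOWN_GATEWAY_SERVICES.get(
            port, "no known gateway-originated service on this port")
        entry["investigate"] = port not in KNOWN_GATEWAY_SERVICES
    return dict(per_port)


def unexplained_ports(log_text, proxy_ip):
    """Sorted list of ports that the thread's explanation does not account for."""
    return sorted(port for port, entry in triage(log_text, proxy_ip).items()
                  if entry["investigate"])


if __name__ == "__main__":
    for port, entry in sorted(triage(SAMPLE_LOGS, "203.0.113.10").items()):
        marker = "INVESTIGATE" if entry["investigate"] else "expected"
        print(f"tcp/{port}: {entry['count']} hit(s) to {sorted(entry['destinations'])} "
              f"- {marker}: {entry['explanation']}")
```

Run against a real export, only the parser and the field names would need adjusting; the grouping keeps the port-to-destination mapping so that a flagged port such as 3478 can be checked against the question PhoneBoy asks: whether that port is allowed outbound and is carrying HTTPS, in which case it would fall under the same SNI-verification behaviour as 443.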
