- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Traffic from Brazil was blocked using fwaccel dos rules but seeing 443 traffic allowed by Implied rules. Below is the rule that was added in the gateway.
fwaccel dos rate add -action drop -log regular source cc:BR pkt-rate 0 service any
fwaccel does not block them though the rule blocks Brazil but the idea of the fwaccel rule was to override this implied rule for traffic from Brazil.
Can someone please assist ?
Did you try block using updatable object as a country?
Andy
Yes, earlier there was a DDOS attack and customer tried blocking the traffic from Brazil using country code "BR" but it did not work so he added manual rules to block the traffic.
Later, we suspected an issue with IpToCountry mapping and so updated the IpToCountry.csv file and then removed all the manual entries and it almost worked fine. But still observing some 443 traffic from Brazil accepted by Implied rules.
I believe fwaccel rule should block all the traffic coming from Brazil but it is still allowed by Implied rules.
Is there any suggestion ?
Appreciate your help !
One thing to check, though dont believe its recommended to modify the implied rules, would be to look at $FWDIR/lim/implied_rules.def file on mgmt server
Andy
May I ask what to check exactly in the file ?
Not sure at this point. I might be able to make logical guess if you send the implied rule log.
Andy
Can you double click on one of those logs for details?
https://support.checkpoint.com/results/sk/sk105740
I am aware of this sk but the idea of the fwaccel rule was to override this implied rule for traffic from Brazil. It should block all the traffic before hitting Implied rules I believe.
A rate limit of zero should prevent any data from passing, but I don't believe it will prevent the connection from being established.
You may want to confirm this with TAC.
If i remember correctly, with fwaccel dos rules, log about implied rules are shown like accept but traffic is dropped. I will post reference if i found it
Anyway, try traffic from brazil if you can and verify by CLI if traffic is accepted for real or if it is dropped
Thats true.
@mahesh Were you able to sort this out?
Andy
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
16 | |
11 | |
8 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 | |
3 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY