This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mahesh
Explorer
‎2024-05-07 04:46 AM

Traffic from Brazil was blocked using fwaccel dos rules but seeing 443 traffic allowed by Implied ru

Traffic from Brazil was blocked using fwaccel dos rules but seeing 443 traffic allowed by Implied rules. Below is the rule that was added in the gateway.

fwaccel dos rate add -action drop -log regular source cc:BR pkt-rate 0 service any

fwaccel does not block them though the rule blocks Brazil but the idea of the fwaccel rule was to override this implied rule for traffic from Brazil.

Can someone please assist ?

0 Kudos
14 Replies
the_rock
MVP Gold
MVP Gold
‎2024-05-07 05:23 AM

Did you try block using updatable object as a country?

Andy

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-05-07 05:51 AM

fwaccel dos is meant for D0S attacks, not Geo IP - you can only blacklist IPs and block DoS attacks using a rate limit...

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mahesh
Explorer
‎2024-05-07 05:58 AM
In response to G_W_Albrecht

Yes, earlier there was a DDOS attack and customer tried blocking the traffic from Brazil using country code "BR" but it did not work so he added manual rules to block the traffic.

Later, we suspected an issue with IpToCountry mapping and so updated the IpToCountry.csv file and then removed all the manual entries and it almost worked fine. But still observing some 443 traffic from Brazil accepted by Implied rules.

I believe fwaccel rule should block all the traffic coming from Brazil but it is still allowed by Implied rules.

Is there any suggestion ?

Appreciate your help !

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-07 06:06 AM
In response to mahesh

One thing to check, though dont believe its recommended to modify the implied rules, would be to look at $FWDIR/lim/implied_rules.def file on mgmt server

Andy

Best,
Andy
0 Kudos
mahesh
Explorer
‎2024-05-07 06:09 AM
In response to the_rock

May I ask what to check exactly in the file ?

the_rock
MVP Gold
MVP Gold
‎2024-05-07 06:10 AM
In response to mahesh

Not sure at this point. I might be able to make logical guess if you send the implied rule log.

Andy

Best,
Andy
0 Kudos
mahesh
Explorer
‎2024-05-07 06:28 AM
In response to the_rock

Below is the log screenshot of Smart console logs.

 

Preview file
203 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-07 06:30 AM
In response to mahesh

Can you double click on one of those logs for details?

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-05-07 06:31 AM
In response to mahesh

https://support.checkpoint.com/results/sk/sk105740

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mahesh
Explorer
‎2024-05-07 08:28 PM
In response to G_W_Albrecht

I am aware of this sk but the idea of the fwaccel rule was to override this implied rule for traffic from Brazil. It should block all the traffic before hitting Implied rules I believe.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-07 03:55 PM

A rate limit of zero should prevent any data from passing, but I don't believe it will prevent the connection from being established.
You may want to confirm this with TAC.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-05-10 01:13 PM

If i remember correctly, with fwaccel dos rules, log about implied rules are shown like accept but traffic is dropped. I will post reference if i found it

 

Anyway, try traffic from brazil if you can and verify by CLI if traffic is accepted for real or if it is dropped

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-10 01:53 PM
In response to CheckPointerXL

Thats true.

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-05-11 05:50 AM

@mahesh Were you able to sort this out?

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events