This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Yatiraj_Panchal
Contributor
‎2020-07-15 11:37 AM
Jump to solution

What the problem, if getting two logs in Logs & Monitor

I'm getting one issue, I have blocked one IP address (Belong to Brasil) using SAM rule, but in GEO location Brasil allowed. When I checked logs in Logs & monitor, able to see two see 2 logs for every connection one for GEO location as permit and 2nd showing drop by SAM rule.

 

Thanks in a Advance!!

0 Kudos
2 Solutions

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-07-15 12:11 PM
Jump to solution

Hi @Yatiraj_Panchal,

This is a normal behavior starting with R80.x. Depending on the processing level, it may be that the connection is allowed and then blocked. Here is a picture of the policy processing.

Screenshot_20200715-212113_Edge.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

Timothy_Hall
MVP Gold
MVP Gold
‎2020-07-20 07:06 AM
In response to PhoneBoy
Jump to solution

To further clarify what Phoneboy said, legacy Geo Policy/Protection is applied right after Antispoofing.  R80.20+ Geo Policy objects are enforced by Firewall.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

0 Kudos
6 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-07-15 12:11 PM
Jump to solution

Hi @Yatiraj_Panchal,

This is a normal behavior starting with R80.x. Depending on the processing level, it may be that the connection is allowed and then blocked. Here is a picture of the policy processing.

Screenshot_20200715-212113_Edge.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Yatiraj_Panchal
Contributor
‎2020-07-16 01:24 AM
In response to HeikoAnkenbrand
Jump to solution

Hi @HeikoAnkenbrand,

Actual problem is traffic hitting to internal server, that's I'm able not able to understand. what's the alternative to stop hitting on internal server. 

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-07-16 01:38 AM
In response to Yatiraj_Panchal
Jump to solution

I do not understand the problem 100%. What exactly do you want to do?

If you do not want to use SAM rules, you can still use "fwaccel dos" protection. 

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. This mechanism is supported starting in R75.40VS.

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. I recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“  control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Jarvis_Lin
Collaborator
‎2020-07-16 09:39 PM
In response to HeikoAnkenbrand
Jump to solution

Hi  HeikoAnkenbrand,

May you share me where is GEO & MOB legacy policy locate in policy match?

Thanks

 

Regards,

Jarvis

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-19 01:37 PM
In response to Jarvis_Lin
Jump to solution

Legacy GEO policy hits before the firewall.
Mobile Access Legacy Policy doesn't really apply in this flow since everything terminates on a specific process on the gateway.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-07-20 07:06 AM
In response to PhoneBoy
Jump to solution

To further clarify what Phoneboy said, legacy Geo Policy/Protection is applied right after Antispoofing.  R80.20+ Geo Policy objects are enforced by Firewall.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events