This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roy_Smith
Collaborator
‎2023-02-14 08:54 AM
Jump to solution

implied rules getting hit and dropping traffic

Hi

Started migrating vlans from an internal Cisco ASA to a new VSX cluster. I am now getting some intermittent reports of applications or servers not connecting as expected. When I look through the logs, I see lots of drops related to an implied rule. This is hit by different sources and destinations and different ports. 

After following sk110218, I am able to see the implied rule name, which is "Implied Rule - enforce_net_quota". The name of this rul seems to indicate I'm hitting some sort of limit but not sure what.

Can anyone tell me what enforce_net_quota refers to please?

Many Thanks
Roy

0 Kudos
2 Solutions

Accepted Solutions
Danny
MVP Platinum
MVP Platinum
‎2023-02-14 09:40 AM
Jump to solution

Try turning off Network Quota and verify if this helps.

View solution in original post

PhoneBoy
Admin
Admin
‎2023-02-14 02:01 PM
Jump to solution

This is definitely the Network Quota protection, which is inactive by default.
You can do one of two things:

  • Disable it by going to Security Policies > Inspection Settings and setting it to Inactive for the relevant profile
  • Create an exception for the relevant traffic in the protection

Changing this setting requires pushing the Access Policy (not Threat Prevention) since this is a Core Protection handled by the firewall (not IPS).

View solution in original post

8 Replies
Danny
MVP Platinum
MVP Platinum
‎2023-02-14 09:40 AM
Jump to solution

Try turning off Network Quota and verify if this helps.

the_rock
MVP Platinum
MVP Platinum
‎2023-02-14 10:45 AM
Jump to solution

Can you send screencap of it if possible? I checked sk you mentioned, but does not sadly seem too useful here. I also saw what @Danny suggested, but cant find that protection even in my R81.20 lab with updated IPS.

Searching CP support site, cant find much on it, so might be worth if you do zdebug to verify if you get exact same messages. We might be able to figure out from those drops if there is indeed actual IPS protection causing an issue.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-14 02:01 PM
Jump to solution

This is definitely the Network Quota protection, which is inactive by default.
You can do one of two things:

  • Disable it by going to Security Policies > Inspection Settings and setting it to Inactive for the relevant profile
  • Create an exception for the relevant traffic in the protection

Changing this setting requires pushing the Access Policy (not Threat Prevention) since this is a Core Protection handled by the firewall (not IPS).

the_rock
MVP Platinum
MVP Platinum
‎2023-02-14 05:37 PM
In response to PhoneBoy
Jump to solution

Ah, inspection setting, thats why I could not find it...duh, silly me. Anyway, let us know @Roy_Smith if what phoneboy suggested works.

Best,
Andy
0 Kudos
Roy_Smith
Collaborator
‎2023-02-15 08:51 PM
In response to the_rock
Jump to solution

Guys

It was the Network Quota in Inspections Settings that was being referred to. I set it back to inactive and that solved the issue. 

Thanks for the help

0 Kudos
PointOfChecking
Collaborator
‎2025-09-29 03:23 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

Any reason why the default for this setting is disabled? I've found it as enabled in my environment and was thinking it could be useful to fend off DoS attacks?

Thank you

0 Kudos
PhoneBoy
Admin
Admin
‎2025-09-29 05:17 PM
In response to PointOfChecking
Jump to solution

Network Quota has a performance impact of Critical, which is why it is disabled by default.
If you're looking to mitigate DoS attacks, you're far better off using fwaccel dos, which is SecureXL friendly.
See: https://support.checkpoint.com/results/sk/sk112454 

PointOfChecking
Collaborator
‎2025-10-06 08:06 AM
In response to PhoneBoy
Jump to solution

Will look into this. Thank you.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events