This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2021-11-19 06:01 AM

Threat Prevention Policy - Protected Scope - Not working?

Hello All,

We have an issue with some traffic triggering an IPS Block for some traffic.

The FW Blade log:

ZRH1.png

This is triggering a IPS Blade Log:

ZRH2.png

We tried to bypass the Zscaler traffic from the IPS. We do this generally as Zscaler should in theory already be doing security checks.

ZRH3.png

This did not have any effect. We were still getting the same log messages.   As a test I implemented a Threat Protection rule which used "Destination" instead of "Protected Scope":

ZRH4.png

When we use this test rule, then the logs stop.  Why understanding was (and other articles on the Community back this up) that "Protected Scope" is for matching "Source or Destination", but in this case it does not seem to work.

Is there any other difference between "Protected Scope" and using "Source" and "Destination", that we should be aware of that might explain this behaviour?

Many thanks,

Michael

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2021-11-19 02:38 PM

Protected scope refers to things behind the gateway, whether it is used as a source or destination.
Zscaler is clearly not in the protected scope in this case.

0 Kudos
Tobias_Moritz
Advisor
‎2021-11-21 11:48 PM
In response to PhoneBoy

Phoneboy, with "things behind the gateway" you mean based on topology (defined in database), right?

So protected scope is only usable for things, which are reachable over an interface NOT defined as external from the affected gateway point of view, did I understand you right?

And when using source or destination field in TP policy instead of protected scope field, this limitation does not apply, right?

While this would be a good explanation for the effect Micheal showed us here, I'm really suprised it works this way.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-11-22 12:45 AM
In response to Tobias_Moritz

Protected Scope contains objects that will be inspected when either connecting to or being connected from somewhere. This could contain Updateable Objects like O365 o.s.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor
‎2021-11-21 11:55 PM
In response to PhoneBoy

Hello,

This would definitely explain the behavior.  In the Threat Prevention Admin Guide I do not see this mentioned.  The closest to a  definition I can see is: "The list of network objects you want to protect."  Is the protected Scope then only relevant to interface topologies that are marked as "internal"?

Many thanks,

Michael

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-11-22 12:41 AM
In response to Michael_Horne

I find that this is explained very throughly in Threat Prevention R81.10 Administration Guide p.50ff Protected Scope ! Also see sk114806: ATRG: Threat Emulation (20) Performance considerations and Best practices and sk120933: How to configure the Protected Scope in Anti-Virus Settings for file downloads

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor
‎2021-11-22 01:02 AM
In response to G_W_Albrecht

Hello,

This definition is quite good, but does not explicitly clarify the comment as to whether the Protected Scope can cover objects that are external to the local security gateway. The comments you made about the use of updatable objects references which is part of the definition would indicate that the protects scope could include external resources, as it is highly unlikely that there are updateable objects for internal resources, unless is a customer created one. Everything I have seen referenced implies that external resources can be used as the protected scope. Hence my original question.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-11-22 01:15 AM
In response to Michael_Horne

I read as follows:

Protected Scope objects can be

Network objects, such as Security Gateways, clusters, servers, networks, IP ranges, and so on. From R80.10, dynamic objects and domain objects are also supported in the Threat Prevention Policy.

Network object groups

Updatable objects (from R80.40)

IP address ranges

Roles

Zones

So naturally you can use external objects if needed, but in everyday life i would just include all internal networks to protect my clients and servers that will be inspected when either connecting to or being connected from somewhere. Also see the mentioned Performance considerations and Best practices !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tobias_Moritz
Advisor
‎2021-11-22 01:26 AM
In response to G_W_Albrecht

Thank, Günther, for the detailed explanation and I agree to that suggestion, but how does this explain the different behavior observed by Micheal when putting the network group object in Protected Scope field versus putting it in Destination field?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-11-22 04:41 AM
In response to Tobias_Moritz

I would suggest to ask TAC about this different behavior !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-11-20 10:29 AM

Similarly to Access Control, in the Threat Prevention policy the Protected Scope matching is performed pre-NAT.  So for an outbound connection that is presumably Hide NATted, the original inside IP must be specified there for a proper match.  For an inbound connection that is statically NATted, the outside Internet-routable IP address must be specified since that is the one present in the packet prior to any NAT operations.  This applies equally regardless of whether source or destination (or both) are being NATted by the firewall.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Pawel_Szetela
Contributor
‎2021-11-22 01:02 AM
In response to Timothy_Hall

Hi Timothy,

Can You clarify:

"... For an inbound connection that is statically NATted, the outside Internet-routable IP address must be specified since that is the one present in the packet prior to any NAT operations. This applies equally regardless of whether source or destination (or both) are being NATted by the firewall."

If we have object with automatic static NAT do we have to create another object with public IP and use it in policy? Is it relevant for Protected Scope or Source or Destination in Threat Prevention?

Reagrds,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events