This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Netadmin2020
Collaborator
‎2021-03-25 03:41 AM

Implied Rule 0

Hello!

Gateway version 80.40 (Model 15600)

implied 0.PNG

implied 0a.PNG

Can you please explain why this is passing with this implied rule? I observe similar behavior in a log that someone attack with ssh from outside to inside.

thank you 

0 Kudos
20 Replies
_Val_
Admin
Admin
‎2021-03-25 03:46 AM

One of your cluster member is connecting to Akamai based Check Point update servers. Absolutely normal.

Screenshot 2021-03-25 at 11.43.41.png

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 03:54 AM
In response to _Val_

look at this too.

ok1.PNG

ok2.PNG

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 03:56 AM
In response to Netadmin2020

What exactly you do expect me to see here? Please phrase your question in a way it can be understood.

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 03:58 AM
In response to _Val_

Sorry. I am allowing ssh anywhere so how it is passed (as you can see in the log)?

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 04:05 AM
In response to Netadmin2020

I can see the rule is matched on Network policy and Application control policy. Apparently you have two layers or more. You allow SSH anywhere, it passes, what is the question? What are you trying to figure our, actually?

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 04:06 AM
In response to _Val_

I am not allowing ssh, i have 2 ordered layers network and application.

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 04:17 AM
In response to Netadmin2020

Check your policy once more. There are rules matching. What is looking fishy is that your Implicit Cleanup rule says "Accept". 

Screenshot 2021-03-25 at 12.10.08.png

You must configured Implicit action to be accept for Network, which is super bad. Change it to drop.

Screenshot 2021-03-25 at 12.15.59.png

Also make sure you read and understand you admin manual and sk112249


G_W_Albrecht
Legend Legend
Legend
‎2021-03-25 03:55 AM

I can see an accepted connection from Internal to External on  Sync Interface that was accepted by Network Layer Rule 29. Second, Application layer implied rule is listed - what is wrong with that ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 04:00 AM
In response to G_W_Albrecht

On the application layer why is this automatically accepted? where is this rule 0 and how can i change this?

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 04:01 AM
In response to Netadmin2020

You do not want disallowing FWs to open outgoing connections. Lots of thinks will break.

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 04:13 AM
In response to _Val_

My question here is how ssh passed with the rule implicied clean up at network layer? i have no rule that allows ssh and at the end of my rules i have the block all enabled.

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 04:24 AM
In response to Netadmin2020

Already answered above. You have implied clean rule set to accept. That should not happen. Basically, you are wide open for any traffic which is not matched to your explicit rules.

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 04:40 AM
In response to _Val_

Where this rule located ? The implicit cleanup rule 0

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 05:20 AM
In response to Netadmin2020

See the screenshot above. Click on Layer/Advanced

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 05:23 AM
In response to _Val_

thank you very much, so the scenario everything is denied except allowance rule, in application and network layer the implicit cleanup rule must be at deny.

Right?

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 07:53 AM
In response to Netadmin2020

Yes. Never ever change implied action on Network layer.

It is okay to have it Allow for Application Control though, because otherwise all non-categorized traffic will be dropped.

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 08:14 AM
In response to _Val_

My last network rule is any any block all. So you mean that this implied cleanup that we are taking about it accepts before the last rule ?

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 08:26 AM
In response to Netadmin2020

Block or drop?

Netadmin2020
Collaborator
‎2021-03-25 08:40 AM
In response to _Val_

drop all

0 Kudos
_Val_
Admin
Admin
‎2021-03-25 08:48 AM
In response to Netadmin2020

This is very odd. It seems it does not match those SHH connections you are trying to drop. In any case, change implicit action to Drop as soon as possible, and then check again

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events