This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2023-05-22 10:06 PM
Jump to solution

Drop Control Connection Traffic From Malicious IPs

Hello,

We are observing malicious IPs hitting gateway public IPs on tcp/264.

TCP port 264 is FW1_topo - Check Point Security Gateway SecuRemote Topology Requests: Topology Download from Security Gateway (by FWD daemon) to SecuRemote (build 4100 and higher) and SecureClient.

According to sk17745 (Services allowed by "Accept Control Connections" option in "Global Properties"), it is is enabled from anywhere to all Security Management Servers and all Security Gateways.

https://support.checkpoint.com/results/sk/sk17745

We have an explicit drop rule blocking traffic from specific malicious IP intel data sources. However, as the traffic is classified as control connection traffic, the connection is being allowed by the implied rule.

Is there an inherent way by which we can explicitly (or implicitly) drop control connection traffic from a list of malicious source IPs?

Note that I want to automate this process. Though effective, SAM rules are a manual and not particularly scalable solution.  

Regards,
Simon

0 Kudos
1 Solution

Accepted Solutions
HristoGrigorov
Mentor
Mentor
‎2023-05-23 03:10 AM
Jump to solution

Why not use fwaccel dos rate ... ?

View solution in original post

0 Kudos
3 Replies
Ruan_Kotze
Advisor
‎2023-05-23 01:54 AM
Jump to solution

Hi Simon,

Not really, no.  Unless you disable implied rules and create rules in your access policy allowing control connections specifically.

A possible "hack" will be to use Geo Policy as that is applied just after anti-spoofing enforcement and before any "First" implied rules - but this is a feature that is actively being deprecated and you have to take steps to just make it visible in SmartConsole.  This also doesn't directly address your need to block from a list of malicious IPs.

Another option might be to do ACLs on the upstream router?  Either way, I feel your pain, I've had multiple similar scenarios where customers for example wanted to block or limit from where they accept VPN connections etc.

Regards,
Ruan

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2023-05-23 03:10 AM
Jump to solution

Why not use fwaccel dos rate ... ?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-23 12:18 PM
In response to HristoGrigorov
Jump to solution

The only way you can override this implied rule is via the fwaccel dos rate CLI command.
You can see an example here (though this is for Remote Access VPN): https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events