We're building a new R81.20 Take 76 cluster and have moved to the newer way of geo blocking and using the access rules instead of using the old geo block module. What we've noticed is that countries we're wanting to block are getting to 80/443 due to implied rules. I've dug through the forums and have tried everything I can find and I'm still seeing implied rules allowing traffic to our gateway IPs. What am I missing? Here are the things I've tried/done so far:
1. Went into the Global Properties and unchecked Accept Control Connections.
2. Went into the SAML Portal cluster property and set to 'According to Firewall Policy'
3. Followed sk180808 which I found from this other post and felt like would be the winner but it didn't work. It doesn't say I have to restart gateways but when I grep IMPLIED_RULES_SET_BEFORE_LAST $MDS_FWDIR/conf/cpmEnvVars.conf I get the proper value returned. Post: https://community.checkpoint.com/t5/Security-Gateways/Implied-rule-0-for-external-gw-interface-IP/m-...
Thanks!
Did you also try the other SK referenced there in the same thread?
Which kernel parameters did you set where - mgmt vs gw?
How does the policy look, using any layers etc?
Which SK, SK105740? I did follow that one up to changing the GUI settings. I did not play with the fw_ignore_before_drop_rules mentioned near the bottom.
On SK180808 I ran the two commands on the Mgmt and installed policy afterwards.
$MDS_FWDIR/scripts/reload_env_vars.sh -e "IMPLIED_RULES_SET_BEFORE_LAST=1"
$MDS_FWDIR/scripts/override_server_setting.sh -e IMPLIED_RULES_SET_BEFORE_LAST 1
Policy is simple. Single Security layer and first rule is the country geo block.
So recommended to try the fw_ignore_before_drop_rules kernel change on the two gateways in the cluster? If that works, do I need to back out the change made in SK180808?
What stuff / blades do you have enabled? Think about VPN clients, site to site VPN, MAB IA, maybe GAIA portal on this port?
We have all blades except Mobile Access and Content Awareness enabled under 'Access Control' and Everything under Advanced except QOS. I can try the fw_ignore_before_drop_rules but was waiting to see if Chris confirmed.
Do not block 443, you will break VPN clients, see also https://support.checkpoint.com/results/sk/sk52421
Understood. I don't want to completely block 443. I'm attempting to Geo Block via the Access Policy but implied rules are letting in China/Russia to 80/443. I want to block them. I have an allow rule underneath allowing from everyone else.
Did you also change the policy here? SmartConsole > Platform Portal > Accessibility > Edit.
Did you evaluate fwaccel dos rules? https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/td-p/172695
As a possible workaround, DNAT public to a fake IP by sourcing the country could be an option... not sure it's a working method.
Have not gone that route yet as I was hoping to be able to leverage Access Policy to control the traffic. According to that post, PhoneBoy made it sound like it's impossible to stop the implied rules from hitting but reading sk180808 it does sound like it's possible. Confused.
100% sure you can do it, this is a log from one of my customers:
Time: 2024-08-08T13:56:36Z
Interface Direction: inbound
Service ID: https
Source: IP address
Source Port: 56002
Destination: Firewall IP
Destination Port: 443
IP Protocol: 6
Protocol: HTTPS
Action: Accept
Type: Connection
Policy Date: 2024-08-08T08:35:05Z
Blade: Firewall
Origin: FW
Service: TCP/443
Product Family: Access
Logid: 0
Access Rule Name: Name
Access Rule Number: 6
Description: https Traffic Accepted
Do this one I posted before:
Did you also change the policy here? SmartConsole > Platform Portal > Accessibility > Edit.
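The log above shows the test that settles this question: a connection to the firewall IP on 443 that matched an explicit access rule (rule 6) rather than an implied rule. As an added example (not code from the thread or from Check Point), here is a small Python parser for that "Field: value" log layout that flags accepted connections to the gateway on 80/443 which did not match a numbered access rule. The sample records are constructed, and the assumption that an implied-rule hit carries rule number 0 (as in the linked "Implied rule 0" thread) is an assumption, not something this page states.

```python
"""Flag connections to the gateway that implied rules accepted (added example)."""

# Constructed sample: first record mirrors the thread's log (explicit rule 6),
# second is a made-up implied-rule hit with rule number 0 (assumed convention).
SAMPLE_LOG = """
Time: 2024-08-08T13:56:36Z
Interface Direction: inbound
Source: 198.51.100.7
Destination: Firewall IP
Destination Port: 443
Action: Accept
Access Rule Name: Name
Access Rule Number: 6

Time: 2024-08-08T13:57:01Z
Interface Direction: inbound
Source: 203.0.113.5
Destination: Firewall IP
Destination Port: 443
Action: Accept
Access Rule Number: 0
"""

GATEWAY_PORTS = {80, 443}  # ports the thread is trying to geo-block on the gateway


def parse_records(text):
    """Split blank-line separated 'Field: value' blocks into dicts."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # first colon only, so ISO times survive
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def implied_rule_accepts(records):
    """Return accepted inbound hits on the firewall IP (80/443) with rule number 0."""
    hits = []
    for r in records:
        if r.get("Action") != "Accept" or r.get("Destination") != "Firewall IP":
            continue
        if not r.get("Destination Port", "").isdigit():
            continue
        if int(r["Destination Port"]) not in GATEWAY_PORTS:
            continue
        if r.get("Access Rule Number", "0") == "0":   # assumed implied-rule marker
            hits.append(r)
    return hits
```

Run it against an export of the gateway's accept logs after each policy change; once the list is empty while the explicit geo-block rule still shows drops, the implied rules are no longer in front of the block.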
Hi Lesley,
If I go to Platform Portal, Accessibility is grayed out but does say 'According to Firewall Policy'. Maybe because we changed the Portal to a non-standard port (not 443)?
So update on this... I haven't made any change since setting the Portal, tweaking the Control setting under the blades and running the SK180808 script. I checked this morning and traffic from the geo-blocked countries began dropping around 11:30AM. I'm not sure why unless the settings take some time to go into effect? I'm going to keep an eye on it but for now, the geo block is working.
Did it finally work, or did you move to something else?