This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2024-01-04 03:55 PM

Firewall does not block traffic.

Hello,

I have a Cluster R81.10 which has only the following blades enabled

[Expert@SG:0]# enabled_blades
fw av ips anti_bot mon

Client does not want to enable URLF+APPC blades.
Customer does not want to modify the Cluster object behaviour (Currently AntiBot & Anti-Virus are set to "Detect Only")

J4.png
J3.pngJ2.png
J5.png

The only viable option I see to block LAN traffic to the cilkonlay.com domain is to use a per FQDN rule.
The rule has been created, but the GW does not "obey" the rule.

Traffic is still allowed. It is relevant to mention that we are now testing access to the URL from remote user connections (RA VPN).

Does anyone know why traffic is not blocked with the custom FQDN rule?

Regards.

0 Kudos
9 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-01-04 06:48 PM

Can you send screenshot of the rule?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2024-01-04 07:58 PM
In response to the_rock

Hey,

This is the TP rule you have defined.

J6.png

And this is the rule we have created in the Firewall layer, so that it works with FQDN.

J3.png
We are trying to block traffic to the domain "cilkonlay.com", but the Firewall is ignoring our Firewall rule using FQDN

We are testing with a simple PING from our remote VPN user connections, but we are unable to block traffic to that destination.

J7.png

Cheers 🙂


0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-01-04 08:09 PM
In response to Matlu

Bro, we been through this many times lol. You need to check according to policy setting in gateway object for TP policy to be applied. Also, security rule has to have fqdn object as a destination.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-01-04 08:53 PM
In response to Matlu

What do you see on the matched rules tab?

Is the RA VPN configured for hub mode?

 

CCSM R77/R80/ELITE
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2024-01-05 07:40 AM
In response to Chris_Atkinson

Hello,

By "Hub Mode" do you mean the following option?

H1.png


What do you mean by this option "matched rules tab"?

Could you tell me where you see that, please?

Cheers. 🙂

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-01-05 07:42 AM
In response to Matlu

I think Chris was referring to log entry, which would have matched rules tab.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-01-05 04:08 PM
In response to the_rock

Correct, since technically all we see is the DNS traffic in the logs above and without hub mode forcing internet traffic via the VPN the Firewall will not be able to block other traffic unless it is in the encryption domain.

 

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin
‎2024-01-05 12:58 PM
In response to Matlu

Unless "Route All Traffic to Gateway" (i.e. Hub Mode) is enabled, you cannot prevent a Remote Access client from connecting to an externally hosted site.
This is the kind of thing Harmony Endpoint or Quantum SASE should be able to do.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-01-07 04:44 PM
In response to Matlu

As @PhoneBoy said, if that option route all gtraffic to gateway is not enabled, then its not really feasable to prevent client to get to external site, since they would technically be using their own ISP for that sort of traffic.

Makes sense?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events