Traffic Originating on Checkpoint Firewall Invisible

To my horror, I discovered that Checkpoint Firewall-1 does not apply any rules involving the Firewall itself unless you have the Properties dialog set to Outbound or Eitherbound. In an Inbound installation, you could have viruses and trojans galore on your firewall, and none of that traffic would show up in your log, and none of your firewall rules pertaining to the Firewall-1 object would be applied. That's scary.

Aside from the fact that rules are getting applied twice, is there a reason to avoid the Eitherbound setting?

Reply to
Will

Ummm...

to my horror, I noticed that you don't know what you are doing!

Look up "implied rules"

regards datacide

Reply to
datacide

Why is it that every response you have in this newsgroup is just a cheap shot with pseudo-information? If you can't invest in giving complete answers, don't answer. No one needs to hear your opinions about how much they do or do not know. It doesn't progress anyone's knowledge of anything.

Reply to
Will

No but it does make those people seem big and clever, or at least they think it does.

Reply to
Memnoch

The surprising thing was that the rulesets you describe were NOT executing when Firewall-1 was configured for inbound filtering. I'm guessing that the reason is the traffic originating on the firewall never comes *in* to any interface. That traffic is outbound only, and in an "inbound" configuration you never screen the outbound traffic.

What you describe is precisely why I found the behavior I discovered so objectionable. Explicit rules in the ruleset were simply being ignored.

We were configured Eitherbound and I was simply experimenting to see if I could improve performance.

Reply to
Will

Assuming you're not talking about Access Control Lists on an OSE device, just how old of a Firewall-1 installation do you have? FW-1 NG defaults to eitherbound and cannot be changed. Eitherbound has a performance hit obviously.

If you need to do inbound for performance reasons on your old installation and you're worried about your firewall becoming infected and sending stuff outbound, write some rules with the firewall in the Source field and set the Install On to SRC. Then the services in that rule will be inspected (and logged if you so choose).

Reply to
Jason Kau

Hello again,

the whole point was to look up implied rules.

Policy -> Global properties -> Firewall 1 implied rules

These are rules that are active, but not actively shown in the rulebase. For example to allow the management server to manage an enforcement module etc.

There is specifically one, "accept outgoing packets originating from the firewall" which means that traffic is allowed..... you guessed it... from the firewall.

Instead of bitching about my reply one of you could have looked up implied rules.

Time spent venting your anger about people not helping could be used to learn. I gave all the hint anyone needed.

The statement about not having a clue was due to the wording of the initial posting:

To my horror, I discovered that Checkpoint Firewall-1 does not apply any rules involving the Firewall itself unless you have the Properties dialog set to Outbound or Eitherbound.

It is an absurd statement, and one based on the fact that the user does not know the product. The statement was a statement of fact, not a question etc. It is ridiculous to assume that a corporate high end firewall would not do that.

Reply to
datacide
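The three behaviours discussed in this thread (Will's inbound-only setting skipping firewall-originated traffic, datacide's implied "accept outgoing packets originating from the firewall" rule taking precedence over explicit rules, and Jason Kau's workaround of installing a rule on SRC) can be shown side by side in a small simulation. The code below is an added example written for this page; it is not Check Point's inspection engine or any real policy export. It is a simplified model with these assumptions: implied rules are evaluated first, a rule with Install On = SRC is enforced on the outbound side of the source object regardless of the global direction setting (as Jason Kau describes), and the object names, host address and service are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed object names for the example; not taken from any real policy.
FIREWALL = "fw-1"
INTERNAL_HOST = "10.0.0.5"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    direction: str  # "inbound": entering an interface; "outbound": leaving one


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # object name or "any"
    dst: str
    service: str
    action: str         # "accept" or "drop"
    log: bool = True
    install_on: str = "gateways"  # "gateways" (all inspected directions) or "src"


# Modelled on the implied rule datacide names; simplified, not the product's own.
IMPLIED_ACCEPT_FW_OUTGOING = Rule(
    name="implied: accept outgoing packets originating from the firewall",
    src=FIREWALL, dst="any", service="any", action="accept", log=False)


def direction_inspected(direction: str, mode: str) -> bool:
    """Global property: which direction(s) the rule base is applied to."""
    if mode == "eitherbound":
        return True
    return direction == mode


def field_matches(rule_value: str, packet_value: str) -> bool:
    return rule_value == "any" or rule_value == packet_value


def rule_matches(rule: Rule, packet: Packet) -> bool:
    return (field_matches(rule.src, packet.src)
            and field_matches(rule.dst, packet.dst)
            and field_matches(rule.service, packet.service))


def rule_enforced_here(rule: Rule, packet: Packet, mode: str) -> bool:
    """Install On = SRC: enforce on the outbound side of the source object,
    independent of the global direction setting (assumption from the thread)."""
    if rule.install_on == "src":
        return packet.direction == "outbound" and packet.src == rule.src
    return direction_inspected(packet.direction, mode)


def inspect(packet: Packet, mode: str, explicit: Sequence[Rule],
            implied: Sequence[Rule] = ()) -> Tuple[str, Optional[str], bool]:
    """Return (verdict, name of the matching rule, whether it was logged).

    Implied rules are evaluated before the explicit rule base in this model.
    Traffic in a direction that is not inspected never reaches any rule, so it
    is neither blocked nor logged.
    """
    for rule in [*implied, *explicit]:
        if rule_enforced_here(rule, packet, mode) and rule_matches(rule, packet):
            return rule.action, rule.name, rule.log
    if direction_inspected(packet.direction, mode):
        return "drop", "cleanup (no rule matched)", True
    return "pass-uninspected", None, False


# Constructed scenario: a process on the firewall opens an outbound connection.
FW_EGRESS = Packet(src=FIREWALL, dst=INTERNAL_HOST, service="http", direction="outbound")
BLOCK_FW_EGRESS = Rule(name="block traffic originating on the firewall",
                       src=FIREWALL, dst="any", service="any", action="drop")
BLOCK_FW_EGRESS_ON_SRC = Rule(name="block firewall egress (Install On: SRC)",
                              src=FIREWALL, dst="any", service="any",
                              action="drop", install_on="src")


def scenarios() -> dict:
    return {
        # Will's observation: inbound-only, the explicit rule is never consulted.
        "inbound, explicit drop": inspect(FW_EGRESS, "inbound", [BLOCK_FW_EGRESS]),
        # datacide's point: eitherbound, but the implied accept wins first, unlogged.
        "eitherbound, implied first": inspect(
            FW_EGRESS, "eitherbound", [BLOCK_FW_EGRESS], [IMPLIED_ACCEPT_FW_OUTGOING]),
        # Implied rule disabled: the explicit drop now matches and is logged.
        "eitherbound, implied off": inspect(FW_EGRESS, "eitherbound", [BLOCK_FW_EGRESS]),
        # Jason Kau's workaround: inbound mode, rule installed on SRC.
        "inbound, install on src": inspect(
            FW_EGRESS, "inbound", [BLOCK_FW_EGRESS_ON_SRC], [IMPLIED_ACCEPT_FW_OUTGOING]),
    }


if __name__ == "__main__":
    for label, (verdict, rule, logged) in scenarios().items():
        print(f"{label:28s} -> {verdict:16s} rule={rule!r} logged={logged}")
```

Running it prints one line per scenario. The first case shows why nothing appears in the log under an inbound-only setting: the packet is never handed to the rule base at all. The second shows that switching to eitherbound is not enough on its own while the implied accept rule sits ahead of the explicit rule base, which is the detail datacide points to. The last two show the two ways the explicit drop actually takes effect and produces a log entry.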
