More Strangeness !

[gfont96]

Hi All,

Looking through our logs for last night. I saw an https request from and external address to our module (splat hfa04) and I saw it was accepted on rule 0.

I have checked and I have only have accept smartupdate connections ticked and accept outgoing packets from gateway

I did a https://module_hostname from my PC and I saw it get accepted on rule 0 again !?

Nothing comes back (page not found). Any ideas where i should look

cheers,

George

[chillyjim]

This could be visitor mode and/or SNX as they both look like https going to the gateway.

[gfont96]

Hello chillyjim,

Thanks, we do use visitor mode.

the ip in question was in Singapore we don't have anyone there, so I guess it may have been part of a port/sweep scan or just random stuff.

Cheers,

George

[melipla]

Quote:

Originally Posted by chillyjim

This could be visitor mode and/or SNX as they both look like https going to the gateway.

What's SNX?

[northlandboy]

SSL Network Extender. Clientless VPN.

[melipla]

Ah thanks :)

Also, Check Point's Web UI defaults to port 443...

[chillyjim]

Quote:

Originally Posted by melipla

Ah thanks :)

Also, Check Point's Web UI defaults to port 443...

Access to that one isn't controlled by rule 0, that's why I didn't mention it.

[RayPesek]

Is HTTPS in the implied rules for NGX if Visitor Mode is active? It's not for R55. You have to set a rule in the security policy on R55.

Ray

[chillyjim]

I'm pretty sure it is. I'll have to check that nest time I'm in the lab

[RayPesek]

That would produce "interesting" results on a Nokia gateway that uses SSL for the Voyager interface if it's still on port 443, since it binds to all interfaces...

Ray

[gfont96]

Hello All,

The implied rules I can see are;

Mngmt Server --> SVN Foundation --> FW1_CPID --> Accept
LocalMachine --> ANY --> ANY --> Accept
DshieldIP Block List --> ANY --> ANY --> Drop

Cheers,

George

[northlandboy]

Quote:

Originally Posted by RayPesek

That would produce "interesting" results on a Nokia gateway that uses SSL for the Voyager interface if it's still on port 443, since it binds to all interfaces...

Ray

Yep, which is why they tell you to switch Voyager/SPLAT's webUI to something else.

[RayPesek]

I must have missed that note in the tiny little NGX Upgrade Guide. :-)

I would think a change in the implied rules to allow traffic that previously was not allowed would warrant a big, bold-faced note.


George, where are you seeing this one?

"LocalMachine --> ANY --> ANY --> Accept"

If LocalMachine means "enforcement module", it kind of kills the stealth rule.

Ray

[gfont96]

Hi Ray,

The LocalMachine and the Dshield implied rules are at the very bottom of the rule base.

The LocalMachine rule goes away if in global properties I uncheck 'accept outgoing packets originating from gateway'

If I uncheck it the dshield implied rule moves to the top as the second implied rule after the Management Server/SVN Foundation rule

my webgui port is not running on 443

Thanks mate,

George