Hi all,
I have a rule in a production firewall setup as such:
src - 10.0.0.0/24 dst - not(172.16.1.0/24) ??? not(192.168.1.0/24)
My question is "???" supposed to be "and" or "or"?
The first clause of the dst would allow 10.0.0.0/24 to go anywhere except to 172.16.1.0, while the 2nd clause would allow it to go anywhere but 192.168.1.0. Would the dst have to satisfy both clauses (not(172.16.1.0/24) and not(192.168.1.10) == not(172.16.1.0/24 and 192.168.1.0/24), which is what I think the engineer wanted) or would match the first clause and allow the packet thru, even if it was bound for 192.168.1.0/24?
I know that on regular network objects it's first match. Assume I have a list of hosts for the dst (192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4) and a packet comes in destine for 192.168.1.2 it would be allowed thru even though it did not match 192.168.1.1, 192.168.1.3, or 192.168.1.4; which suggests an "or" operation.
However in the same firewall a later rule with a dst of 192.168.1.0/24 to the same port does not alert when I do a validation, does not match the above rule first, suggesting an "and" operation (dst is not 172.16.1.0/24 but is 192.168.1.0/24 so not match both clauses (the "and" operation) and passed on to next rule).
Or is it handled some other way?
This rule seems to working ok so this is more for my own edification. Thanks in advance for your help.
Tom.
Results 1 to 3 of 3
-
2014-03-24 #1
Junior Member
- Join Date
- 2012-05-27
- Posts
- 4
- Rep Power
- 0
A questions about how destinations are interpreted with in a rule
-
2014-03-25 #2
Senior Member
- Join Date
- 2005-08-14
- Location
- Gig Harbor, WA, USA
- Posts
- 2,500
- Rep Power
- 20
Re: A questions about how destinations are interpreted with in a rule
If you are not using a negation for source/destination, it is interpreted as "or" (as in Source is X or Y)
If you are using a negation for source/destination, it is interpreted as "and" (as in Source is NOT X and NOT Y).http://phoneboy.org
Unless otherwise noted, views expressed are my own
-
2014-03-25 #3
Senior Member
- Join Date
- 2007-06-04
- Posts
- 3,314
- Rep Power
- 20
Re: A questions about how destinations are interpreted with in a rule
If you have a list of addresses in the Destination or Source sections then it is treated as an OR.
As such
Source = 10.0.0.0/24
Destination = negate cell 172.16.1.0/24, 192.168.1.0/24
This is interprested as
Source must be in the 10.0.0.0/24 network range
Destination is anything other then 172.16.1.0/24 OR 192.168.1.0/24
You have negated the cell so why when you have another rule that allows
Source = Any
Dest = 192.168.1.0/24
The first rule does not permit traffic to the 192.168.1.0/24
The second rule does permit traffic to the 192.168.1.0/24
Why are you surprised that the verification doesn't generate an error?
Reply With QuoteSimilar Threads
-
Checkpoint Top Talkers Script - Display top 50 Source/Destinations
By NetworkNubbin in forum Check Point Firewall Administrator's ToolkitReplies: 1Last Post: 2013-05-03, 13:26 -
Rule Destinations - to NAT address or Real address?
By EBrander in forum NAT (Network Address Translation)Replies: 5Last Post: 2011-07-04, 05:25 -
Latest Questions for CCSE NGX -(101 questions)
By Amit_U in forum CCSE NGX Exam 156-315.1 (No Longer Offered)Replies: 34Last Post: 2010-09-16, 11:11 -
Same subnet 2 differents Nats Destinations
By Demitri-Masters in forum NAT (Network Address Translation)Replies: 5Last Post: 2009-07-17, 11:52 -
Latest Questions -CCSE-NGX (101-questions for free)
By Amit_U in forum CCSE NGX Exam 156-315.1 (No Longer Offered)Replies: 5Last Post: 2006-12-18, 23:53
Bookmarks