CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 4 of 4

Thread: SAM rules exception

  1. 2017-06-20 #1
    Mariusz1
    Mariusz1 is offline Member
    Join Date
    2015-10-21
    Posts
    32
    Rep Power
    0

    Default SAM rules exception

    Hello,

    From time to time some legitimate hosts/networks falls into SAM :-(. Is it possible to enter SAM rules exception (the same idea as in IPS network exceptions)?

    Best regards
    Mariusz
    Reply With Quote Reply With Quote
  2. 2017-06-20 #2
    varera
    varera is offline Senior Member
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,028
    Rep Power
    14

    Default Re: SAM rules exception

    It is better to not use SAM at all. However, you can create an indefinite SAM rule allowing traffic for your legitimate hosts. Main issue here, it sits before any other policy rule. I would avoid that by any mean if I were you
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
    Reply With Quote Reply With Quote
  3. 2017-06-20 #3
    ShadowPeak.com
    ShadowPeak.com is offline Senior Member
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,226
    Rep Power
    13

    Default Re: SAM rules exception

    Suspicious Activity Rules were originally intended to be used temporarily in an IDS intruder shunning situation and to be fast-acting (i.e. a policy install is not required to enforce them). There is no way to define an exception to these that I can see.

    If you ever want to play a joke on your arrogant colleague who claims to know everything about Check Point (and lets you know about it daily), add a SAM rule via SmartView Monitor for his workstation address source IP, set the Action to Drop, and Track to None. :-) Nothing short of a "fw ctl zdebug drop" can uncover why the heck he can't seem to pass any traffic through the firewall. And even the zdebug saying "SAM drop" or whatever may not mean anything to your colleague if he is not aware of the SAM mechanism...
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
    Reply With Quote Reply With Quote
  4. 2017-06-20 #4
    PhoneBoy
    PhoneBoy is offline Senior Member
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,484
    Rep Power
    16

    Default Re: SAM rules exception

    Who needs to use SmartView Monitor for this when you can use "fw sam" to do this?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Similar Threads

  1. IPS Exception for particular domain.
    By m_1607 in forum IPS Blade (Formerly SmartDefense)
    Replies: 1
    Last Post: 2012-05-07, 06:52
  2. Mobile Access BLade (R75.10) - Downloaded-from-GW JavaRDP Exception
    By gahanpa in forum Mobile Access Blade (Formerly Connectra)
    Replies: 2
    Last Post: 2011-07-25, 08:29
  3. Unable to put exception or be granular
    By switzer in forum IPS Blade (Formerly SmartDefense)
    Replies: 2
    Last Post: 2010-09-21, 13:29
  4. Deleting old rules in complex policy (#300 rules) without log action ?
    By damien in forum Miscellaneous
    Replies: 2
    Last Post: 2006-03-17, 16:05
  5. NAT with exception
    By ganoderma in forum NAT (Network Address Translation)
    Replies: 1
    Last Post: 2006-03-06, 03:05

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules