CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Poll: Does rule permit access from source to
  • EVERYTHING: 0 votes (0%)
  • NOTHING: 0 votes (0%)

Thread: "Group With Exclusion" in firewall rules

  1. #1
    Question "Group With Exclusion" in firewall rules

    Hello y'all

    I am auditing a Check Point firewall rule base provided in HTML format, looking for rules which potentially provide excessive access to destination networks/systems. There are some rules which have a destination group called "All-But-Internal". On first reading this looked ok because it allowed the source to access the Internet without being able to access other internal network addresses. However, on closer examination of the network object "All-But-Internal", which is a "Group with exclusion", the IP, netmask and members fields are all blank:

    Name              Type                  IP    Netmask    Products installed    NAT Address    Members
    All-But-Internal  Group With Exclusion  (blank)  (blank)  (blank)            (blank)        (blank)

    I do not have access to this Check Point or the administrator, and have to make a call on whether this rule is excessive.

    Should it be interpreted that this rule permits the source to access EVERYTHING, as no exclusions have been defined for the "All-But-Internal" group?

    Thanks.

  2. #2
    Default Re: "Group With Exclusion" in firewall rules

    A group with exclusion (let's say Group-A) is built from 2 other groups, where Group-A = Group-B minus Group-C.

  3. #3
    Default Re: "Group With Exclusion" in firewall rules

    It looks to me like the tool used to export the data for you does not know how to handle groups with exclusions. Groups don't have an IP address or netmask, and they definitely don't have a "products installed" field. Instead, they reference two groups: "Objects in" and "except". They work exactly how those references imply.

    From the data you have provided here, there is no way to tell which groups are referenced by the group with exclusion.
    Zimmie
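The semantics given in reply #2 (Group-A = Group-B minus Group-C) and the two references named in reply #3 ("Objects in" and "except"), modelled as a small audit helper. This is an added example, not code from the thread, from Check Point, or from any export tool. The object names, the addresses, the lookup tables and the "Exported-Blank" group are constructed placeholders standing in for whatever a complete object dump would provide; a None reference models an export that dropped the group's references, which is the situation in the question.

```python
from ipaddress import ip_address, ip_network

# Constructed sample objects (placeholders, not taken from any real rule base).
# Plain network objects: name -> list of CIDR strings.
NETWORK_OBJECTS = {
    "Any":          ["0.0.0.0/0"],
    "Net_Corp_LAN": ["10.0.0.0/8"],
    "Net_DMZ":      ["192.0.2.0/24"],
}

# Simple groups: name -> member names (network objects or other simple groups).
SIMPLE_GROUPS = {
    "Internal": ["Net_Corp_LAN", "Net_DMZ"],
}

# Groups with exclusion: name -> the two references the object really carries.
# None models an export that lost the reference (hypothetical "Exported-Blank").
EXCLUSION_GROUPS = {
    "All-But-Internal": {"objects_in": "Any", "except": "Internal"},
    "Exported-Blank":   {"objects_in": None,  "except": None},
}


def expand(name):
    """Flatten a network object or simple group into a list of ip_network values."""
    if name is None:
        return []
    if name in NETWORK_OBJECTS:
        return [ip_network(cidr) for cidr in NETWORK_OBJECTS[name]]
    if name in SIMPLE_GROUPS:
        nets = []
        for member in SIMPLE_GROUPS[name]:
            nets.extend(expand(member))
        return nets
    if name in EXCLUSION_GROUPS:
        raise ValueError(f"nested group with exclusion {name!r} is not handled here")
    raise KeyError(f"unknown object {name!r}")


def resolve_exclusion_group(name):
    """Return (objects_in, excluded): the group matches objects_in minus excluded."""
    spec = EXCLUSION_GROUPS[name]
    return expand(spec["objects_in"]), expand(spec["except"])


def group_matches(name, ip):
    """True when ip falls inside 'Objects in' and outside 'except'."""
    addr = ip_address(ip)
    objects_in, excluded = resolve_exclusion_group(name)
    return any(addr in net for net in objects_in) and not any(addr in net for net in excluded)


def audit_exclusion_group(name):
    """Classify what a group with exclusion permits, for a rule-base review."""
    spec = EXCLUSION_GROUPS[name]
    if spec["objects_in"] is None or spec["except"] is None:
        # The export lost the references; blank fields say nothing about the real scope.
        return "UNRESOLVED"
    objects_in, excluded = resolve_exclusion_group(name)
    if not objects_in:
        return "NOTHING"
    if not excluded:
        return "EVERYTHING_IN_OBJECTS_IN"
    return "OBJECTS_IN_MINUS_EXCEPT"


if __name__ == "__main__":
    for group in EXCLUSION_GROUPS:
        print(f"{group}: {audit_exclusion_group(group)}")
    for ip in ("203.0.113.5", "10.1.2.3", "192.0.2.10"):
        print(f"All-But-Internal covers {ip}: {group_matches('All-But-Internal', ip)}")
```

The verdict for a group whose references are missing is deliberately "UNRESOLVED" rather than "EVERYTHING" or "NOTHING": as reply #3 points out, a blank export row carries no information about the two groups behind the object, so the reviewer has to obtain the object definition itself before scoring the rule.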
