CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: "Group With Exclusion" in firewall rules

  1. #1

    "Group With Exclusion" in firewall rules

    Hello y'all

    I am auditing a Check Point firewall rule base provided in HTML format, looking for rules which potentially provide excessive access to destination networks/systems. There are some rules which have a destination group called "All-But-Internal". On first reading this looked OK because it allowed the source to access the Internet without being able to access other internal network addresses. However, on closer examination of the network object "All-But-Internal", which is a "Group with exclusion", the IP, netmask and members fields are all blank:

    Name              Type                  IP       Netmask  Products installed  NAT Address  Members
    All-But-Internal  Group With Exclusion  (blank)  (blank)  (blank)             (blank)      (blank)

    I do not have access to this Check Point or the administrator, and have to make a call on whether this rule is excessive.

    Should it be interpreted that this rule permits the source to access EVERYTHING, as no exclusions have been defined for the "All-But-Internal" group?


  2. #2 (Zurich, Switzerland)

    Re: "Group With Exclusion" in firewall rules

    A group with exclusion (let's say Group-A) is built from 2 other groups, where Group-A = Group-B minus Group-C.

  3. #3 (DFW, TX)

    Re: "Group With Exclusion" in firewall rules

    It looks to me like the tool used to export the data for you does not know how to handle groups with exclusions. Groups don't have an IP address or netmask, and they definitely don't have a "products installed" field. Instead, they reference two groups: "Objects in" and "except". They work exactly how those references imply.

    From the data you have provided here, there is no way to tell which groups are referenced by the group with exclusion.
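The following is an added example, not code from the thread or from Check Point, that models the semantics described in replies #2 and #3 for an offline audit: a group with exclusion matches an address when the address is in the "Objects in" group and not in the "except" group. The group contents (an "Any" group and an RFC 1918 "Internal-Nets" group), the sample addresses, and the class and function names are all constructed for the example. It also handles the two situations the original poster is facing: an export in which the two referenced groups are missing (the result is "unresolvable", not "allowed"), and a group whose "except" reference is genuinely empty (which really does match everything its "Objects in" group matches).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Group:
    """A plain network group: a named list of ip_network objects."""
    name: str
    networks: list

    def contains(self, addr) -> bool:
        return any(addr in net for net in self.networks)


@dataclass
class GroupWithExclusion:
    """Model of a Check Point 'group with exclusion' (hypothetical class name):
    members = objects_in minus except_. Either reference may be None when an
    export tool dropped it, as in the HTML export discussed above."""
    name: str
    objects_in: Optional[Group]
    except_: Optional[Group]

    def resolvable(self) -> bool:
        # Both references must be present before any verdict is possible.
        return self.objects_in is not None and self.except_ is not None

    def contains(self, addr) -> bool:
        if not self.resolvable():
            raise ValueError(f"{self.name}: referenced groups absent from export")
        return self.objects_in.contains(addr) and not self.except_.contains(addr)


def audit_destination(group: GroupWithExclusion, sample: List[str]) -> Dict[str, str]:
    """Classify each sample destination as 'allowed', 'blocked' or 'unresolvable'.
    An unresolvable group is reported as such rather than assumed to be 'Any'."""
    if not group.resolvable():
        return {a: "unresolvable" for a in sample}
    return {a: ("allowed" if group.contains(ip_address(a)) else "blocked") for a in sample}


# Constructed sample data for the example.
ANY = Group("Any", [ip_network("0.0.0.0/0")])
INTERNAL = Group("Internal-Nets", [ip_network("10.0.0.0/8"),
                                   ip_network("172.16.0.0/12"),
                                   ip_network("192.168.0.0/16")])

# Case 1: the group as an administrator would normally define it.
ALL_BUT_INTERNAL = GroupWithExclusion("All-But-Internal", ANY, INTERNAL)
# Case 2: what the poster actually has: both references lost in the export.
EXPORTED_BLANK = GroupWithExclusion("All-But-Internal", None, None)
# Case 3: a misconfiguration where the 'except' group exists but is empty.
EMPTY_EXCEPT = GroupWithExclusion("All-But-Nothing", ANY, Group("Empty", []))

SAMPLE = ["8.8.8.8", "10.1.2.3", "192.168.1.10"]

if __name__ == "__main__":
    for g in (ALL_BUT_INTERNAL, EXPORTED_BLANK, EMPTY_EXCEPT):
        print(g.name, audit_destination(g, SAMPLE))
```

For the audit question in the thread, the model gives the defensible answer: with both references missing from the export, the rule cannot be judged either way from this data, whereas a group whose exclusion list is present but empty is equivalent to its "Objects in" group and would warrant a finding.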
