
In 10 years of my daily work with Checkpoint firewalls I have been to many troubleshooting sessions. Different versions, topologies and technologies brought different issues with them, but what remains constant are the mistakes people make. Here is my 'top' list of the frequent errors that beginners (and not only beginners) make. The list relates to the firewall versions R55-R77.30, with the added remediation means of R80 thanks to Tomer Sole's remarks on the CheckMates CheckPoint Community forum, as I myself haven't gathered enough experience with this version yet.

Deletion of an object which is being used (cannot happen in R80 by design). In my experience this one can be the most dangerous (read below). It happens especially with sysadmins coming from the Windows world, where warnings are frequently ignored and you just click through them. Checkpoint allows admins to delete an object that is being used in Security Rules while warning about the consequences. Unfortunately, not everyone reads and follows these warnings. My recommendation when getting such a warning is NOT to delete the object, but to check all the Rules where it is being used, remove it from them with due diligence and only then delete it. This warning message has a button named "Where used?", which, if pressed, will show all the places this object is part of. The consequence of deleting such an object is that in the places where it is used the system will automatically replace it with the object "Any", which in most cases is not what the admin wants.

A real-life case to illustrate the importance follows. I got a call from a client complaining about an excruciatingly slow Internet connection for the whole company: slow load times for pages, mails stuck in the queue, high pings. After a few short checks it was clear the company's line to the Internet was 100% overloaded. The situation didn't get better even when the client disconnected his LAN completely. A few more checks excluded the possibility of a DoS attack, and by all signs the huge traffic in the outbound (upload) direction was initiated by the firewall itself. The SmartView Tracker logs showed lots of outbound SSH connections from the firewall to different IP addresses on the Internet. It became clear what had happened when I logged in to the firewall via SSH and listed the admin folder: there were Bash scripts like bruter.sh and uploader.sh and various large files named after movies popular at the time.
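The "Where used?" check and the silent replacement with "Any" from the object-deletion pitfall above, modelled as a small pre-deletion audit. This is an added example, not code from the post or from Check Point; the rulebase below is a constructed simplification (object names and fields are assumed), not the product's own export format.

```python
"""Pre-deletion audit: where is an object used, and which accept rules
would widen to 'Any' if it were deleted with the warning ignored?"""

# Constructed sample rulebase (assumed format, not a Check Point export).
# Each rule names its source, destination and service objects; "Any" is
# the wildcard object the product substitutes for a deleted object.
RULEBASE = [
    {"no": 1, "src": ["Branch_LAN"], "dst": ["Mail_Server"], "svc": ["smtp"], "action": "accept"},
    {"no": 2, "src": ["Admin_Host"], "dst": ["Firewall_GW"], "svc": ["ssh"], "action": "accept"},
    {"no": 3, "src": ["Any"], "dst": ["Web_Server"], "svc": ["http", "https"], "action": "accept"},
    {"no": 4, "src": ["Any"], "dst": ["Any"], "svc": ["Any"], "action": "drop"},
]

FIELDS = ("src", "dst", "svc")


def where_used(rulebase, name):
    """(rule number, field) pairs referencing `name`: the 'Where used?' button."""
    return [(r["no"], f) for r in rulebase for f in FIELDS if name in r[f]]


def simulate_delete(rulebase, name):
    """Rulebase as it would look after deleting `name`: every reference -> 'Any'."""
    out = []
    for r in rulebase:
        new = dict(r)
        for f in FIELDS:
            new[f] = ["Any" if obj == name else obj for obj in r[f]]
        out.append(new)
    return out


def widened_accepts(rulebase, name):
    """Numbers of accept rules that become broader after the deletion, i.e. a
    field that was restricted to `name` now matches Any."""
    hits = []
    for before, after in zip(rulebase, simulate_delete(rulebase, name)):
        if before["action"] != "accept" or before == after:
            continue
        if any("Any" in after[f] and "Any" not in before[f] for f in FIELDS):
            hits.append(before["no"])
    return hits


def safe_to_delete(rulebase, name):
    """True only when no rule references the object, so nothing is widened."""
    return not where_used(rulebase, name)
```

Run `widened_accepts` before removing any object: a non-empty result is exactly the rule set that would silently open up, which is what the "Where used?" button is there to prevent.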
