05-14-2010 03:32 AM
this default Global Deny is not an explict rule you can see but a behaviour of the system. If traffic does not match a rule on the policy list then the traffic is denied.
You do not need to have that rule on the list.
05-14-2010 05:43 AM
Thanks. The action are done like following:
1. default global deny any policy will be shown in GUI are deleted at initial config;
2. config a policy which is permit all in the zones between untrust , trust and DMZ, etc;
3 need to reactivate the deny all policy in that firewall
by checking the forum should the command line " set global den a a a log" will be effecitve as initial deny all policy?
Thanks for any feedback
05-15-2010 05:01 AM
I'm afraid I'm not fully understanding the request.
I've attached a factory default configuration from an SSG5 firewall.
As you can see there is only one pre-defined policy in this configuration. The policy that allows internet access from trust to Untrust on the device.
The default deny policy is not an explicitly defined policy but the actual behaviour of the device. Any request that does not match a policy rule that is defined will be denied.
There is no need to create a final deny policy rule. This is just how the device will handle it anyway.
05-17-2010 12:58 AM
This is really the default behaviour of the ScreenOS device. It is not like a hidden policy on Checkpoint.
I suppose that you want to log all dropped requests not corresponding to any explicit policy. You can use global policies for this, f.i.:
set policy global id xxx Any Any ANY deny
set policy id xxx
set log session-init
As you see, the global policy does not contain the src-zone nor the dst-zone. It is applied to the request after all corresponding zone-to zone policies have been checked but with no hits. If you start debugging with "debug flow basic" you'll see, that the global policy is the last one that is checked.
05-18-2010 05:40 PM - edited 05-18-2010 05:57 PM
Edouard is correct on using the global policy to create a logged deny at the end of the policy chain.. To follow up on his correct answer is to remember that by default a "get policy" is not going to display the global policies. You will need to use either a "get policy all" or "get policy global" to display the global policy..
Defined intrazone and interzone policies are checked if no match is found then the global policy is checked. If the global policy is not matched then the default deny is applied for interzone traffic. If its intrazone traffic the zone is checked for intrazone blocking. If blocking is turned on, the packet is dropped. If blocking is not turned on the packet is allowed.