Implied rules are generated but not displayed in the Implied Rules view
Symptoms
  • Implied rules are generated but not displayed in the Implied Rules view.
  • Connections may match implied rules that are not displayed in the Implied Rules view.
Cause

There are implied rules that are only generated when certain blades are enabled, and according to the specific blades' logic.

Not all of these implied rules are displayed in the current GUI view for Implied Rules.


Solution

To view the Implied Rules, do the following:

On R77.30 and prior versions:

On R80.10 and higher:

Below is a list of implied rules that are never displayed in the Implied Rules view, together with their generation conditions:

Notes:

  • All of the implied rules below are 'First' implied rules.
  • "Service" indicates service objects or IP protocol and port.
  • Where Source and Destination list two values (for example "Gateway, Any" and "Any, Gateway"), the rule is generated in both directions: the first source with the first destination, and the second source with the second destination.

| Name | Source | Destination | Service | Action | Generation condition |
|---|---|---|---|---|---|
| accept_outgoing_connectra | Gateway | Any | Connectra outgoing services | Accept | 1. Mobile Access blade enabled; 2. IP protocol and port defined in connectra_outgoing_services table |
| accept_tunnel_test_community | Gateway | Any | tunnel_test | Accept | VPN blade enabled |
| accept_tunnel_test_traditional | Gateway | Any | tunnel_test | Accept | VPN blade enabled |
| accept_l2tp | Gateway, Any | Any, Gateway | L2TP | Accept | 1. VPN blade enabled; 2. Remote Access enabled |
| accept_fw_ica_services_port | Any | Management, Gateway | FW_ica_services | Accept | Enabled by default |
| accept_fw1_seam | SmartEvent clients | SmartEvent servers | CP_seam | Accept | Enabled by default |
| accept_uaa_communication | User Authority products | User Authority products | FW1_uaa | Accept | Legacy Authentication enabled |
| accept_av_http | Internal | Gateway | TCP port 12873 | Accept | Anti-Virus blade enabled |
| te_allow_internal_communication | Threat Emulation Gateways | Threat Emulation Gateways | TCP port 18194 | Accept | Threat Emulation blade enabled |
| accept_fw1_cvp | Gateway | CVP server | CVP service port | Accept | Resource with CVP is defined |
| accept_scv_status | Remote Access Clients | Any | UDP port 18233 | Accept | 1. VPN blade enabled; 2. Remote Access enabled |
| enable_tcpt | Any | Gateway | Visitor mode port | Accept | Visitor mode is enabled in VPN blade |
| enable_portal_http | Internal/All interfaces | Gateway | http, https | Accept | Multiportal enabled to be accessed not according to FW policy |
| enable_portal_wins | Gateway | Any | nbname | Accept | Mobile Access blade enabled |
| enable_portal_dns | Gateway | Any | domain-udp | Accept | Mobile Access blade enabled |
| accept_app_mode_back_conn | native_app_servers | Any | Any | Accept | 1. Mobile Access blade enabled; 2. SNX application mode is enabled |
| accept_connectra_proxy_http | Any | http_proxy_ips | Any | Accept | 1. Mobile Access blade enabled; 2. HTTP proxy is enabled: IF (<Gateway-OBJECT> --> http_proxy_setting --> use_http_proxy == 1) |
| accept_connectra_proxy_https | Any | https_proxy_ips | Any | Accept | 1. Mobile Access blade enabled; 2. HTTP proxy is enabled: IF (<Gateway-OBJECT> --> http_proxy_setting --> use_http_proxy == 1) |
| accept_dynamic_routing_sync | Cluster Members | Cluster Members | FIBMGR | Accept | ClusterXL Gateway |
| accept_ica_ssl | GUI clients | Management | FW1_ica_mgmt_tools | Accept | Enabled by default |
| accept_swtp_sms | Any | Management | SWTP_SMS | Accept | Created when a Sofaware device (Edge) is configured via Management |
| accept_swtp_gw | Management | Any | tcp, source port 9282, destination port 9281 | Accept | Created when a Sofaware device (Edge) is configured via Management |
| drop_blocklist_traffic | Malicious IPs | Any | Any | Drop | 1. IPS blade enabled; 2. Malicious IPs protection enabled |
| accept_vpn_ca_enrolment | Management | CA servers | CA servers ports | Accept | VPN blade enabled |
| accept_av_signature_update | Gateway Management | Any | http, https | Accept | Anti-Virus blade enabled |
| accept_integrity_server_ports | Integrity servers | Gateway | tcp port 5054 | Accept | Endpoint Security blade enabled |
| accept_dlpgws_smtp_traffic_from_internal | Internal Mail server | Gateway | tcp, destination port 25 | Accept | 1. Dedicated DLP Gateway; 2. "Reply by" enabled from internal interface |
| accept_dlpgws_usercheck_traffic_from_internal | Internal interface | Gateway | tcp, destination port 18300 | Accept | 1. Dedicated DLP Gateway; 2. "Reply by" enabled from internal interface |
| accept_dlpgws_smtp_traffic_from_any | Mail server | Gateway | tcp, destination port 25 | Accept | 1. Dedicated DLP Gateway; 2. "Reply by" enabled from internal interface |
| accept_dlpgws_usercheck_traffic_from_any | Any | Gateway | tcp, destination port 18300 | Accept | 1. Dedicated DLP Gateway; 2. "Reply by" enabled from internal interface |
| accept_dlpgws_exchange_agents_clear_traffic | DLP Exchange agent | Gateway | tcp, destination port 18301 or 18181 or 18187 | Accept | DLP Exchange Agent enabled on this Gateway |
| accept_dlpgws_exchange_agents_ica | DLP Exchange agent | Gateway | tcp, destination port 18210 | Accept | DLP Exchange Agent enabled on this Gateway |
| accept_dedicated_dlpgws_exchange_clear_traffic | DLP Exchange agent | Gateway | tcp, destination port 18301 or 18181 or 18187 | Accept | 1. Dedicated DLP Gateway; 2. DLP Exchange Agent enabled on this Gateway |
| accept_dedicated_dlpgws_smtp_traffic | Mail server | Gateway | tcp, destination port 25 | Accept | 1. DLP blade enabled; 2. "Reply by" enabled |
| accept_dlpgws_traffic | Any | Gateway | tcp, destination port 18300 or 443 or 80 or 4434 or 22; ICMP requests | Accept | Dedicated DLP Gateway |
| accept_dlpgws_dedicated_traffic_ica | Any | Gateway | tcp, destination port 18210 | Accept | Dedicated DLP Gateway |
| drop_other_traffic_to_dlpgws | Any | Gateway | Any | Drop | Dedicated DLP Gateway |
| nac_implied_pep_services | PEP Gateways | Any | tcp, destination port 15105 | Accept | IDA enabled |
| nac_implied_pdp_services | PDP Gateways | Any | tcp, destination port 28581 | Accept | IDA enabled |
| nac_implied_captive_allow | Any | Portal IPs | http, https | Accept | 1. IDA enabled; 2. Captive Portal enabled |
| nac_implied_radius_clients_services | RADIUS authorized clients | Gateway | UDP (RADIUS accounting port) | Accept | 1. IDA enabled; 2. RADIUS Accounting enabled |
| client_auth_portal_allow | Internal | Gateway | Client Authentication service | Accept | Client Authentication used |
| accept_os_cluster_sync | Cluster Members | Cluster Members | TCP port 1129 | Accept | ClusterXL Gateway |
| nac_implied_clean_radius_clients_services | Any | Gateway | UDP (RADIUS accounting port) | Accept | 1. IDA enabled; 2. RADIUS Accounting enabled |
| accept_mail_connections_to_gw | Any | Gateway | smtp | Accept | MTA is enabled (under the Gateway object, Mail Transfer Agent section) |
| accept_remote_smartlog | Log servers, Management | Management, Log servers | tcp port 8211 | Accept | Enabled by default |
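The following is an added example, not Check Point's code: it models five rows of the table above so that a defender can reproduce the second symptom, a connection accepted or dropped by a 'First' implied rule that the GUI never shows. The feature labels passed as `enabled` (anti_virus, vpn, remote_access, dedicated_dlp, ida) and the object-role sets are this example's own constructed names for the blade conditions in the table.

```python
# Added example (not Check Point's code): models a subset of the hidden
# implied rules from the table above so a defender can see which of them a
# gateway actually generates and which one a given flow hits first.
from dataclasses import dataclass

@dataclass(frozen=True)
class ImpliedRule:
    name: str
    src: str               # object role from the table; "Any" matches all
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dports: frozenset      # destination ports; empty set means any port
    action: str
    requires: frozenset    # constructed feature labels; all must be enabled

# Five rows transcribed from the table, in table order (they are all
# 'First' implied rules, so order decides which one a flow matches).
HIDDEN_RULES = (
    ImpliedRule("accept_av_http", "Internal", "Gateway", "tcp",
                frozenset({12873}), "Accept", frozenset({"anti_virus"})),
    ImpliedRule("accept_scv_status", "Remote Access Clients", "Any", "udp",
                frozenset({18233}), "Accept", frozenset({"vpn", "remote_access"})),
    ImpliedRule("accept_dlpgws_traffic", "Any", "Gateway", "tcp",
                frozenset({18300, 443, 80, 4434, 22}), "Accept",
                frozenset({"dedicated_dlp"})),
    ImpliedRule("drop_other_traffic_to_dlpgws", "Any", "Gateway", "any",
                frozenset(), "Drop", frozenset({"dedicated_dlp"})),
    ImpliedRule("nac_implied_pep_services", "PEP Gateways", "Any", "tcp",
                frozenset({15105}), "Accept", frozenset({"ida"})),
)

def generated_rules(enabled):
    """Rules this gateway generates, given the set of enabled feature labels."""
    return [r for r in HIDDEN_RULES if r.requires <= frozenset(enabled)]

def first_match(enabled, src_roles, dst_roles, proto, dport):
    """First generated rule matching a flow, or None if no hidden rule applies.
    src_roles/dst_roles: the object roles each endpoint belongs to."""
    for r in generated_rules(enabled):
        if r.src != "Any" and r.src not in src_roles:
            continue
        if r.dst != "Any" and r.dst not in dst_roles:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r
    return None
```

On a dedicated DLP gateway, `first_match({"dedicated_dlp"}, set(), {"Gateway"}, "tcp", 443)` returns accept_dlpgws_traffic while the same call with port 8080 returns drop_other_traffic_to_dlpgws, which is exactly the kind of match that does not appear in the Implied Rules view.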
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
