Date published: 2021-10-12

Synapsa Firewall Auditor - Checkpoint documentation

1 Source or Destination address

1.1 Synapsa rules

Looking for     | Value           | Description
exact.ip        | 192.168.1.50    | Matching an object that is exactly this IP address (*)
exact.net       | 192.168.1.0/24  | Matching an object that is exactly this network (*)
within.net      | 192.168.1.0/24  | Matching any IP address or subnet contained in this network (*)
any-ip-address  | ---             | Matching if SRC/DST consists of IP addresses or networks, but is not the keyword "any"
any             | ---             | Matching only if SRC/DST is the keyword "any"
anything        | ---             | Always matching

1.2 Matching examples

Looking for     | Example 1                  | Example 2
exact.ip        | 192.168.1.50               | 192.168.1.50, 10.12.50.2
exact.net       | 192.168.1.0/24             | 192.168.1.0/24, 10.12.50.2
within.net      | 192.168.1.20               | 192.168.1.64/26, 10.1.1.12
any-ip-address  | 10.12.50.12, 172.16.20.20  | 10.12.50.0/27, 172.16.20.20
any             | any                        | ---
anything        | *                          | *

1.3 Not matching

Looking for     | Example 1                    | Example 2
exact.ip        | 192.168.1.20                 | 10.10.2.30
exact.net       | 192.168.1.0/25               | 10.10.2.30
within.net      | 192.168.2.50                 | 10.15.2.30
any-ip-address  | any                          | ---
any             | 10.12.50.0/27, 172.16.2.20   | 10.0.0.0/8
anything        | ---                          | ---

2 Service

2.1 Synapsa rules

Looking for          | Value      | Description
tcp.port             | 443        | Matching exactly TCP port 443 (*)
tcp.range            | 500-600    | Matching exactly the TCP range 500-600, both ends inclusive (*)
tcp.port-range_geq   | 100        | Matching when a TCP port range spans 100 or more ports
udp.port             | 53         | Matching exactly UDP port 53 (*)
udp.range            | 4500-6500  | Matching exactly the UDP range 4500-6500, both ends inclusive (*)
udp.port-range_geq   | 100        | Matching when a UDP port range spans 100 or more ports
port                 | 5060       | Matching exactly TCP or UDP port 5060 (*)
port-range           | 5000-6500  | Matching exactly the TCP or UDP range 5000-6500, both ends inclusive (*)
port-range_geq       | 100        | Matching when a TCP or UDP port range spans 100 or more ports
any-services         | ---        | Matching any configured service, but not the keyword "any"
any                  | ---        | Matching only the keyword "any"
anything             | ---        | Always matching

2.2 Matching examples

Looking for          | Example 1                        | Example 2
tcp.port             | tcp/443                          | tcp/443, udp/500
tcp.range            | tcp/500-600                      | tcp/500-600, udp/500
tcp.port-range_geq   | tcp/500-600                      | tcp/300-1000
udp.port             | udp/53                           | tcp/500-600, udp/53
udp.range            | udp/4500-6500                    | udp/4500-6500, udp/53
udp.port-range_geq   | udp/700-900                      | udp/20-200
port                 | tcp/5060, tcp/5070               | udp/5060, tcp/21
port-range           | udp/5000-6500                    | udp/5000-6500, tcp/700-960
port-range_geq       | tcp/100-200                      | udp/100-200
any-services         | tcp/123, tcp/443, udp/100-200    | tcp/123, tcp/443
any                  | any                              | ---
anything             | *                                | *

2.3 Not matching

Looking for          | Example 1                | Example 2
tcp.port             | tcp/400-500              | tcp/22, udp/500
tcp.range            | tcp/501-600, udp/500     | tcp/501-600
tcp.port-range_geq   | tcp/50-100               | udp/100-1500
udp.port             | udp/500                  | any
udp.range            | udp/4500-6499            | udp/4500-6499, tcp/21
udp.port-range_geq   | tcp/20-120               | udp/40-90
port                 | tcp/21                   | tcp/5070
port-range           | udp/5002-5010            | udp/5001-6500
port-range_geq       | tcp/400-450              | tcp/400-450
any-services         | any                      | ---
any                  | tcp/123, udp/100-200     | tcp/443
anything             | ---                      | ---
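The two tables above (section 1 for addresses, section 2 for services) define the matching semantics but do not show how they compose into an audit query. The following is an added example written for this page, not Synapsa's own engine: it implements the address and service criteria as plain functions and runs them over a constructed rulebase. It assumes each rule column is a list of strings in the form the tables use ("any", "192.168.1.0/24", "tcp/443", "udp/500-600"), that the `*.range_geq` criteria count the number of ports a range spans, and that the `RULES` data and the `audit` helper are illustrative.

```python
import ipaddress


def _net(obj):
    # A bare host such as "10.1.1.12" becomes a /32 (or /128) network;
    # strict=False tolerates host bits left set in a prefix.
    return ipaddress.ip_network(obj, strict=False)


def match_address(criterion, value, field):
    """Evaluate a SRC/DST criterion against a rule's address column.

    `field` is the list of objects in the column; the keyword "any" is the
    literal string "any". Criteria marked (*) match if at least one object
    in the column matches.
    """
    if criterion == "anything":
        return True
    if criterion == "any":
        return field == ["any"]
    if criterion == "any-ip-address":
        return bool(field) and "any" not in field
    target = _net(value)
    for obj in field:
        if obj == "any":
            continue
        net = _net(obj)
        if net.version != target.version:   # never compare IPv4 with IPv6
            continue
        if criterion == "exact.ip":
            if net.prefixlen == net.max_prefixlen and net == target:
                return True
        elif criterion == "exact.net":
            if net == target:
                return True
        elif criterion == "within.net":
            if net.subnet_of(target):
                return True
        else:
            raise ValueError("unknown address criterion: %s" % criterion)
    return False


def _parse_service(obj):
    """'tcp/443' -> ('tcp', 443, 443); 'udp/500-600' -> ('udp', 500, 600).
    Non TCP/UDP objects ("any", icmp, group names) yield None and are skipped."""
    proto, sep, ports = obj.lower().partition("/")
    if proto not in ("tcp", "udp") or not ports:
        return None
    lo, sep, hi = ports.partition("-")
    return proto, int(lo), int(hi or lo)


def match_service(criterion, value, field):
    """Evaluate a service criterion against a rule's service column."""
    if criterion == "anything":
        return True
    if criterion == "any":
        return field == ["any"]
    if criterion == "any-services":
        return bool(field) and "any" not in field
    proto, sep, kind = criterion.partition(".")   # "tcp.port" -> tcp, port
    if not sep:                                    # "port-range_geq": no protocol
        proto, kind = None, criterion
    if kind in ("port", "range", "port-range"):
        lo, sep, hi = value.partition("-")
        want = (int(lo), int(hi or lo))            # a single port is the range lo-lo
    elif kind == "port-range_geq":
        min_width = int(value)                     # assumption: ports spanned by the range
    else:
        raise ValueError("unknown service criterion: %s" % criterion)
    for obj in field:
        parsed = _parse_service(obj)
        if parsed is None:
            continue
        p, lo, hi = parsed
        if proto and p != proto:
            continue
        if kind == "port-range_geq":
            if hi - lo + 1 >= min_width:
                return True
        elif (lo, hi) == want:
            return True
    return False


# Constructed sample rulebase (not real data); each column holds the objects
# as they would appear in the Check Point rule.
RULES = [
    {"name": "web-in", "src": ["any"], "dst": ["10.12.50.2"],
     "svc": ["tcp/443"], "action": "Allow"},
    {"name": "voip", "src": ["192.168.1.0/24"], "dst": ["10.12.50.0/27"],
     "svc": ["udp/5000-6500", "tcp/5060"], "action": "Allow"},
    {"name": "lab-wide", "src": ["192.168.1.64/26"], "dst": ["any"],
     "svc": ["tcp/1024-65535"], "action": "Allow"},
    {"name": "cleanup", "src": ["any"], "dst": ["any"],
     "svc": ["any"], "action": "Drop"},
]


def audit(rules, src=None, dst=None, svc=None, action=None):
    """Return names of rules matching every supplied (criterion, value) pair;
    a column left as None behaves like the `anything` criterion."""
    hits = []
    for rule in rules:
        if src and not match_address(src[0], src[1], rule["src"]):
            continue
        if dst and not match_address(dst[0], dst[1], rule["dst"]):
            continue
        if svc and not match_service(svc[0], svc[1], rule["svc"]):
            continue
        if action and action != "Any" and rule["action"] != action:
            continue
        hits.append(rule["name"])
    return hits
```

`audit(RULES, svc=("port-range_geq", "100"), action="Allow")` returns `["voip", "lab-wide"]`, the allowed rules whose service spans 100 or more ports; `audit(RULES, src=("any", None), svc=("any-services", None))` returns `["web-in"]`, the rule open from any source to a specific service. Note that `cleanup` never matches `any-services` or the `*.range_geq` criteria, because the keyword "any" is not a configured service.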

3 Action

3.1 Synapsa rules

Looking for   | Value  | Description
Allow         | ---    | Matching Allow
Drop          | ---    | Matching Drop
Any           | ---    | Always matching
Reject        | ---    | Matching Reject
User auth     | ---    | Matching User auth
Client auth   | ---    | Matching Client auth

3.2 Matching examples

Looking for   | Example 1    | Example 2
Allow         | Allow        | ---
Drop          | Drop         | ---
Any           | Allow        | Drop
Reject        | Reject       | ---
User auth     | User auth    | ---
Client auth   | Client auth  | ---

3.3 Not matching

Looking for   | Example 1  | Example 2
Allow         | Drop       | Client auth
Drop          | Allow      | Reject
Any           | ---        | ---
Reject        | Allow      | Drop
User auth     | Drop       | Reject
Client auth   | Reject     | Allow

4 VPN

4.1 Synapsa rules

Looking for           | Value       | Description
Vpn.specific          | S2S_Branch  | Matching when the VPN field is exactly the specified community name
Vpn.all-connection    | Any         | Always matching
Vpn.all-site-to-site  | ---         | Matching any Site-to-Site VPN community

4.2 Matching examples

Looking for           | Example 1                    | Example 2
Vpn.specific          | VPN_Paris (value VPN_Paris)  | VPN_Boston (value VPN_Boston)
Vpn.all-connection    | *                            | *
Vpn.all-site-to-site  | S2S_Branch                   | S2S_Tokyo

4.3 Not matching

Looking for           | Example 1                     | Example 2
Vpn.specific          | VPN_Boston (value VPN_Paris)  | ---
Vpn.all-connection    | ---                           | ---
Vpn.all-site-to-site  | VPN_Paris                     | VPN_Boston

5 Notes

(*) The condition matches if at least one of the objects in the specified field matches the criteria; the remaining objects in that field are ignored.