Check Point Firewall Administration R81.10+ by Vladimir Yakovlev

Author: Vladimir Yakovlev
Language: eng
Format: epub
Publisher: Packt Publishing Limited
Published: 2022-08-05T00:00:00+00:00


Best practices for Access Control rules

Now, with what we have learned in the previous section, let's combine Check Point's own best practices for Access Control rules, as printed in their user guide, with a few additional suggestions:

When a new policy is created, a single explicit cleanup rule is automatically included. Change its Track settings to Log.

On top of the policy, create a rule allowing https and ssh_version_2 access to the gateways and cluster members from the IPs of your Check Point administrators' PCs. This rule, together with the next, the stealth rule, will limit the exposure of your gateways if Gaia's System Management | Host Access | Allowed Hosts contains default settings allowing connectivity from any IP address.

Create the second rule from the top, the stealth rule, and configure it to deny direct access to the gateways from Any source.

Create section titles above these three rules describing their purpose.

Create additional section titles describing the structure of your policy, so that the rest of the rules will be created under the corresponding sections.

Create Firewall/Network rules to explicitly accept safe traffic. If inline layers are used, add an explicit cleanup rule to drop everything else for each such layer.

Create an ordered layer relying on content inspection after the Firewall/Network ordered layer. Alternatively, put rules that examine Access Roles, applications, Data Type, or Mobile Access in an inline layer as part of the Firewall/Network rules. In the parent rule of the inline layer, define the source and destination only.

Share ordered layers and inline layers when practical.

If your environment contains gateways with version R77.X, use a structure with two ordered layers: Firewall/Network in the first and APCL/URLF in the second. The policy applied to R77.X cannot contain a Mobile Access blade or Content Awareness.

In layers relying on content inspection, place rules with objects defined in the Content field closer to the bottom. Rules using File Types objects should be higher than those containing data types.
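As an added example (not from the book or from Check Point's tooling), here is a small Python check over a constructed, simplified model of an ordered layer: it verifies the ordering recommended above, with the administrators' access rule first, the stealth rule second, a logged explicit cleanup rule last, each inline-layer parent defining source and destination only, and an explicit cleanup closing every inline layer. The object names GW-Cluster and CP-Admins, the dict fields and the sample rulebase are constructed placeholders, not the Management API's format.

```python
ANY = "Any"
GATEWAYS = "GW-Cluster"      # constructed object name standing for the gateways/cluster members
ADMIN_PCS = "CP-Admins"      # constructed object name for the administrators' PCs
MGMT_SERVICES = {"https", "ssh_version_2"}

def rule(name, src, dst, svc, action, track="Log", inline=None):
    """One simplified rule; src/dst/svc are sets of object names, inline is a sub-rulebase."""
    return {"name": name, "src": set(src), "dst": set(dst), "svc": set(svc),
            "action": action, "track": track, "inline": inline}

def is_cleanup(r):
    """Explicit cleanup: Any source, destination and service, action Drop."""
    return r["src"] == r["dst"] == r["svc"] == {ANY} and r["action"] == "Drop"

def lint_rulebase(rules, gateways=GATEWAYS, admins=ADMIN_PCS):
    """Return findings for an ordered layer; an empty list means it follows the guidance."""
    if len(rules) < 3:
        return ["layer needs at least three rules: admin access, stealth, cleanup"]
    findings, top, stealth, last = [], rules[0], rules[1], rules[-1]
    # Rule 1: administrators' PCs -> gateways on https and ssh_version_2 only, Accept.
    if not (top["src"] == {admins} and top["dst"] == {gateways}
            and top["svc"] == MGMT_SERVICES and top["action"] == "Accept"):
        findings.append(f"rule 1 '{top['name']}' is not the admin-to-gateway access rule")
    # Rule 2: stealth rule, Any -> gateways, Drop.
    if not (stealth["src"] == {ANY} and stealth["dst"] == {gateways} and stealth["action"] == "Drop"):
        findings.append(f"rule 2 '{stealth['name']}' is not a stealth rule")
    # Last rule: the explicit cleanup rule, with Track changed to Log.
    if not is_cleanup(last):
        findings.append(f"last rule '{last['name']}' is not an explicit cleanup rule")
    elif last["track"] != "Log":
        findings.append(f"cleanup rule '{last['name']}' has Track={last['track']}, expected Log")
    # Inline layers: parent defines source/destination only; layer ends with its own cleanup.
    for r in (r for r in rules if r["inline"] is not None):
        if r["svc"] != {ANY}:
            findings.append(f"parent rule '{r['name']}' should leave Services as Any")
        if not (r["inline"] and is_cleanup(r["inline"][-1])):
            findings.append(f"inline layer under '{r['name']}' lacks a trailing cleanup rule")
    return findings

GOOD_POLICY = [  # constructed sample rulebase that follows the guidance
    rule("Admin access", {ADMIN_PCS}, {GATEWAYS}, MGMT_SERVICES, "Accept"),
    rule("Stealth", {ANY}, {GATEWAYS}, {ANY}, "Drop"),
    rule("Internal to DMZ", {"Internal-Net"}, {"DMZ-Web"}, {ANY}, "Accept",
         inline=[rule("Web apps", {ANY}, {ANY}, {"http", "https"}, "Accept"),
                 rule("Inline cleanup", {ANY}, {ANY}, {ANY}, "Drop")]),
    rule("Cleanup rule", {ANY}, {ANY}, {ANY}, "Drop", track="Log"),
]
```

Running `lint_rulebase(GOOD_POLICY)` returns an empty list; dropping the stealth rule, leaving the cleanup rule's Track at None, or ending an inline layer without a cleanup rule each produces a named finding.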
