https://community.checkpoint.com/t5/General-Topics/Stealth-Rule/m-p/13311#M2227 <HTML><HEAD></HEAD><BODY><P>Correct, typically prior to the Stealth Rule you'll have rules such as:</P><P></P><P>1) Admin. Access - SSH/HTTPS/4434 to the firewall from trusted internal hosts/subnets</P><P>2) Ping/Traceroute - Can internal hosts ping the firewall itself, and will the firewall hop show up in traceroute path or "star out"</P><P>3) SNMP Monitoring traffic from an NMS to the firewall itself</P><P>4) dhcp-request/dhcp-reply/DHCP relay services if needed</P><P>5) Allow for Dynamic Routing Protocols &amp; VRRP if firewall is configured for those</P><P></P><P>There are some other corner cases (Legacy Client Auth, old versions of SecuRemote and such), but generally these are the only rules you should have in front of the Stealth rule.</P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A href="http://maxpowerfirewalls.com" target="_blank">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Thu, 23 Nov 2017 14:36:08 GMT Timothy_Hall 2017-11-23T14:36:08Z https://community.checkpoint.com/t5/General-Topics/Stealth-Rule/m-p/13310#M2226 <HTML><HEAD></HEAD><BODY><P>Checkmates,</P><P></P><P>May be this question is bit stupid, But i want to know if stealth rule implemented like this we don't have access to firewalls (like ssh) right ?</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/61057_pastedImage_1.png" style="width: auto; height: auto;" /></P><P>BR</P></BODY></HTML> Thu, 23 Nov 2017 06:45:05 GMT https://community.checkpoint.com/t5/General-Topics/Stealth-Rule/m-p/13310#M2226 Prashan_Attanay 2017-11-23T06:45:05Z https://community.checkpoint.com/t5/General-Topics/Stealth-Rule/m-p/13311#M2227 <HTML><HEAD></HEAD><BODY><P>Correct, typically prior to the Stealth Rule you'll have rules such as:</P><P></P><P>1) Admin. Access - SSH/HTTPS/4434 to the firewall from trusted internal hosts/subnets</P><P>2) Ping/Traceroute - Can internal hosts ping the firewall itself, and will the firewall hop show up in traceroute path or "star out"</P><P>3) SNMP Monitoring traffic from an NMS to the firewall itself</P><P>4) dhcp-request/dhcp-reply/DHCP relay services if needed</P><P>5) Allow for Dynamic Routing Protocols &amp; VRRP if firewall is configured for those</P><P></P><P>There are some other corner cases (Legacy Client Auth, old versions of SecuRemote and such), but generally these are the only rules you should have in front of the Stealth rule.</P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A href="http://maxpowerfirewalls.com" target="_blank">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Thu, 23 Nov 2017 14:36:08 GMT https://community.checkpoint.com/t5/General-Topics/Stealth-Rule/m-p/13311#M2227 Timothy_Hall 2017-11-23T14:36:08Z