topic Re: Required Rules for Gateway and SMS? Implied Rules Question. in General Topics

Required Rules for Gateway and SMS? Implied Rules Question.

r1der — Mon, 21 Nov 2022 18:24:15 GMT

Hey all, we have a Smart-1 appliance/2 SG 6000 appliances clustered.
Our system has been updated at least twice from older hardware with existing rules.

Looking over a few rules, I'd like to clean our rules up to what is necessary to unify sec/app layer.
Are there any articles for what is needed to for the management and security gateways on R81.10?

For example, I'm looking at deleting a rule 2 for our SMS/SGs (Source) -> Internal DNS Servers (Destination) / udp&tcp 53 ->Accept.
Logs for that rule look like this. Rule 0 under a different layer is saying its Implied.

I've disabled Rule 2, but wondering now I'm wondering if I move to a unified layer and delete the Application layer will DNS stop working? If a log exists lists an rule 0 - Implied Rule, would that be safe to determine we do not need a rule (after verifying logs are not hitting any other rules of course).

Another log example. Would this be safe to determine to delete if it is implied? I'm not seeing a difference between my Security/App layer Implied Rules. (I'm not sure if they're the same or not?)

If you have any Policy cleanup tips that would be great too. I have rules that are too permissive that I'd like to clean up to have our network more secure.

Thanks!!

Re: Required Rules for Gateway and SMS? Implied Rules Question.

the_rock — Mon, 21 Nov 2022 19:21:17 GMT

Below post should be helpful:

https://community.checkpoint.com/t5/Cloud-Network-Security/Port-Requirement-Management-Server-and-Gateways/td-p/87059

Now, you cant disable any implied rules from GUI (as you should NOT anyway), but you can modify based on below (if need be)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk43401

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92281&partition=Advanced&product=Quantum

As far as rules cleanup, I would look for disabled/0 hits rules and take care of those.

Cheers,

Andy

Re: Required Rules for Gateway and SMS? Implied Rules Question.

r1der — Tue, 22 Nov 2022 00:05:47 GMT

Thanks Andy. That thread was helpful.

DO you know if there is Gateway & SMS -to-> External requirements like NTP/DNS/CheckPoint Updates KB?
Can't seem to find the article.

Re: Required Rules for Gateway and SMS? Implied Rules Question.

the_rock — Tue, 22 Nov 2022 00:18:41 GMT

Not sure if below is what you need, but this is the only one I know of. Now, this is ONLY needed if you disable option in global properties as indicated. I personally never in 15 years dealing with CP met or talked to anyone who did this, but, in all fairness, with much better handling of updatable objects, I guess it might not be so unusual to see customers do it now days.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106251&srcFavorites=favorites

Re: Required Rules for Gateway and SMS? Implied Rules Question.

_Val_ — Tue, 22 Nov 2022 07:44:50 GMT

Unless there is a serious security based argument, I would advise you to keep the default implied rules.

Re: Required Rules for Gateway and SMS? Implied Rules Question.

r1der — Tue, 22 Nov 2022 23:53:07 GMT

Hi Val,

I'm not interested in modifying the implied rules. I'm trying to understand them since we have rules created that seem like they are already covered under the Implied Rules. Duplicate rules?

Like if we have a rule for CheckPoint updates to 'x' destination. Is that necessary if I see logs below that rule that it is implied?

Hope I am explaining that right.

Thanks!

Re: Required Rules for Gateway and SMS? Implied Rules Question.

r1der — Tue, 22 Nov 2022 23:55:40 GMT

Thanks for this. I wonder if at one point we that did have unchecked, and whoever administrated the FW at the time created explicit rules for updates.

Re: Required Rules for Gateway and SMS? Implied Rules Question.

the_rock — Wed, 23 Nov 2022 00:16:31 GMT

Most likely, you must have, because Im 99.99% sure the only time anyone would have explicit rules for updates in the policy would have been if that option in global properties was off.

Andy

Re: Required Rules for Gateway and SMS? Implied Rules Question.

PhoneBoy — Wed, 23 Nov 2022 00:19:17 GMT

All of the Implied Rules should be shown here.
See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110218&partition=Advanced&product=Quantum

DNS has implied rules.
NTP is not covered under Implied Rules (at least the ones shown here).

However, if traffic were purely being accepted based on these implied rules, it would be accepted that way for both layers.
Which means...this "Implied Rule" is probably something different.
I'm assuming your Application layer only has App Control/URL Filtering active and not Firewall?
That might be the reason for the implied rule as DNS and NTP are handled in the Firewall, not App Control.

Re: Required Rules for Gateway and SMS? Implied Rules Question.

r1der — Wed, 23 Nov 2022 17:25:02 GMT

Thanks PhoneBoy. I'll go over that article as well.

You are correct! That makes sense to me, I THINK.
--
I'm assuming it is required to have the Security layer enabled with Application & URL Filtering in order to achieve a unified policy?

Re: Required Rules for Gateway and SMS? Implied Rules Question.

PhoneBoy — Wed, 23 Nov 2022 19:09:36 GMT

In a Unified Policy, you'd have a single layer with the relevant blades enabled (Firewall and App Control in this case).