https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186532#M31159 <P>Yes we have different approaches to many things not least of which is our fundamental ethos.</P> <P>Zones can be defined as part of the interface topology in all current software releases of GAiA and subsequently referenced in the security policy rules src/dst but this wasn't always the case. They are often used in parent rules for layers.</P> <P>Refer also:</P> <P><A href="https://support.checkpoint.com/results/sk/sk128572" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk128572</A></P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Security-Zones.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Security-Zones.htm</A></P> <P><A href="https://community.checkpoint.com/t5/General-Topics/White-Paper-Security-Zones/td-p/53415#M10641" target="_blank" rel="noopener">https://community.checkpoint.com/t5/General-Topics/White-Paper-Security-Zones/td-p/53415#M10641</A></P> Sun, 16 Jul 2023 03:56:32 GMT Chris_Atkinson 2023-07-16T03:56:32Z https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186528#M31156 <P>Hello, world.</P> <P>This question, maybe it is very "silly", but I want to understand more about the operation of the Checkpoint Firewall.</P> <P>My doubt is based on the security rules that are created in the SmartConsole.</P> <P>For example, an administrator defines a security rule:</P> <P>&nbsp;</P> <P>Source: 192.168.50.64</P> <P>Destination: 172.17.20.30</P> <P>HTTP Service</P> <P>Action: Allow(Accept)</P> <P>&nbsp;</P> <P>In other manufacturers such as Fortinet, Palo Alto (to name a few brands), in their rules, they usually "call" either the interface or zone, where the traffic arrives and leaves, but in Checkpoint this is not usually common (at least in my experience, I mean, when working security policies based on zones).</P> <P>So, when an administrator defines a rule, as I put it above, like Checkpoint, he "identifies" the origin where the packet will enter and where it will be taken out????</P> <P>Is there a flow to understand this?</P> <P>I hope you can understand my doubt, and help to clarify it.</P> <P>Thank you.</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 15 Jul 2023 23:23:11 GMT https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186528#M31156 Matlu 2023-07-15T23:23:11Z https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186532#M31159 <P>Yes we have different approaches to many things not least of which is our fundamental ethos.</P> <P>Zones can be defined as part of the interface topology in all current software releases of GAiA and subsequently referenced in the security policy rules src/dst but this wasn't always the case. They are often used in parent rules for layers.</P> <P>Refer also:</P> <P><A href="https://support.checkpoint.com/results/sk/sk128572" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk128572</A></P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Security-Zones.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Security-Zones.htm</A></P> <P><A href="https://community.checkpoint.com/t5/General-Topics/White-Paper-Security-Zones/td-p/53415#M10641" target="_blank" rel="noopener">https://community.checkpoint.com/t5/General-Topics/White-Paper-Security-Zones/td-p/53415#M10641</A></P> Sun, 16 Jul 2023 03:56:32 GMT https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186532#M31159 Chris_Atkinson 2023-07-16T03:56:32Z https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186545#M31160 <P>Hey bro,</P> <P>I think what you defined specifically applies to PAN and Fortinet, for sure. They have an easy way to define zones, unlike CP. But, regardless of that, layers in CP starting R80 give you an amazing option for policy hardening, compared to R77 and before.</P> <P>Links&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;sent are good reference.</P> <P>Andy</P> Sun, 16 Jul 2023 23:36:32 GMT https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186545#M31160 the_rock 2023-07-16T23:36:32Z https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186546#M31161 <P>To add to my last response, I guess you could technically compare say if you have inline layer on CP with internal zone (tied to internal interface) to something like internal to WAN section on Fortigate firewall. Maybe not the best comparison, but somewhat similar. On FGT firewalls, once you create a rule from, just as an example, ssl vpn interface to say internal, that would represent what vpn clients can access when they connect in. That could, I guess, compare to say inline layer on CP firewall.</P> <P>Makes sense?</P> <P>Andy</P> Sun, 16 Jul 2023 23:41:22 GMT https://community.checkpoint.com/t5/General-Topics/Criteria-in-the-security-rules/m-p/186546#M31161 the_rock 2023-07-16T23:41:22Z