RemoteUser
Advisor

Question about optimizing policies

Hi Mates,
What is the best way to optimize security policies, especially in a datacenter environment? (Large policy-package)
Are there any best practices that should be followed?
If I have a rule with “Any” as the protocol, what is the best way to analyze and optimize it?
Are there any tools integrated with Check Point that can help?

Thanks 

0 Kudos
3 Solutions

Accepted Solutions
Vincent_Bacher
MVP Silver

Some thoughts knowing that in huge policy packages it could be extremely hard work:

General / Structure

  • Move most-used rules (high hit count) to the top
  • Place specific rules before general ones
  • Broad rules (Any / large networks) towards the bottom
  • Use clear sections / inline layers for readability
Analysis & Maintenance

  • Zero-hit rules:
    • verify (shadowed vs. obsolete)
    • remove or disable
  • Merge duplicate or overlapping rules
  • Maintain comments (rule purpose / business context)

Performance & Logging

  • High-hit allow rules: consider Track = None if logging not absolutely necessary 
  • Log selectively, not everywhere
Tips to get rid of “Any” rules

  • Temporarily enable logging on the Any rule
  • Analyze in SmartLog / SmartEvent:
    • which ports
    • which applications
  • Split the rule:
    • explicit services (e.g. TCP 443, 22)
    • or Application Control instead of ports
  • Use Policy Optimizer for automatic suggestions (Tufin, AlgoSec or similar)
  • Monitor after changes, then remove the Any rule
and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

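As an added illustration of the zero-hit and "Any"-rule steps above (my own example, not Vincent's code and not a Check Point tool), a small Python model that classifies zero-hit rules as shadowed or obsolete and turns constructed SmartLog records from the Any rule into an explicit service list. The flat src/dst/svc matching, the field names and the 1% threshold are assumptions; a real policy needs group and subnet expansion.

```python
from collections import Counter

# Constructed sample policy, top to bottom, with hit counts as the management
# server would report them (rule numbers, objects and counts are all made up).
RULES = [
    {"no": 1, "src": "dmz-web", "dst": "db-srv", "svc": "tcp/3306", "hits": 12000},
    {"no": 2, "src": "any",     "dst": "db-srv", "svc": "any",      "hits": 900},
    {"no": 3, "src": "lan",     "dst": "db-srv", "svc": "tcp/3306", "hits": 0},
    {"no": 4, "src": "lan",     "dst": "legacy", "svc": "tcp/23",   "hits": 0},
]

# Constructed records exported from SmartLog while logging was temporarily
# enabled on rule 2, the "Any" rule; only the fields the analysis needs.
ANY_RULE_LOGS = (
    [{"rule": 2, "proto": "tcp", "dport": 3306}] * 850
    + [{"rule": 2, "proto": "tcp", "dport": 22}] * 45
    + [{"rule": 2, "proto": "udp", "dport": 514}] * 4
    + [{"rule": 2, "proto": "tcp", "dport": 8080}] * 1
)

def _covers(rule_value, value):
    """A rule field covers a value when it is 'any' or equal to it (flat object model)."""
    return rule_value == "any" or rule_value == value

def shadowed_by(rules, idx):
    """Number of the first earlier rule that fully covers rule idx, else None."""
    target = rules[idx]
    for earlier in rules[:idx]:
        if all(_covers(earlier[f], target[f]) for f in ("src", "dst", "svc")):
            return earlier["no"]
    return None

def classify_zero_hit(rules):
    """Zero-hit rules are either shadowed (fix ordering) or obsolete (remove/disable)."""
    verdict = {}
    for i, r in enumerate(rules):
        if r["hits"] == 0:
            s = shadowed_by(rules, i)
            verdict[r["no"]] = f"shadowed by rule {s}" if s else "obsolete candidate"
    return verdict

def suggest_services(logs, rule_no, min_share=0.01):
    """Turn what really traversed the Any rule into explicit services; rare ones
    go to a review list instead of being silently dropped."""
    counts = Counter(f"{l['proto']}/{l['dport']}" for l in logs if l["rule"] == rule_no)
    total = sum(counts.values()) or 1  # avoid division by zero on an empty export
    keep = [s for s, n in counts.most_common() if n / total >= min_share]
    review = [s for s, n in counts.most_common() if n / total < min_share]
    return {"explicit": keep, "review": review, "total": sum(counts.values())}
```

Rule 3 comes out as shadowed by the Any rule (reorder before removing), rule 4 as an obsolete candidate, and the Any rule's traffic reduces to tcp/3306 and tcp/22 with two rare services left for a human to review.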

PhoneBoy
Admin

We have something called Policy Insights that can help with this.
It is a paid feature available in our AI Management bundles (appropriate SKUs are here https://www.checkpoint.com/resources/items/solution-brief-ai-powered-security-management-for-the-hyp... ).


the_rock
MVP Diamond

Personally bro, but this is just me, I always create inline layers where needed and use ordered layers as well. Make sure to disable any unused rules (or delete them if 100% sure no hits). Hope my post below helps.

https://community.checkpoint.com/t5/General-Topics/Lab-setup-video/m-p/268062

Happy to show you all this in SmartConsole as well, though the video explains it pretty well (I would say). I also attached a simple Word doc about it.

Best,
Andy


0 Kudos
