Hey all, we have a Smart-1 appliance/2 SG 6000 appliances clustered.
Our system has been updated at least twice from older hardware with existing rules.
Looking over a few rules, I'd like to clean our rules up to what is necessary to unify sec/app layer.
Are there any articles for what is needed for the management and security gateways on R81.10?
For example, I'm looking at deleting a rule 2 for our SMS/SGs (Source) -> Internal DNS Servers (Destination) / udp & tcp 53 -> Accept.
Logs for that rule look like this. Rule 0 under a different layer is saying it's Implied.
I've disabled Rule 2, but now I'm wondering if I move to a unified layer and delete the Application layer, will DNS stop working? If a log lists a rule 0 - Implied Rule, would that be safe to determine we do not need a rule (after verifying logs are not hitting any other rules, of course)?
Another log example. Would this be safe to determine to delete if it is implied? I'm not seeing a difference between my Security/App layer Implied Rules. (I'm not sure if they're the same or not?)
If you have any Policy cleanup tips that would be great too. I have rules that are too permissive that I'd like to clean up to have our network more secure.
Thanks!!
All of the Implied Rules should be shown here.
See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
DNS has implied rules.
NTP is not covered under Implied Rules (at least the ones shown here).
However, if traffic were purely being accepted based on these implied rules, it would be accepted that way for both layers.
Which means...this "Implied Rule" is probably something different.
I'm assuming your Application layer only has App Control/URL Filtering active and not Firewall?
That might be the reason for the implied rule as DNS and NTP are handled in the Firewall, not App Control.
Below post should be helpful:
Now, you can't disable any implied rules from GUI (as you should NOT anyway), but you can modify based on below (if need be).
As far as rules cleanup, I would look for disabled/0 hits rules and take care of those.
Cheers,
Andy
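The two checks discussed above (Andy's tip of hunting for disabled or zero-hit rules, and the original poster's question of confirming that a flow only ever shows up under rule 0 / Implied Rule before retiring an explicit rule for it) can be done offline against an exported rulebase and a log extract. The script below is an added example, not code from Check Point or from anyone in this thread. The rulebase and log records are constructed sample data; their field names (`rule-number`, `enabled`, `hits.value`, `rule`, `rule_name`, `layer`, `src`, `dst`, `service`) are assumptions modeled loosely on the management API `show-access-rulebase` reply and the SmartConsole log columns, not verified exports.

```python
"""Offline policy-cleanup review: zero-hit/disabled rules and implied-only flows.

Added example for the CheckMates thread above; not Check Point code.
All data below is constructed; the field names are assumptions.
"""
from collections import defaultdict

# Constructed rulebase. Shape assumed to resemble a `show-access-rulebase`
# reply with hit counts (rule-number, name, enabled, hits.value).
RULEBASE = [
    {"rule-number": 1, "name": "Mgmt to gateways", "enabled": True, "hits": {"value": 1520}},
    {"rule-number": 2, "name": "SMS/SGs to internal DNS", "enabled": False, "hits": {"value": 0}},
    {"rule-number": 3, "name": "Gateways to CP updates", "enabled": True, "hits": {"value": 0}},
    {"rule-number": 4, "name": "Any to Internet", "enabled": True, "hits": {"value": 98000}},
]

# Constructed log records. Rule 0 / "Implied Rule" is how an accept by the
# implied rules appears in the logs, as described in the thread.
LOGS = [
    {"rule": 0, "rule_name": "Implied Rule", "layer": "Network",
     "src": "10.0.0.5", "dst": "10.0.1.53", "service": "domain-udp"},
    {"rule": 0, "rule_name": "Implied Rule", "layer": "Network",
     "src": "10.0.0.6", "dst": "10.0.1.53", "service": "domain-udp"},
    {"rule": 0, "rule_name": "Implied Rule", "layer": "Network",
     "src": "10.0.0.5", "dst": "10.0.1.53", "service": "domain-tcp"},
    {"rule": 1, "rule_name": "Mgmt to gateways", "layer": "Network",
     "src": "10.0.0.5", "dst": "10.0.0.10", "service": "CPD"},
    # Same flow seen under both the implied rule and an explicit rule:
    {"rule": 0, "rule_name": "Implied Rule", "layer": "Network",
     "src": "10.0.0.7", "dst": "10.0.1.53", "service": "domain-udp"},
    {"rule": 4, "rule_name": "Any to Internet", "layer": "Network",
     "src": "10.0.0.7", "dst": "10.0.1.53", "service": "domain-udp"},
]


def cleanup_candidates(rulebase):
    """Rules that are disabled or have never been hit: first candidates to review."""
    return [r for r in rulebase if not r["enabled"] or r["hits"]["value"] == 0]


def flows_by_rule(logs):
    """Group each (src, dst, service) flow by the set of rules it was logged under."""
    flows = defaultdict(set)
    for rec in logs:
        flows[(rec["src"], rec["dst"], rec["service"])].add((rec["rule"], rec["rule_name"]))
    return flows


def implied_only_flows(logs):
    """Flows accepted only by rule 0 (Implied Rule) and never by an explicit rule.

    An explicit rule whose traffic falls entirely in this set is redundant
    with the implied rules, as long as the implied rules stay enabled.
    """
    return sorted(flow for flow, rules in flows_by_rule(logs).items()
                  if all(num == 0 for num, _ in rules))


def flows_with_explicit_hits(logs):
    """Flows that hit at least one explicit rule; do not retire rules for these
    on the strength of an Implied Rule log line alone."""
    return sorted(flow for flow, rules in flows_by_rule(logs).items()
                  if any(num != 0 for num, _ in rules))


if __name__ == "__main__":
    for r in cleanup_candidates(RULEBASE):
        print(f"review rule {r['rule-number']} ({r['name']}): "
              f"enabled={r['enabled']} hits={r['hits']['value']}")
    print("implied-only flows:", implied_only_flows(LOGS))
    print("flows with explicit hits:", flows_with_explicit_hits(LOGS))
```

Run it against a real export by replacing the two constructed lists with the parsed API reply and log extract; the grouping by flow is what answers the "is any other rule catching this traffic?" question before a rule is deleted rather than just disabled.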
Thanks Andy. That thread was helpful.
Do you know if there is a Gateway & SMS -to-> External requirements KB, like NTP/DNS/Check Point Updates?
Can't seem to find the article.
Not sure if below is what you need, but this is the only one I know of. Now, this is ONLY needed if you disable the option in global properties as indicated. I personally never in 15 years dealing with CP met or talked to anyone who did this, but, in all fairness, with much better handling of updatable objects, I guess it might not be so unusual to see customers do it nowadays.
Thanks for this. I wonder if at one point we did have that unchecked, and whoever administrated the FW at the time created explicit rules for updates.
Most likely, you must have, because I'm 99.99% sure the only time anyone would have explicit rules for updates in the policy would have been if that option in global properties was off.
Andy
Unless there is a serious security based argument, I would advise you to keep the default implied rules.
Hi Val,
I'm not interested in modifying the implied rules. I'm trying to understand them since we have rules created that seem like they are already covered under the Implied Rules. Duplicate rules?
Like if we have a rule for CheckPoint updates to 'x' destination. Is that necessary if I see logs below that rule that it is implied?
Hope I am explaining that right.
Thanks!
Thanks PhoneBoy. I'll go over that article as well.
You are correct! That makes sense to me, I THINK.
--
I'm assuming it is required to have the Security layer enabled with Application & URL Filtering in order to achieve a unified policy?
In a Unified Policy, you'd have a single layer with the relevant blades enabled (Firewall and App Control in this case).