Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Ivory

The Best Strategy to **bleep** Rules

Hello, a CheckPoint firewall (virtual platform) was recently acquired by the organization, before it did not exist in the production network that you want to isolate, more than 400,000 rules to load were detected from the analyzes.
Given the number of rules.

what is the best strategy to populate the firewall with the rules?
Is there a way to learn the firewall so that it automatically loads the rule?
Can a massive load be done through a TXT or CVS?

After this massive load, tools will be used to create groups of rules and improve administration, but in this initial phase, given the ignorance of all the services that are trafficked, it is necessary to generate the pure rule: Origin - Destination - Port

0 Kudos
5 Replies
Highlighted
Admin
Admin

How did you come with that insane number of 400K rules, may I ask?

0 Kudos
Highlighted
Ivory

There are 5,000 production servers, then I made an on-the-fly calculation of 30-50 rules per server, then for the number of ports.
The exercise is abysmal and I just tried to describe the situation in a chaotic way, but the reality is similar.
You help me to find the best strategy to load a CheckPoint Firewall from scratch, assuming that nobody really knows what services or groups may exist.
In short, what is intended is:
1.- Somehow load the raw traffic, that is, without analysis, maintaining the ANY rule, so as not to affect the current services
2.- Once loaded, see the patterns that allow them to be grouped under concepts such as services or others
3.- After having an order that allows the administration of the firewall more conceptually, we proceed to monitor the ANY rule to add the GAP
4. Delete any rule, and may God have mercy on us;)

What do you think, what could be a better way to achieve loading so much rule. It will be better to script the creation of objects and then the creation of the rule, in order to reduce the times if only the graphical console is used.

I do not speak English, but I have tried to make myself understood with what you have

0 Kudos
Highlighted
Admin
Admin

Basically, you can group both servers and services within Check Point policy rules, there is not need to have multiple rules per server, this is not a Cisco access list 🙂

400K seems way too much. With R80.x management APIs, you can automate both object and rules creation, though. 

0 Kudos
Highlighted
Ivory

Thanks Val_Loukine for your answers, if it looks too much, maybe the strategy to implement is not the right one. The current problem is that the competent areas of the services do not give much information. So I said, why I do not carry everything that crosses, so I meet the deadline and then the competent areas must tell me what is going and what is not going.
I also thought, the Firewall would be smart enough and for each traffic there could be a way to load the rule alone (magic is a lot to ask Ja, Ja ja)

You have named an administration api, I think that could help a lot since the loading of rules will be a delight. Do you have an example or where can I investigate about it?

0 Kudos
Highlighted
Admin
Admin

0 Kudos