MR_K
Participant

Global Management and Stealth Rule

Hi Checkpoint community,
We were wondering if there is a way to create the Management Access and Stealth Rule rules on a global Layer.

Our use-case:
We are using a R80.30 MDS to manage our (mostly R80.20) firewalls, using Global Layer and Domain Layer for Rules. So our rulebase consists of Global Rules, then Domain Rules, then again Global Rules (including the Cleanup-Rule).

We split our quite big corporate network into different zones (using VLANs and IP-Ranges to separate them).
Hosts within the same zone can communicate via Any Port with each other, hosts in different zones can only communicate by a predefined set of allowed directions and Ports.

Due to amount of connections covered by this rulebase, these rules are the ones with the most hits by far. Therefore we would like to have these rules at the beginning of each rulebase => on the Global Layer above the Domain layer.
Since the Firewalls are the Gateways for all DMZ-networks and necessarily have IP addresses in these ranges, this rulebase would allow every host of a zone to reach every Gateway IP-Address ( = Firewall) of the same zone.
As DMZ networks do not count as secure networks, this is a security risk we do not want to face.
Currently we solved this problem by having the Management and Stealth rule on top of each Domain Layer rulebase and the zone-rulebase in the Global Layer below the Domain Layer. Of course this is not ideal for performance.

My question therefore is:
Is it possible, to create a global Management and Stealth Rule above this zone-ruleset?
For example by using some object/trick to
- tell the gateways that they themselves are the destination
- use the Policy Installation Target as destination in these rules
Or by any other possible way?

BR Marcus

2 Replies
PhoneBoy
Admin

Yes using the Dynamic Object called LocalMachine_All_Interfaces.
Dynamic Objects resolve on the local gateway and are updated using the dynamic_objects command on the CLI.
This one in particular is a special one that refers to every interface IP on the local gateway.
Note in pre-R80.10 gateways, Dynamic Objects disable SecureXL templates, which could have a negative performance impact.
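The approach described in the reply above, as an added example that is not part of the original thread or of any Check Point code: it builds the two global rules (Management Access, then Stealth) with LocalMachine_All_Interfaces as destination and pushes them into a global layer through the Check Point Management Web API. The MDS address, the global layer name "Global-Network", the management host group "Mgmt-Hosts" and the credentials are assumptions for illustration; LocalMachine_All_Interfaces and the API calls login, add-access-rule, publish and logout are real. The order check exists because a Stealth rule that lands above the Management Access rule cuts off the gateways from their own admins.

```python
"""Create a global Management Access rule and a Stealth rule whose
destination is the gateway itself (LocalMachine_All_Interfaces), via the
Check Point Management Web API.  Example code, not from the thread.
"""
import json
import ssl
import urllib.request

MDS_URL = "https://mds.example.internal/web_api"  # assumption: MDS API endpoint
GLOBAL_LAYER = "Global-Network"   # assumption: global layer that sits above the domain layers
MGMT_HOSTS = "Mgmt-Hosts"         # assumption: group of admin / management hosts
SELF = "LocalMachine_All_Interfaces"  # real Dynamic Object: every interface IP of the local gateway


def build_rules(layer=GLOBAL_LAYER, mgmt_hosts=MGMT_HOSTS):
    """Return the add-access-rule payloads in the order they must occupy
    in the layer: management access first, stealth directly below it."""
    management = {
        "layer": layer,
        "position": "top",
        "name": "Management Access",
        "source": mgmt_hosts,
        "destination": SELF,
        "service": ["ssh", "https"],   # assumption: only SSH and WebUI are needed
        "action": "Accept",
        "track": {"type": "Log"},
    }
    stealth = {
        "layer": layer,
        "position": {"below": management["name"]},
        "name": "Stealth",
        "source": "Any",
        "destination": SELF,
        "service": "Any",
        "action": "Drop",
        "track": {"type": "Log"},
    }
    return [management, stealth]


def stealth_is_below_management(rules):
    """True when the first Accept-to-self rule precedes the first
    Drop-to-self rule, i.e. the stealth rule does not lock admins out."""
    first_accept = first_drop = None
    for idx, rule in enumerate(rules):
        if rule["destination"] != SELF:
            continue
        if rule["action"] == "Accept" and first_accept is None:
            first_accept = idx
        if rule["action"] == "Drop" and first_drop is None:
            first_drop = idx
    return first_accept is not None and (first_drop is None or first_accept < first_drop)


def apply_rules(rules, user, password, url=MDS_URL):
    """Log into the Global domain of the MDS, add the rules, publish.
    Network side effects only; not exercised by the offline check."""
    if not stealth_is_below_management(rules):
        raise ValueError("stealth rule would precede management access rule")
    ctx = ssl.create_default_context()  # keep certificate verification on

    def call(command, payload, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"{url}/{command}",
                                     data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    # "Global" is the domain name used to edit global layers on an MDS
    sid = call("login", {"user": user, "password": password, "domain": "Global"})["sid"]
    try:
        for rule in rules:
            call("add-access-rule", rule, sid)
        call("publish", {}, sid)
    finally:
        call("logout", {}, sid)


if __name__ == "__main__":
    for rule in build_rules():
        print(json.dumps(rule, indent=2))
```

After the policy is installed, `dynamic_objects -l` on a gateway lists the dynamic objects and the addresses they currently resolve to, which is the quickest way to confirm that the rule really matches the gateway's own interface IPs and nothing else.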
Maarten_Sjouw
Champion

There is another way: you can use dynamic global objects. These are defined in the global domain and their name needs to end in _global.
Before you can create them you need to create a simple group object with the exact same name, you fill this group in each domain with the networks you want to use on the rules that have that specific global object.
Now you can create the dynamic global objects in the Global domain and use them in the global rules.

As an MSP we have many different customers but we still need to be able to use our stepstone servers to get to their gateways, so we create a dynamic global object that is used to be filled per domain with the gateways of the customer.

Regards, Maarten