This is always how I've done it, as well!

Hi Tomer Sole

I just found this thread when searching for information about the All_Internet object.

What you are asking about is the App control object 'Internet', yes? I like it and would like to be able to use it for the access control policy instead of using the negate option like I am currently doing. Luckily this seems to be the least bad option from the list in the OP. Reading the answers here it seems many others would like to have the Internet object available for access control as well.

Nice Information. I think This applies to R80 only as lower than R80 version don't have zone concept.

This is good feature in R80

Also available in SMB appliances running R77.20.XX.

Security Zones are definitely helpful, and their use does not appear to impact SecureXL acceleration, templating, or the new Column-based/Early Drop rule matching based on my research so far.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Unfortunately Check Point seems to have issues with Security Zones in R80.x.

Danny,

Is it really an issue if all you have to do is create a single rule with "External Zone" object and label it in a separate section "Do not delete, will cause policy installation failures!"?

Security zones cannot be used in NAT rules, so when you wan't to do a HIDE nat for all internet traffic, it is useless. 

I found an interesting bug(?) with this.  When setting the zone "According to topology" in topology settings, policy validation fails with "Rule X has security zone objects that are not attached to any interface used in (gateway) : (zone).".  Performing a "where used" on the zone object does not show the relevant gateway until I manually define the zone.  For example, I selected "According to topology" which set my external interface to "ExternalZone".  Validation failed until I manually forced it to "ExternalZone", and gateway didn't show up as "used" by the zone until then either.  I am on R80.20 with JHFA Take 118.

I'm backing off of using Zones in my Policies for now.  I am using the method with all of my networks in a group and then negating the cell.  It works, but I feel it can be error prone in a larger environment.  Topologies have to be correct for our various VPN's, so tagging a zone to this seems like it would scale better.  I'll check back on this later when NAT is also supported like others seem to be doing.

According to Marc Lampo this is not working since R80.20 anymore.

To be precise : one cannot enter a route for 2000::/3, anymore.

I now have 32 routes, each a /8.  (2000::/8, 2100::/8, 2200::/8, ... 3F00::/8)

Thanks R80.20 ;-(

At first glance this was my favorit way of defining Internet. But, when comparing adding 6 address ranges to a group vs. negating RFC1918 networks in a group the latter feels like the better choice from a performance perspective.

Considerations:

• 3 networks is less than 6 address ranges. But which one has the smaller performance impact?
• Does negating have any impact on performance?
• You cannot negate a src/dst cell in NAT rules.
• Negating doesn't feel as natural as allowing.

I'm currently sticking with the negated RFC1918. But if using address ranges can be proved not causing a large performance impact I'll consider using it just because it looks cleaner and is usable in NAT rules.

/ Ilmo

Hmm... "ANY" should be avoided whenever possible.

Please see this comment by Timothy Hall‌:

https://community.checkpoint.com/message/18334-re-securexl-is-enabled-but-the-traffic-is-not-acceler... 

In most all cases, I agree the use of ANY is prohibited.  In these "Internet" cases, I'll agree if you can show me the value of replacing ANY with a negated or excluded internal networks object.  Or replacing ANY with all applicable IP ranges that represent the Internet.  In most common topologies that have a dedicated "Internet" firewall, you would never see your internal networks as an Internet source or destination.  You can mask ANY with some of these methods, and it can be debated that you've provided additional security by explicitly defining the Internet as a whole, but the effective outcome is still ANY.  To me, the danger is in providing a false sense of security to those that don't fully understand this concept. 

Personally, I accept ANY in these instances (related to Internet only), and ensure that there's a documented process to manage and mitigate the associated risk with using ANY.  This includes, but isn't limited to, periodic reviews for continued use of ANY, requirements for additional security measures when using ANY, and management understanding and approval to use ANY.

If it would only affected security aspects of access control, I'd agree with you. The problem with "Any" is the impact on performance of the gateways, as per post referenced earlier as well as inclusion of RFC 1918 ranges in it.

I have seen too many environments with Anti-Spoofing disabled to be comfortable with it.

My personal preference is to use "All Internet" object available with URLF and Application Control blades or the "External" zone object.

If you do use "Any" extensively, I'd check the SecureXL status on the gateways to see how the acceleration is being affected. Your environment may very well perform nominally, if hardware specks are way higher than could've been otherwise.

On other firewall brands I have used in the past, using "Any" was not affecting the performance. I know "Any" sounds bad, but there are things one want to be accessible from any IP, for example a web public server located in DMZ, behind the firewall. You want all the Internet IPs and private internal IPs to reach that Web server.

Another example is cloud services that cannot be properly handled by a DNS rule, due to the fact that the IPs change all the time and when the firewall checks, the IP is already different.

Even the Stealth and Cleanup rule has "Any" in it. As bad as it sounds "Any" might be a necessary evil.

For performance reasons I try to avoid "Any" and I was able to replace it with Internet_IPv4 when I have no choice like inbound traffic to a public web server.

If you are concerned about cleaning up as many *ANY* rules as possible, you could have a group containing all your private address space (or all RFC-1918 LANS) and negate that group for rules granting inbound access from the Public Internet. 

As mentioned earlier in this thread, from a functional perspective using "Any" in your policies works fine.  However avoiding "Any" helps optimize the new Column-based matching function which is described here:

Unified Policy Column-based Rule Matching 

This feature causes much more efficient matching of policy rules in the PXL/F2F paths.  It is not part of SecureXL and using various SecureXL commands like "fwaccel stat" will not show the potential impact of using "Any" in your policies.  As mentioned in my book the "throwing out" of rules by Column-based matching that cannot possibly match the connection happens for the Destination column first, so trying to avoid use of "Any" in that one column can be the most beneficial, because if almost all rules can be "thrown out" during the first pass through the Destination column there are very few rules left when going through the Source and Service columns.  Once all non-matching rules have been thrown out, a traditional "top-down, first-fit" evaluation of the surviving rules commences.

There do not appear to be any commands that allow you to measure how efficiently Column-based matching is operating on the firewall, other than a full-blown kernel debug of the policy evaluation.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Thanks for the reminder about column-based matching!

The only caveat is that it has to be an R80.X environment and I cannot deduce that it is from Shannon's posts.

Cheers,

Vladimir