Advisor

global implied management rules

I was thinking about something that I just assumed was correct but I think it's worth asking.

Say I have

MDS1 - 192.168.1.10

CMA1 192.168.1.11

CMA2 192.168.1.12

FW_CMA1 - (a firewall) 192.168.1.1 (is the only route out for anything on 192.168.1.0/24)

FW_CMA2 - (a firewall) 10.1.1.1 (lives outside the 192.168.1.0/24 network and must route through FW_CMA1 in order to reach 192.168.1.0/24)


MDS is directly connected to a checkpoint firewall FW_CMA1.

FW_CMA1 is managed out of CMA1.

Deeper in the network we have a checkpoint managed out of CMA2 called FW_CMA2.

My understanding is that because the implied rules for CMA access aren't global, I'll have to write a rule to allow FW_CMA2 to communicate through FW_CMA1 in order to reach CMA2, correct?

Is that the best way to do that or is there some magic beans I don't know about that will allow implied rules to be more global to allow FW_CMA2 to communicate through FW_CMA1 to CMA2 without making a local rule in FW_CMA1?

4 Replies
Champion

Your assumption is correct and there is no clever way to achieve this, as CMA1 does not know about any gateways living in other CMAs. There is no easy way to let those gateway objects be inherited by CMA1.

So you're bound to do this all manually. The problem will really arise when you have DAIP gateways. Then your only option will be to allow all IPs access with the ports required for inbound traffic. To know which ports, have a good look at @HeikoAnkenbrand - R80.x - Ports Used for Communication by Various Check Point Modules. For outbound I would not be too worried and would open up to any destination.

Regards, Maarten
Advisor

No DAIP, this is all internal network with static IPs. No internet access comes into play.

Champion

Then I would just set up a rule allowing any internal net to the MDS-CMA IP range with the required ports, and one rule in the other direction with the required ports.

Regards, Maarten
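The two replies above make a point that is easy to misjudge when reading a rulebase: implied management rules are installed per CMA, so FW_CMA1 only carries implied rules for CMA1 and its own gateways, and a flow from FW_CMA2 to CMA2 that transits FW_CMA1 hits FW_CMA1's cleanup rule. The following Python model is an added example, not code from the thread or from Check Point. It builds the topology from the question, treats each gateway's policy as "own CMA's implied rules, then explicit rules, then cleanup drop", and evaluates whether a management flow survives every hop. The port set is an assumption to be checked against the port list Maarten cites; everything else (addresses, which CMA manages which gateway, FW_CMA1 as the only route into the LAN) is taken from the original post.

```python
"""Toy model of per-CMA implied rules versus an explicit rule on FW_CMA1.

Added example, not code from the thread or from Check Point: it models the
topology the question describes and shows why management traffic between
FW_CMA2 and CMA2 is dropped by FW_CMA1 until FW_CMA1 carries explicit rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed management ports (check them against the port list the reply cites):
# 257 FW1_log, 18191 CPD/SIC, 18192 CPD_amon, 18210 FW1_ica_pull, 18211 FW1_ica_push
MGMT_PORTS: FrozenSet[int] = frozenset({257, 18191, 18192, 18210, 18211})
ANY_PORT: Optional[FrozenSet[int]] = None

# Addresses constructed from the thread
HOSTS = {
    "MDS1": "192.168.1.10",
    "CMA1": "192.168.1.11",
    "CMA2": "192.168.1.12",
    "FW_CMA1": "192.168.1.1",
    "FW_CMA2": "10.1.1.1",
}
LAN = ip_network("192.168.1.0/24")                    # FW_CMA1 is the only way in or out
MANAGED_BY = {"FW_CMA1": "CMA1", "FW_CMA2": "CMA2"}   # gateway -> managing CMA


@dataclass(frozen=True)
class Rule:
    src: str                          # CIDR
    dst: str                          # CIDR
    ports: Optional[FrozenSet[int]]   # None = any port
    action: str                       # "accept" or "drop"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.ports is None or port in self.ports))


def implied_rules(cma: str) -> List[Rule]:
    """A CMA's implied rules cover only itself and the gateways it manages."""
    rules = []
    for gw, mgr in MANAGED_BY.items():
        if mgr == cma:
            rules.append(Rule(HOSTS[gw] + "/32", HOSTS[cma] + "/32", MGMT_PORTS, "accept"))
            rules.append(Rule(HOSTS[cma] + "/32", HOSTS[gw] + "/32", MGMT_PORTS, "accept"))
    return rules


def policy_on(gateway: str, explicit: Dict[str, List[Rule]]) -> List[Rule]:
    """Installed policy: own CMA's implied rules, then explicit rules, then cleanup drop."""
    cleanup = Rule("0.0.0.0/0", "0.0.0.0/0", ANY_PORT, "drop")
    return implied_rules(MANAGED_BY[gateway]) + explicit.get(gateway, []) + [cleanup]


def first_match(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match semantics, as in an ordered rulebase."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "drop"


def path(src_host: str, dst_host: str) -> List[str]:
    """Gateways whose policy inspects a flow: the endpoints that are gateways
    themselves, plus FW_CMA1 whenever the flow crosses the LAN boundary."""
    hops = [src_host] if src_host in MANAGED_BY else []
    crosses = (ip_address(HOSTS[src_host]) in LAN) != (ip_address(HOSTS[dst_host]) in LAN)
    if crosses and "FW_CMA1" not in hops:
        hops.append("FW_CMA1")
    if dst_host in MANAGED_BY and dst_host not in hops:
        hops.append(dst_host)
    return hops


def reachable(src_host: str, dst_host: str, port: int,
              explicit: Dict[str, List[Rule]]) -> Tuple[bool, str]:
    """Return (True, "") if every hop accepts, else (False, name of the dropping hop)."""
    for gw in path(src_host, dst_host):
        if first_match(policy_on(gw, explicit), HOSTS[src_host], HOSTS[dst_host], port) != "accept":
            return False, gw
    return True, ""


def explicit_fix() -> Dict[str, List[Rule]]:
    """The manual rules the replies describe: FW_CMA2 <-> CMA2 on FW_CMA1, both directions."""
    return {"FW_CMA1": [
        Rule(HOSTS["FW_CMA2"] + "/32", HOSTS["CMA2"] + "/32", MGMT_PORTS, "accept"),
        Rule(HOSTS["CMA2"] + "/32", HOSTS["FW_CMA2"] + "/32", MGMT_PORTS, "accept"),
    ]}


if __name__ == "__main__":
    print("FW_CMA1 -> CMA1 (implied):", reachable("FW_CMA1", "CMA1", 18191, {}))
    print("FW_CMA2 -> CMA2 (no rule):", reachable("FW_CMA2", "CMA2", 18191, {}))
    print("FW_CMA2 -> CMA2 (fixed):  ", reachable("FW_CMA2", "CMA2", 18191, explicit_fix()))
    print("CMA2 -> FW_CMA2 (fixed):  ", reachable("CMA2", "FW_CMA2", 257, explicit_fix()))
```

Running it shows FW_CMA1 to CMA1 passing on implied rules alone, FW_CMA2 to CMA2 dropped at FW_CMA1 until `explicit_fix()` is installed there, and the return direction from CMA2 needing its own rule, which is the "one rule in the other direction" point. Keeping the explicit rules scoped to the management ports rather than any service is what makes the workaround no wider than the implied rules it stands in for.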
Advisor

We're a bit tighter than that. Add node and VIP to a group, etc. End result is the same.

Thanks for the feedback btw!