cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Placing rule in Firewall

Am fresh to Checkpoint and I got this interview question. when we have multiple Firewall in single office lets say 5 Firewall. User is requesting to stage some rule.  how do we come to know that on which firewall the policy needs to be pushed out of that 5 boxes?

I told I will do tracert and find out but they didn't agree for that. what are the other ways we can check the above and place rule 

7 Replies
Muazzam
Iron

Re: Placing rule in Firewall

There are multiple ways to find out this information.

Simplest of all would be to go on "Gateways and Servers", click on any gateway or cluster object - below you will see the details about the gateway, policy name and the date last time policy was pushed.

Re: Placing rule in Firewall

Hi Thanks for your reply. But I want to know on which firewall I want to stage the policy out the existing 5 firewalls in the office. 

0 Kudos
Admin
Admin

Re: Placing rule in Firewall

You can't answer this question without knowing the basic network topology and where the firewalls sit in relation to that.
Further, you might need to enable the rule in multiple gateways to achieve the desired effect.
0 Kudos
Employee+
Employee+

Re: Placing rule in Firewall

@Muazzam This doesn't mean that the policy was actually the correct one. 🙂 It only shows what was last pushed.

0 Kudos
Employee+
Employee+

Re: Placing rule in Firewall

I don't like this kind of interview questions as they don't give any information about the candidate's understanding about security or performance in the job. Of course you will need to have correct security policies defined on each gateway.

There is only one answer to such a dumb question. You have to define policy installation targets so that only the relevant gateways show up when you are pushing the policy. So, you cannot push incorrect policy without changing the installation targets. How do you know what gateways to define as policy targets then? Well, know your environment and what you are protecting. 🙂

Better question would have been e.g. 

- Here is a network topology with five security gateways in marked positions. Do you think the security controls are in correct places for the best security and what kind of security would you enforce on each gateway...

 

0 Kudos
JozkoMrkvicka
Platinum

Re: Placing rule in Firewall

That exactly might be the answer what was expected - "I cannot answer that question because I don't have an overview of the infrastructure".

Or you can also try to do counter-questions - "Do I have all needed privileges to figure it out? Can I access all 5 firewalls and examine their topology ? Is a user authorized to request such a rule ? Isn't requested rule in violation of our internal standards ?"

In other words, to be precise, you need to know the EXACT structure of environment and source/destination to answer that question.

Kind regards,
Jozko Mrkvicka
0 Kudos

Re: Placing rule in Firewall

I think it is important to understand the reason behind questions. From your version of the question I think they wanted to see how you would approach a small problem and how would you think in process to fix it. Also possible to see how deep you would go for a simple-looking problem after they ask you additional questions, how familiar you are with Check Point products or your understanding of troubleshooting in general.

 

So, the initial information is not enough. But was it not possible to ask them questions to get this information? For example to ask if we have a network diagram for start.

As the first step you can just check in logs with given IPs. If all firewalls connected to the same management and log server, then you would see where traffic is blocked. This log entry will show you on which firewall traffic is blocked and which policy package it is using. If there are several firewalls on the path of this traffic, you would repeat it several times. That if we have logs for this traffic, of course. Here they could ask you something like "and what if we don't see logs for this traffic"?

Most probably you know source and destination IPs, so you can check behind which firewalls these networks are. You can check how traffic will be routed through firewalls - easier in CLI, but also possible through Dashboard with some assumptions. Here you could mention some commands that you would use to do a sort of reverse engineering for the network diagram. If you found required firewalls in CLI, then you can also quickly check from CLI which policy package is installed on the gateway.

They can tell you here something like "ok, you added rules, but traffic is still not reaching the destination server and not visible in logs". You would need to explain how you would troubleshoot it further using for example fw monitor and tcp dump, or mention "Log implied rules" setting.

 

Traceroute can be just blocked on firewalls (and it is by default), so you might not see anything in the output of the source host. You would see that traffic on the gateway of course, which returns you to firewall logs. The second possibility here is that you don't have access to the source host to traceroute, as it usually is in many companies - different teams are responsible for different systems.