fjulianom
Advisor

New on Check Point firewalls - Many firewall policies

Hi community,

I am completely new to Check Point firewalls. I have been watching videos on how to configure policies on a Check Point firewall (security gateway in Check Point terminology), and I have found it is pretty complicated. Let's say you want to create a typical LAN-to-Internet rule where you want your users to have Internet service, you want to protect them against viruses, you want to apply a web filtering profile, and usually this rule will need NAT. So far, I have seen you need four firewall policies on the security gateway, namely: one for the LAN-to-Internet firewall access rule itself, one with the same source and destination where you apply the antivirus, one with the same source and destination where you apply the web filtering, and another one where you define the NAT. Four separate rules, pretty complicated. I have hands-on experience with another vendor in which you create the firewall policy with the source and destination, and in the same policy you apply the AV profile, apply the web filtering profile, and check the NAT option, pretty simple. Is this the way on Check Point? Am I right? Or am I missing anything?

Regards,
Julián

0 Kudos
18 Replies
_Val_
Admin

Which vendor are you talking about, specifically? Which appliance from that vendor did you use?

It seems like you are trying to apply some concepts that are irrelevant here. 

0 Kudos
fjulianom
Advisor

Hi,

I am talking about Fortinet, and any of the FortiGate models. Do you know it? I think Palo Alto firewalls have similar configuration, you can apply several security profiles within the same firewall policy.

Regards,

Julian 

Bob_Zimmerman
Authority

From the description, it sounds like Fortinet. I have a Fortigate and their per-rule config is definitely interesting. You match based on incoming interface, outgoing interface, source, destination, service, and schedule. Once you have your match, you define all the stuff you do to it like accept/drop, NAT, AV, URL Filtering, DNS filter, application control, DLP, and so on. I like the clarity of having one way to match the traffic, then one place to set all the actions for that traffic.

That said, that rule model makes it a lot harder to apply AV to all traffic on ports 25, 80, and 443 regardless of source and destination, for example. It also makes it harder to build an exception for one flow: you have to build a whole extra rule and set everything to be the same except for the feature you want to disable.

fjulianom
Advisor

Now it comes to mind, if I want to configure a destination NAT to reach one of my servers from the Internet, I would have to create the access rule, the NAT rule, one IPS rule and one AV rule to protect the server. Another four rules. In this way, you end up with a firewall with many, many rules. Don't misunderstand me, I am new to CP, but I find this very hard at first sight. I just wanted to be sure the CP configuration is like that. If this is for deploying the firewall, maybe troubleshooting is much harder as well...

Regards,

Julián

0 Kudos
_Val_
Admin

I would advise you to start with the Check Point for Beginners Network Security Series to get working knowledge and concepts fast. In essence, if compared with a Fortinet enterprise deployment, you will see that the Check Point way to build policies is actually more intuitive and simpler to manage.

For small-scale deployments, you can look into the SMB series, where policy creation and deployment are simplified yet again.

fjulianom
Advisor

Yeah, I am already on my way with the Check Point for Beginners Network Security Series. Thank you very much.

Regards,

Julián

0 Kudos
G_W_Albrecht
Legend

You will define NAT in the server object itself and the NAT rule will be created automatically. You must define an access rule, that is all, as long as the IPS/TP config is finished already.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Bob_Zimmerman
Authority

You're making it more complicated than it needs to be. Most of my policies are a few thousand access rules, but under five Threat Prevention rules. Each rule handles AV, IPS, and more.

URL filtering is done right in the access policy. You allow the client out to Any with a service of the sites you want them to be able to hit.

NAT can be built on the objects, like @G_W_Albrecht mentioned. This has the advantage of taking care of proxy ARP for you if needed.

0 Kudos
the_rock
Legend

I'm positive you are referring to Fortigate firewalls, which are way different than CP...you have web filtering profiles, operation mode, flow/proxy inspection...in CP, you don't deal with that sort of stuff, at least not the same way. You set up all threat prevention stuff in SmartDashboard, under security policy -> threat prevention. Now for regular policy, it's way better in R80+ than what it used to be in R77 and before.

So, say you tie a specific interface to a zone, you create a layered rule, say source that zone, dst any and then under action, just create a new layer. That will be your parent rule with a built-in explicit cleanup rule at the bottom. Then you create rules as per your needs. Then, you do the same for other zones you configured.

Now, you can also set up another ordered layer, say for url filtering and app control and do the same, BUT, make sure if you use more than one ordered layer that traffic is accepted on ALL ordered layers.

Message me privately, I have a perfect lab that's very basic and easy to understand where I can show you all this.
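The structure the replies above describe (NAT defined on the object instead of as a separate rule, a single Threat Prevention rule covering AV/IPS, URL categories used directly in the access policy, and a zone-based parent rule with an inline layer that carries its own cleanup rule) can be built non-interactively with mgmt_cli, the Check Point Management API command line. The script below is an added example written for this page, not code from the thread or from Check Point; it assumes it runs on the Security Management Server as root (`mgmt_cli -r true`), that the default "Standard" package with its "Network" access layer and "Standard Threat Prevention" layer is in use, that the built-in "Internet" object and the "Gambling" URL category exist under those names, and it invents the object names LAN_Zone, LAN_Net, Web_Srv, LAN_Outbound, the gateway name gw1 and all IP addresses. Binding the gateway's interfaces to LAN_Zone is done on the gateway object and is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): LAN-to-Internet and inbound-server policy via mgmt_cli.
# Assumes it runs on the Security Management Server (mgmt_cli -r true); object names,
# IP addresses and the gateway name gw1 are invented for illustration.
# DRY_RUN=1 prints the mgmt_cli commands instead of executing them.

MGMT="${MGMT:-mgmt_cli -r true}"

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'mgmt_cli %s\n' "$*"      # printed form drops argument quoting; inspection only
  else
    $MGMT "$@"
  fi
}

# Objects. NAT lives on the object: nat-settings.auto-rule generates the NAT rule,
# so no separate "add nat-rule" is needed for either hide NAT or the server's static NAT.
create_objects() {
  run add security-zone name "LAN_Zone"
  run add network name "LAN_Net" subnet4 "10.10.0.0" mask-length4 24 \
      nat-settings.auto-rule true nat-settings.method hide nat-settings.hide-behind gateway
  run add host name "Web_Srv" ip-address "10.10.20.5" \
      nat-settings.auto-rule true nat-settings.method static \
      nat-settings.ipv4-address "203.0.113.10"
}

# Access policy: one zone-based parent rule whose action applies an inline layer.
# The inline layer gets its own explicit cleanup rule (add-default-rule true), and
# URL categories go straight into the service column, so no separate web-filter rule.
create_access_policy() {
  run set access-layer name "Network" applications-and-url-filtering true
  run add access-layer name "LAN_Outbound" add-default-rule true \
      applications-and-url-filtering true
  # Inbound to the server: the access rule is all that is needed; NAT came from the object.
  run add access-rule layer "Network" position top name "Inbound to Web_Srv" \
      source "Any" destination "Web_Srv" service "https" action "Accept" track.type "Log"
  # Parent rule: LAN zone to Internet, action "Apply Layer" -> inline layer LAN_Outbound.
  run add access-rule layer "Network" position top name "LAN to Internet" \
      source "LAN_Zone" destination "Internet" action "Apply Layer" \
      inline-layer "LAN_Outbound" track.type "Log"
  # Inside the inline layer: block a category first, then allow web. The cleanup
  # rule created above stays last, so anything not allowed here is dropped.
  run add access-rule layer "LAN_Outbound" position top name "Block gambling" \
      source "LAN_Net" destination "Internet" service "Gambling" action "Drop" track.type "Log"
  run add access-rule layer "LAN_Outbound" position 2 name "Web out" \
      source "LAN_Net" destination "Internet" service.1 "http" service.2 "https" \
      action "Accept" track.type "Log"
}

# Threat Prevention: a single rule with a profile covers AV, Anti-Bot and IPS for
# all traffic the access policy lets through; "Optimized" is a built-in profile.
create_threat_policy() {
  run add threat-rule layer "Standard Threat Prevention" position top \
      name "Protect everything" source "Any" destination "Any" \
      action "Optimized" track "Log"
}

commit_policy() {
  run publish
  run install-policy policy-package "Standard" targets "gw1"
}

# Usage:  DRY_RUN=1 sh cp_policy.sh apply   (print the commands)
#         sh cp_policy.sh apply             (run them on the management server)
if [ "${1:-}" = "apply" ]; then
  create_objects && create_access_policy && create_threat_policy && commit_policy
fi
```

Note that the_rock's caveat about multiple ordered layers does not apply here: the inline layer is evaluated only for traffic the parent rule matched, and only one ordered access layer ("Network") exists, so there is no second layer that must also accept the traffic. The dry-run mode is also the cheapest way to review the rule set before publishing.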

G_W_Albrecht
Legend

True, it is complicated to configure and will work very, very well - an ideal way for me to earn some money using gained knowledge 😎

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

Hehe, that's true, you do have very vast knowledge sir! But, on the other hand, that's what I love about this community...everyone is always super helpful and willing to help.

_Val_
Admin

Nah, it is not complicated at all. Try moving from CP to PAN or Forti, there you will suffer 🙂

0 Kudos
K_montalvo
Advisor

Hello @fjulianom, I just wanted to share this information with you, I think there's good information that you can use to explain to someone why CP is a better option:

https://community.checkpoint.com/t5/Partner-Resource-Hub/Fortinet-Competitive-Battle-Card/ta-p/85878...

0 Kudos
fjulianom
Advisor

Hi K_montalvo,

The link doesn't work ☹️

Regards,

Julián

0 Kudos
_Val_
Admin

The link is for partners only, hence you cannot access it.

0 Kudos
K_montalvo
Advisor

Oh sorry @fjulianom, I didn't know that, but feel free to ask anything in this community, we are a big family!

fjulianom
Advisor

No problem at all 😊

Thanks for your training recommendations!

Regards,

Julián

the_rock
Legend

I really meant what I said about showing you my simple lab...I know what it feels like when you are new to a product you don't know much about, so more than happy to help.
