- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Hi community,
I am completely new on Check Point firewalls. I have been seeing videos of how configuring policies on a Check Point firewall (security gateway in Check Point terminology), and I have found it is pretty complicated. Let's say you want to create a typical LAN-to-Internet rule where you want your users have Internet service, you want to protect them againts viruses, you want to apply a web filtering profile, and usually this rule will need NAT. So far, I have seen you need four firewall policies on the security gateway, namely: one for the LAN-to-Internet firewall rule access itself, one with the same source and destination where you apply the antivirus, one with the same source and destination where you apply the web filtering, and other one where you define the NAT. Four separated rules, pretty complicated. I have hands-on experience with other vendor in which you create the firewall policy with the source and destination, and in the same policy you apply the AV profile, apply the web filtering profile, and check the NAT option, pretty simple. Is this way on Check Point? Am I right? Or am I missing anything?
Regards,
Julián
Which vendor are you talking about, specifically? Which appliance from that vendor did you use?
It seems like you are trying to apply some concepts that are irrelevant here.
Hi,
I am talking about Fortinet, and any of the FortiGate model. Do you know it? I think Palo Alto firewalls have similar configuration, you can apply several security profiles within the same firewall policy.
Regards,
Julian
From the description, it sounds like Fortinet. I have a Fortigate and their per-rule config is definitely interesting. You match based on incoming interface, outgoing interface, source, destination, service, and schedule. Once you have your match, you define all the stuff you do to it like accept/drop, NAT, AV, URL Filtering, DNS filter, application control, DLP, and so on. I like the clarity of having one way to match the traffic, then one place to set all the actions for that traffic.
That said, that rule model makes it a lot harder to apply AV to all traffic on ports 25, 80, and 443 regardless of source and destination, for example. It also makes it harder to build an exception for one flow: you have to build a whole extra rule and set everything to be the same except for the feature you want to disable.
Now it comes into my mind, if I want to configure a destination NAT to reach one of my servers from Internet, I would have to create the access rule, the NAT rule, and one IPS rule and one AV rule to protect the server. Other four more rules. In this way, you end up with a firewall with many many rules. Don't misunderstand me, I am new on CP, but I find this very hard at first sight. Just wanted to be sure the CP configuration is like that. If this is for deploying the firewall, maybe for troubleshooting is much harder as well...
Regards,
Julián
I would advise you to start with Check Point for Beginners Network Security Series to get working knowledge and concepts fast. In essence, if compared with Fortinet entreprize deployment, you will see that Check Point way to build policies is actually more intuitive and simple to manage.
For small scale deployments, you can look into SMB series, where policy creation and deployment are simplified yet again.
Yeah, I am already on my way with Check Point for Beginners Network Security Series. Thank you very much.
Regards,
Julián
You will define NAT in Server Object itself and the NAT rule will be created automatically. You must define an Access rule, that is all as long as the IPS/TP config is finished already.
You're making it more complicated than it needs to be. Most of my policies are a few thousand access rules, but under five Threat Prevention rules. Each rule handles AV, IPS, and more.
URL filtering is done right in the access policy. You allow the client out to Any with a service of the sites you want them to be able to hit.
NAT can be built on the objects, like @G_W_Albrecht mentioned. This has the advantage of taking care of proxy ARP for you if needed.
Im positive you are referring to Fortigate firewalls, which are way different than CP...you have web filtering profiles, operation mode, flow/proxy inspection...in CP, you dont deal with that sort of stuff, at least not the same way. You set up all threat prevention stuff in smart dashboard, under security policy -> threat prevention. Now for regular policy, its way better in R80+ than what it used to be in R77 and before.
So, say you tie specific interface to a zone, you create layered rule, say source that zone, dst any and then under action, just create new layer. That will be you parent rule with built in explicit clean up rule at the bottom. Then you create rules as per your needs. Then, you do same for other zones you configured.
Now, you can also set up another ordered layer, say for url filtering and app control and do the same, BUT, make sure if you use more than one ordered layer that traffic is accepted on ALL ordered layers.
Message me privately, I have perfect lab thats very basic and easy to understand where I can show you all this.
True, it is complicated to configure and will work very, very well - an ideal way for me to earn some money using gained knowledge 8).
Hehe, thats true, you do have very vast knowledge sir! But, on the other hand, thats what I love about this community...everyone is always super helpful and willing to help.
Nah, it is not complicated at all. Try moving from Cp to PAN or Forti, there you will suffer 🙂
Hello @fjulianom just wanted to share this information with you, it think theres good information that you can use to explain someone why CP is a better option;
Hi K_montalvo,
The link doesn't work ☹️
Regards,
Julián
The link is for partners only, hence you cannot access it.
Oh sorry @fjulianom did it know that, but feel free to ask anything in this community we are a big family!
No problem at all 😊
Thanks for your training recommendations!
Regards,
Julián
I really meant what I said about showing you my simple lab...I know what it feels like when you are new to a product you dont know much about, so more than happy to help.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
23 | |
16 | |
12 | |
9 | |
8 | |
8 | |
7 | |
7 | |
7 | |
5 |
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 02:00 PM (EDT)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - AMERAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY