New on Check Point firewalls - Many firewall policies
Hi community,
I am completely new to Check Point firewalls. I have been watching videos on how to configure policies on a Check Point firewall (security gateway in Check Point terminology), and I have found it is pretty complicated. Let's say you want to create a typical LAN-to-Internet rule where you want your users to have Internet service, you want to protect them against viruses, you want to apply a web filtering profile, and usually this rule will need NAT. So far, I have seen you need four firewall policies on the security gateway, namely: one for the LAN-to-Internet firewall rule access itself, one with the same source and destination where you apply the antivirus, one with the same source and destination where you apply the web filtering, and another one where you define the NAT. Four separate rules, pretty complicated. I have hands-on experience with another vendor in which you create the firewall policy with the source and destination, and in the same policy you apply the AV profile, apply the web filtering profile, and check the NAT option, pretty simple. Is this the way on Check Point? Am I right? Or am I missing anything?
Regards,
Julián
Which vendor are you talking about, specifically? Which appliance from that vendor did you use?
It seems like you are trying to apply some concepts that are irrelevant here.
Hi,
I am talking about Fortinet, and any of the FortiGate model. Do you know it? I think Palo Alto firewalls have similar configuration, you can apply several security profiles within the same firewall policy.
Regards,
Julian
From the description, it sounds like Fortinet. I have a FortiGate and their per-rule config is definitely interesting. You match based on incoming interface, outgoing interface, source, destination, service, and schedule. Once you have your match, you define all the stuff you do to it like accept/drop, NAT, AV, URL Filtering, DNS filter, application control, DLP, and so on. I like the clarity of having one way to match the traffic, then one place to set all the actions for that traffic.
That said, that rule model makes it a lot harder to apply AV to all traffic on ports 25, 80, and 443 regardless of source and destination, for example. It also makes it harder to build an exception for one flow: you have to build a whole extra rule and set everything to be the same except for the feature you want to disable.
Now it comes to my mind, if I want to configure a destination NAT to reach one of my servers from the Internet, I would have to create the access rule, the NAT rule, and one IPS rule and one AV rule to protect the server. Another four rules. In this way, you end up with a firewall with many, many rules. Don't misunderstand me, I am new to CP, but I find this very hard at first sight. Just wanted to be sure the CP configuration is like that. If this is for deploying the firewall, maybe troubleshooting is much harder as well...
Regards,
Julián
I would advise you to start with the Check Point for Beginners Network Security Series to get working knowledge and concepts fast. In essence, if compared with a Fortinet enterprise deployment, you will see that the Check Point way to build policies is actually more intuitive and simple to manage.
For small scale deployments, you can look into SMB series, where policy creation and deployment are simplified yet again.
Yeah, I am already on my way with the Check Point for Beginners Network Security Series. Thank you very much.
Regards,
Julián
You will define NAT in the server object itself and the NAT rule will be created automatically. You must define an Access rule, that is all, as long as the IPS/TP config is finished already.
You're making it more complicated than it needs to be. Most of my policies are a few thousand access rules, but under five Threat Prevention rules. Each rule handles AV, IPS, and more.
URL filtering is done right in the access policy. You allow the client out to Any with a service of the sites you want them to be able to hit.
NAT can be built on the objects, like @G_W_Albrecht mentioned. This has the advantage of taking care of proxy ARP for you if needed.
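The workflow the two replies above describe (NAT defined on the server object so the NAT rule is generated automatically, plus a single access rule, with AV/IPS left to the separate Threat Prevention policy) can be scripted against the R80+ Management API. This is an added example, not code from the thread or from Check Point; the management hostname, credentials, CA file, object names and addresses are placeholders.

```python
"""Create a host with automatic static NAT and one inbound access rule via the
Check Point Management API, then publish. Server, user, CA file and names are placeholders."""
import json
import ssl
import urllib.request

MGMT = "https://mgmt.example.invalid"  # placeholder management server
LAYER = "Network"                      # default access layer name in a fresh R80+ policy


def host_with_auto_nat(name, internal_ip, public_ip):
    """add-host body: NAT lives on the object itself, so no NAT rule is written by hand."""
    return {
        "name": name,
        "ip-address": internal_ip,
        "nat-settings": {
            "auto-rule": True,          # management generates the NAT rule for this host
            "method": "static",
            "ipv4-address": public_ip,
            "install-on": "All",
        },
    }


def inbound_access_rule(name, server_obj, services):
    """add-access-rule body: one Accept rule; AV/IPS come from Threat Prevention, not from here."""
    return {
        "layer": LAYER,
        "position": "top",
        "name": name,
        "source": "Any",
        "destination": server_obj,
        "service": list(services),
        "action": "Accept",
        "track": {"type": "Log"},
    }


def call(cmd, body, sid=None, ctx=None):
    """POST /web_api/<cmd>; sid is the X-chkp-sid returned by login."""
    req = urllib.request.Request(f"{MGMT}/web_api/{cmd}", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    if sid:
        req.add_header("X-chkp-sid", sid)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ctx = ssl.create_default_context(cafile="mgmt-ca.pem")  # placeholder CA bundle for the mgmt cert
    sid = call("login", {"user": "api_user", "password": "REDACTED"}, ctx=ctx)["sid"]
    call("add-host", host_with_auto_nat("web1", "10.0.0.5", "203.0.113.5"), sid, ctx)
    call("add-access-rule", inbound_access_rule("Inbound to web1", "web1", ["http", "https"]), sid, ctx)
    call("publish", {}, sid, ctx)
    call("logout", {}, sid, ctx)
```

After publish, install the policy on the gateway; the generated NAT rule appears in the NAT policy with the object's proxy ARP handled for you.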
I'm positive you are referring to FortiGate firewalls, which are way different than CP...you have web filtering profiles, operation mode, flow/proxy inspection...in CP, you don't deal with that sort of stuff, at least not the same way. You set up all threat prevention stuff in SmartDashboard, under security policy -> threat prevention. Now for regular policy, it's way better in R80+ than what it used to be in R77 and before.
So, say you tie a specific interface to a zone, you create a layered rule, say source that zone, dst any and then under action, just create a new layer. That will be your parent rule with a built-in explicit clean-up rule at the bottom. Then you create rules as per your needs. Then, you do the same for other zones you configured.
Now, you can also set up another ordered layer, say for URL filtering and app control, and do the same, BUT make sure if you use more than one ordered layer that traffic is accepted on ALL ordered layers.
Message me privately, I have a perfect lab that's very basic and easy to understand where I can show you all this.
True, it is complicated to configure and will work very, very well - an ideal way for me to earn some money using gained knowledge 8).
Hehe, that's true, you do have very vast knowledge sir! But, on the other hand, that's what I love about this community...everyone is always super helpful and willing to help.
Nah, it is not complicated at all. Try moving from CP to PAN or Forti, there you will suffer 🙂
Hello @fjulianom, just wanted to share this information with you, I think there's good information that you can use to explain to someone why CP is a better option:
Hi K_montalvo,
The link doesn't work ☹️
Regards,
Julián
The link is for partners only, hence you cannot access it.
Oh sorry @fjulianom, I didn't know that, but feel free to ask anything in this community, we are a big family!
No problem at all 😊
Thanks for your training recommendations!
Regards,
Julián
I really meant what I said about showing you my simple lab...I know what it feels like when you are new to a product you don't know much about, so more than happy to help.
