Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
r1der
Collaborator

Required Rules for Gateway and SMS? Implied Rules Question.

Jump to solution

Hey all, we have a Smart-1 appliance/2 SG 6000 appliances clustered.
Our system has been updated at least twice from older hardware with existing rules.

Looking over a few rules, I'd like to clean our rules up to what is necessary to unify sec/app layer.
Are there any articles for what is needed to for the management and security gateways on R81.10?

For example, I'm looking at deleting a rule 2 for our SMS/SGs (Source) -> Internal DNS Servers (Destination) / udp&tcp 53 ->Accept.
Logs for that rule look like this. Rule 0 under a different layer is saying its Implied. 
q.png

I've disabled Rule 2, but wondering now I'm wondering if I move to a unified layer and delete the Application layer will DNS stop working? If a log exists lists an rule 0 - Implied Rule, would that be safe to determine we do not need a rule (after verifying logs are not hitting any other rules of course).

Another log example. Would this be safe to determine to delete if it is implied?  I'm not seeing a difference between my Security/App layer Implied Rules. (I'm not sure if they're the same or not?)

z.pngp.png

If you have any Policy cleanup tips that would be great too. I have rules that are too permissive that I'd like to clean up to have our network more secure.

Thanks!!

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

All of the Implied Rules should be shown here.
See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

image.png

DNS has implied rules.
NTP is not covered under Implied Rules (at least the ones shown here).

However, if traffic were purely being accepted based on these implied rules, it would be accepted that way for both layers.
Which means...this "Implied Rule" is probably something different.
I'm assuming your Application layer only has App Control/URL Filtering active and not Firewall?
That might be the reason for the implied rule as DNS and NTP are handled in the Firewall, not App Control.

View solution in original post

10 Replies
the_rock
Champion
Champion

Below post should be helpful:

https://community.checkpoint.com/t5/Cloud-Network-Security/Port-Requirement-Management-Server-and-Ga...

Now, you cant disable any implied rules from GUI (as you should NOT anyway), but you can modify based on below (if need be)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As far as rules cleanup, I would look for disabled/0 hits rules and take care of those.

 

Cheers,

 

Andy

r1der
Collaborator

Thanks Andy. That thread was helpful.

DO you know if there is Gateway & SMS -to-> External requirements like NTP/DNS/CheckPoint Updates KB?
Can't seem to find the article.

0 Kudos
the_rock
Champion
Champion

Not sure if below is what you need, but this is the only one I know of. Now, this is ONLY needed if you disable option in global properties as indicated. I personally never in 15 years dealing with CP met or talked to anyone who did this, but, in all fairness, with much better handling of updatable objects, I guess it might not be so unusual to see customers do it now days.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

r1der
Collaborator

Thanks for this. I wonder if at one point we that did have unchecked, and whoever administrated the FW at the time created explicit rules for updates.

0 Kudos
the_rock
Champion
Champion

Most likely, you must have, because Im 99.99% sure the only time anyone would have explicit rules for updates in the policy would have been if that option in global properties was off.

Andy

_Val_
Admin
Admin

Unless there is a serious security based argument, I would advise you to keep the default implied rules. 

r1der
Collaborator

Hi Val, 

I'm not interested in modifying the implied rules. I'm trying to understand them since we have rules created that seem like they are already covered under the Implied Rules. Duplicate rules?

Like if we have a rule for CheckPoint updates to 'x' destination. Is that necessary if I see logs below that rule that it is implied?

Hope I am explaining that right.

Thanks!

0 Kudos
PhoneBoy
Admin
Admin

All of the Implied Rules should be shown here.
See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

image.png

DNS has implied rules.
NTP is not covered under Implied Rules (at least the ones shown here).

However, if traffic were purely being accepted based on these implied rules, it would be accepted that way for both layers.
Which means...this "Implied Rule" is probably something different.
I'm assuming your Application layer only has App Control/URL Filtering active and not Firewall?
That might be the reason for the implied rule as DNS and NTP are handled in the Firewall, not App Control.

r1der
Collaborator

Thanks PhoneBoy. I'll go over that article as well.

implied.PNGpolicy.PNG

 

You are correct! That makes sense to me, I THINK. 
--
I'm assuming it is required to have the Security layer enabled with Application & URL Filtering in order to achieve a unified policy?

PhoneBoy
Admin
Admin

In a Unified Policy, you'd have a single layer with the relevant blades enabled (Firewall and App Control in this case).