This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Fleming
Advisor
‎2020-08-27 09:31 AM

global implied management rules

I was thinking about something that I just assumed was correct but I think its worth asking. 

Say I have

MDS1 - 192.168.1.10

CMA1 192.168.1.11

CMA2 192.168.1.12

FW_CMA1 - (a firewall) 192.168.1.1 (is the only route out for anything on 192.168.1.0/24

FW_CMA2 - (a firewall) 10.1.1.1 ( live outside the 192.168.1.0/24 network and must route through FW_CMA1 in order to reach 192.168.1.0/24.

 

MDS is directly connected to a checkpoint firewall FW_CMA1.

FW_CMA1 is managed out of CMA1.

Deeper in the network we have a checkpoint managed out of CMA2 called FW_CMA2.

My understand is because the implied rules for CMA access aren't global I'll have to write a rule to allow FW_CMA2 to communicate through FW_CMA1 in order to reach CMA2 correct? 

Is that the best way to do that or is there some magic beans I don't know about that will allow implied rules to be more global to allow FW_CMA2 to communicate through FW_CMA1 to CMA2 without making a local rule in FW_CMA1?

4 Replies
Maarten_Sjouw
Champion
Champion
‎2020-08-27 10:29 AM

Your assumption is correct and there is no clever way to achieve this as the CMA1 does not know about any other gateways living in other CMA's. There is no easy way to let those gateway objects to be inherited by CMA1.

So your bound to do this all manually. Problem will really arise when you have DAIP gateways. Then your only option will be to allow all IP's access with the ports required for inbound traffic. To know which ports have a good look at @HeikoAnkenbrand - R80.x - Ports Used for Communication by Various Check Point Modules For outbound I would not be to worried and open up to any destination.

Regards, Maarten
John_Fleming
Advisor
‎2020-08-27 10:39 AM
In response to Maarten_Sjouw

No DAIP, this is all internal network with static IPs. No internet access comes into play.

Maarten_Sjouw
Champion
Champion
‎2020-08-27 01:38 PM
In response to John_Fleming

Then I would just setup a rule allowing any Internal net to the MDS-CMA ip range with the required ports and one rule in the other direction with the required ports.

Regards, Maarten
John_Fleming
Advisor
‎2020-08-27 03:17 PM
In response to Maarten_Sjouw

we're a bit more tight then that. Add node and VIP to a group etc. End result is the same.

 

Thanks for the feedback btw!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events