Tuesday, January 13, 2015

Checkpoint Lab - 7 (Creating Policy) Tutorial

Creating Policy on Checkpoint

Policies are the rules that define which traffic is accepted, dropped or rejected. A policy can be written in many ways; this lab covers five basic rules that appear in most environments. Before we go ahead, keep in mind that rules are processed in order from top to bottom and the first rule that matches wins, so where you place each rule matters.

5 Policies - 

Management rule - Defines who may connect to the firewall itself and with which services. If you need to administer the firewall directly from the ClientA machine, the rule is:
Source --> Destination --> Services --> Action --> Track --> Install on
ClientA --> Firewall --> https, ssh --> Accept --> Log --> Firewall
The whole point of the distributed topology is that the manager connects to the firewall centrally and administers it, so you need a row for the manager as well:
Manager --> Firewall --> https, ssh --> Accept --> Log --> Firewall

Stealth Rule - Drops all other traffic destined to the firewall itself, so the gateway does not answer connections that were not explicitly allowed. It must sit below the management rule: if the stealth rule came first, the management connections would match it and be dropped.
Any --> Firewall --> Any --> Drop --> Log --> Firewall

Network Rule - Defines which services the internal network may use to go out and connect to the Internet. Keep the service list specific; a network rule with Services set to Any would accept NetBIOS chatter before the next rule could drop it.

Netbios Rule - Any network carries a lot of NetBIOS chatter, and the same is true of traffic arriving from outside. This rule drops NetBIOS traffic from anywhere to anywhere. It is commonly tracked with None rather than Log so that the chatter does not flood the logs.

Cleanup Rule - The last rule at the bottom of the list. It drops anything that is not matched by a rule above it, and logs it.

Notice the cleanup rule is at the end of the list because it denies everything. Traffic that matches none of the earlier rules falls through from top to bottom and is dropped here. Check Point drops unmatched traffic even without this rule, but that implicit drop is not logged; the explicit cleanup rule exists so that you can see what is being dropped.
Finally there are implied rules, built-in rules that ship with Check Point products. They cover "Control Connections" (which let Check Point components talk to each other), a rule that lets the management server fetch updates from the Check Point website, and the default acceptance of SSH and web connections for gateway administration (this is how we connected to the firewall through the browser in the first place).

You can view the implied rules by going to the "Launch Menu" - "View" and selecting "Implied Rules". Notice the implied rules have a red tilde in front of them. Each implied rule has a position (First, Before Last or Last) set in Global Properties; those positioned First are evaluated before your own rules, so the stealth rule does not block whatever an enabled First implied rule accepts.
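
As an added illustration (not code from the original lab or from Check Point), the Python below models the five rules as a first-match rulebase and shows what changes when the stealth rule is placed above the management rule, what the Netbios rule does with tracking set to None, why ClientA cannot ping the firewall with only the management rule in place, and what happens to unmatched traffic with and without an explicit cleanup rule. The objects Internal_Net and Internet and the service names are assumptions made for the example.

```python
"""Simulate a Check Point-style rulebase: the first rule that matches, reading
from the top, decides the action; traffic matching nothing hits the implicit
drop at the end. Added example; object and service names beyond ClientA,
Manager and Firewall are assumed."""
from dataclasses import dataclass

ANY = "Any"

# Constructed group membership: which hosts a network object contains.
GROUPS = {
    "Internal_Net": {"ClientA", "Manager"},
}

# NetBIOS service objects (udp/137, udp/138, tcp/139).
NETBIOS = {"nbname", "nbdatagram", "nbsession"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    svc: frozenset
    action: str          # "Accept", "Drop" or "Reject"
    track: str = "Log"   # "Log" or "None"


def rule(name, src, dst, svc, action, track="Log"):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(svc), action, track)


def _matches(column, value):
    """A column matches if it is Any, names the value, or names a group holding it."""
    if ANY in column or value in column:
        return True
    return any(value in GROUPS.get(obj, ()) for obj in column)


def evaluate(rulebase, src, dst, svc):
    """Return (rule name, action, logged) for the first matching rule.
    With no match, Check Point's implicit cleanup drops without logging."""
    for r in rulebase:
        if _matches(r.src, src) and _matches(r.dst, dst) and _matches(r.svc, svc):
            return r.name, r.action, r.track == "Log"
    return "Implicit cleanup", "Drop", False


MANAGEMENT = rule("Management", {"ClientA", "Manager"}, {"Firewall"}, {"https", "ssh"}, "Accept")
STEALTH = rule("Stealth", {ANY}, {"Firewall"}, {ANY}, "Drop")
# The Network rule lists specific services; with Services=Any it would accept NetBIOS
# before the Netbios rule below ever saw it.
NETWORK = rule("Network", {"Internal_Net"}, {"Internet"}, {"http", "https", "dns"}, "Accept")
NETBIOS_RULE = rule("Netbios", {ANY}, {ANY}, NETBIOS, "Drop", track="None")  # noise rule, no log
CLEANUP = rule("Cleanup", {ANY}, {ANY}, {ANY}, "Drop")

GOOD_ORDER = [MANAGEMENT, STEALTH, NETWORK, NETBIOS_RULE, CLEANUP]
BAD_ORDER = [STEALTH, MANAGEMENT, NETWORK, NETBIOS_RULE, CLEANUP]  # stealth above management

if __name__ == "__main__":
    for label, rb in (("correct order", GOOD_ORDER), ("stealth first", BAD_ORDER)):
        print(label, "Manager ssh -> Firewall:", evaluate(rb, "Manager", "Firewall", "ssh"))
    print("ClientA icmp -> Firewall:", evaluate(GOOD_ORDER, "ClientA", "Firewall", "icmp"))
    print("ClientA nbname -> Internet:", evaluate(GOOD_ORDER, "ClientA", "Internet", "nbname"))
    print("Internet telnet -> ClientA:", evaluate(GOOD_ORDER, "Internet", "ClientA", "telnet"))
    print("same, no explicit cleanup:", evaluate(GOOD_ORDER[:-1], "Internet", "ClientA", "telnet"))
```

With the stealth rule above the management rule the manager's SSH session is dropped and logged by "Stealth"; with the page's order it is accepted by "Management". The telnet probe from the Internet is dropped either way, but only the explicit cleanup rule leaves a log entry behind.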

Now let's create all five rules described above.
On the SmartDashboard click the "Launch Menu" --> "Rules" --> "Add Rules" --> "Top".

You will see an empty rule like the one below.

You can also click the options circled in red above to create rules instead of using the "Launch Menu".
Double-click the empty space under "Name" and enter "Management".

Next, click the "*Any" under "Source". Here we specify the source that may connect to the destination. Per the five policies above, ClientA and Manager need to connect to the firewall. You can drag and drop the objects or click "+" as shown below and select the objects from the popup window.

After the selections are made the "Source" column should look like the screenshot below.

Follow the same process for "Destination" (drag and drop or click "+") to add the firewall.

The rule should now look like this.

You must now decide which services (ports) need to be allowed from source to destination.

After adding the services, set the "Action": Accept, Drop or Reject. Drop silently discards the packet; Reject also sends a TCP reset or ICMP unreachable back to the sender, which tells it that a filtering device is in the path, so use Drop on the stealth and cleanup rules.

At the end, after enabling logging under "Track" and selecting "Firewall" under "Install On", your rule should look like this.

After adding all five rules the policy should look like this.

The last step is to SAVE the policy we just created and INSTALL (push) it to the firewall.

Save the policy first. When you save, you will see the "Standard" policy package that Check Point ships with. Also notice that you will not be able to ping the firewall from the ClientA machine: ICMP is not in the management rule, so the stealth rule drops it. To allow it, add the ICMP service to the "INTERNAL" rule (refer to the final policy screenshot above).

Save the policy as Lab_Policy_1; the dashboard will now show the policy name. The next step is to install the policy on the firewall. Check Point lets you keep versions of the policy through the "Create a database version" option. It adds a little processing overhead, but creating a database version is good practice because it gives you a known state to roll back to if the new policy locks you out or breaks traffic. Keep disk space in mind: between logs, backups and database versions, make sure you have enough.

You will see the message below once the database version is created. Click "OK" and proceed with the policy installation on the Main Office firewall.

After installation completes, the five rules we created are applied on the firewall and are active. Try pinging the firewall, or run tests against the rules created above.
Open SmartView Tracker to look at the logs.

Clicking "Track Logs" opens SmartView Tracker. A sample trace is below.
We did enable ICMP to the firewall from the ClientA machine.

The most important skill in firewall administration is the ability to read the logs and piece together why and how traffic flows. From the trace above you can determine:
  • Source - ClientA
  • Dest - Firewall
  • Service - ICMP
  • Which interface the traffic came in on - eth1
  • Which rule it hit or was processed by - Management
The above is a very simple example. I will try to include more complex examples in later labs.
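
As an added example that is not part of the original post, the Python below applies the same kind of reading to a handful of constructed log records: pull out everything from ClientA, count drops per rule, and list connections to the gateway itself that arrived on the external interface, which is what the stealth rule is there to catch. The key=value lines are made up for this example and are not SmartView Tracker's export format; the field names (src, dst, service, iface, rule) and the interface roles (eth0 external, eth1 internal) are assumptions.

```python
"""Filter constructed firewall log records by source, rule, service or interface,
the way you would with SmartView Tracker filters. Added example; the log format
and field names are invented for this illustration."""
from collections import Counter

# Constructed sample log: one record per line, fields as key=value.
SAMPLE_LOG = """\
time=10:01:02 action=accept src=ClientA dst=Firewall service=icmp iface=eth1 rule=Management
time=10:01:05 action=accept src=Manager dst=Firewall service=https iface=eth1 rule=Management
time=10:02:11 action=drop src=10.0.0.99 dst=Firewall service=ssh iface=eth0 rule=Stealth
time=10:02:40 action=accept src=ClientA dst=Internet service=http iface=eth1 rule=Network
time=10:03:07 action=drop src=10.0.0.99 dst=ClientA service=telnet iface=eth0 rule=Cleanup
time=10:03:09 action=drop src=10.0.0.99 dst=ClientA service=smb iface=eth0 rule=Cleanup
"""


def parse_log(text):
    """Turn each non-empty key=value line into a dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(field.split("=", 1) for field in line.split()))
    return records


def filter_logs(records, **criteria):
    """Keep records whose fields equal every given criterion, e.g. rule="Stealth"."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def drops_by_rule(records):
    """How many drops each rule produced; a busy cleanup rule means traffic
    nobody wrote a rule for, which is worth investigating."""
    return Counter(r["rule"] for r in records if r["action"] == "drop")


def external_hits_on_firewall(records, external_iface="eth0"):
    """Connections aimed at the gateway itself that came in on the external
    interface: anything here is a probe the stealth rule should have dropped."""
    return filter_logs(records, dst="Firewall", iface=external_iface)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("from ClientA:", [(r["service"], r["rule"]) for r in filter_logs(recs, src="ClientA")])
    print("drops per rule:", dict(drops_by_rule(recs)))
    print("probes at the gateway:", [(r["src"], r["service"], r["rule"])
                                     for r in external_hits_on_firewall(recs)])
```

Filtering on src=ClientA isolates the ICMP and HTTP sessions; the drop count shows one stealth-rule hit and two cleanup-rule hits, and the external-interface view surfaces the SSH probe from 10.0.0.99 that the stealth rule dropped.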

Play with the filters and see how you can use them. Get familiar with SmartView Tracker.
