
Page 1: How to Configure the Security Policy (Rule Base) in Check Point Firewall R65 R70

Title: How to configure the Security Policy (Rule Base) in Check Point Firewall R65/R70

Author: Zubair Arshad, MSc Network Security, CCSP, ASA Specialist, IPS Specialist, CCNA Security, CCNA, CCSA, MCSE, JNCIS

HLD Version: 1.0

Date: 15/04/2010


Network Diagram:

How to Configure the Security Policy

Create the Policy Package: Click File > Save from the main menu. Click File > New from the main menu. The New Policy Package window appears.

Enter the new Policy Package name and tick the Security and Address Translation box. You can also choose the QoS and Desktop Security options.

Click OK. The empty Rule Base appears, and the new Policy Package name appears in the SmartDashboard title bar. Because they were not selected, the Desktop and QoS tabs should not be present.

Define Basic Rules


There are two basic rules that must be used by all Check Point Security Administrators: The Cleanup Rule and Stealth Rule. Both Rules are imperative for creating security measures, and tracking important information in SmartView Tracker.

Cleanup Rule

VPN-1 drops all communication attempts that do not match a rule. The only way to monitor the dropped packets is to create a Cleanup Rule that logs all dropped traffic. The Cleanup Rule, also known as the “None of the Above” rule, drops all communication not described by any other rule, and allows you to specify logging for everything being dropped by this rule. Note: For the Cleanup Rule to be effective, add all other rules above the Cleanup Rule. The last rule in the Rule Base should always be the Cleanup Rule.

Create Cleanup Rule

Select Rules > Add Rule > Top from the main menu.

A default rule appears at the top of the Rule Base.

Right Click the Name field of the rule and select Edit, or Double-Click the Name field. Enter Cleanup Rule in the Rule Name field, and click OK.


Right Click the Track column of the rule, and choose the Log option from the Track drop-down menu.

Right Click INSTALL ON > Add > Targets

Select the Security Gateway and Click OK

The Cleanup Rule appears as follows:

Create Stealth Rule

The Stealth Rule prevents any user from connecting directly to the Gateway. The Gateway becomes invisible to users on the network. Click Rules > Add Rule > Above


A new default rule is added above the Cleanup Rule. Right Click the Name field of the rule and select Edit, or Double-Click the Name field. Enter Stealth Rule in the Rule Name field, and click OK. Right Click the Destination field, select Add, and choose the Security Gateway. Click OK

Right Click the Track column of the rule, and choose the Log option from the Track drop-down menu.

Right Click INSTALL ON > Add > Targets. Select the Security Gateway and Click OK. The Stealth Rule appears as follows:

Define Network Traffic Rule

Right Click the number column of the Cleanup Rule > Add Rule > Above


A new default rule is added above the Cleanup Rule. Right Click the Name field of the rule and select Edit, or Double-Click the Name field. Enter Internal Network Traffic Rule in the Rule Name field, and click OK. Right Click the Source field, select Add, and choose the Internal_Network object. Click OK

DESTINATION > Any

Right Click the Service column, select Add, and choose HTTP, HTTPS, and FTP. Click OK


Right Click the Action column, and select accept

Right Click the Track column of the rule, and choose the Log option from the Track drop-down menu.

Right Click INSTALL ON > Add > Targets. Select the Security Gateway and Click OK. The Internal Network Traffic Rule appears as follows:

Define NetBIOS Rule

This rule reduces the amount of logged traffic by dropping all NetBIOS, BOOTP, and RIP traffic, common services processed by all networks on the Internet and Intranet.

Right Click the number column of the Internal Network Traffic Rule > Add Rule > Above. A new default rule is added above the Internal Network Traffic Rule. Right Click the Name field of the rule and select Edit, or Double-Click the Name field. Enter NetBIOS Rule in the Rule Name field, and click OK.

SOURCE > Any

DESTINATION > Any

Right Click the Service column, select Add, and choose NBT, bootp, and RIP. Click OK

Right Click INSTALL ON > Add > Targets. Select the Security Gateway and Click OK. The NetBIOS Rule appears as follows:


Create WEB Server Rule

This rule allows any external host to access your Web Server residing in the DMZ using the HTTP and FTP services.

Right Click the number column of the Internal Network Traffic Rule > Add Rule > Above. A new default rule is added above the Internal Network Traffic Rule. Right Click the Name field of the rule and select Edit, or Double-Click the Name field. Enter WEB Server Rule in the Rule Name field, and click OK.

SOURCE > Any

Right Click the DESTINATION field, select Add, and choose the Web_Server object. Click OK

Right Click the Service column, select Add, and choose HTTP, and FTP. Click OK

Right Click the Action column, and select accept

Right Click the Track column of the rule, and choose the Log option from the Track drop-down menu.

Right Click INSTALL ON > Add > Targets. Select the Security Gateway and Click OK. The WEB Server Rule appears as follows:


Verify and Install the Security Policy

By verifying the Security Policy before installation, the Rule Base is validated to ensure that no ordering issues that would prevent Policy installation are present.

Click Policy > Verify

Check Security and Address Translation box in the Verify window

A Policy Verification window will appear to notify you that the rules are validated. Click OK. Click Policy > Install

A warning will appear.

Check the option Don’t show this message again. Click OK. The Install Policy window appears.


Click OK to perform the installation. The Installation Process – HeadOffice window shows, informing you that the installation process was accomplished. Click OK.
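The Rule Base assembled above is evaluated top-down and the first matching rule wins, which is why the Cleanup Rule must be last and the Stealth Rule sits above the accept rules. The following Python is an added example, not code from this document or from Check Point: it models that evaluation over the five rules built here and performs the kind of ordering check the Verify step exists for. The object names (Internal_Network, Web_Server, HeadOffice) are the document's; the addresses assigned to them and the sample packets are constructed.

```python
# Added example (not Check Point code): a toy first-match model of the
# Rule Base built in this document, plus the ordering checks a Verify step
# would catch. Object names come from the document; the addresses assigned
# to them here are constructed RFC 1918 / documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

# Constructed network objects. HeadOffice is the Security Gateway (both of
# its interface addresses); Web_Server is the DMZ host's real address.
OBJECTS = {
    "Internal_Network": [ip_network("10.1.0.0/16")],
    "Web_Server": [ip_network("10.2.0.10/32")],
    "HeadOffice": [ip_network("203.0.113.1/32"), ip_network("10.1.0.1/32")],
}


@dataclass
class Rule:
    name: str
    source: str = ANY
    destination: str = ANY
    services: frozenset = frozenset({ANY})  # service names, or {"Any"}
    action: str = "drop"                    # a new default rule drops
    track: str = "none"                     # "log" or "none"

    def matches(self, src, dst, service):
        return (_addr_in(src, self.source) and _addr_in(dst, self.destination)
                and (ANY in self.services or service in self.services))


def _addr_in(addr, obj):
    return obj == ANY or any(ip_address(addr) in net for net in OBJECTS[obj])


# The Rule Base as it stands after page 8, top to bottom: Stealth was added
# above Cleanup, the others were inserted above the Internal/Cleanup rules.
RULE_BASE = [
    Rule("Stealth Rule", destination="HeadOffice", track="log"),
    Rule("NetBIOS Rule", services=frozenset({"NBT", "bootp", "RIP"})),  # drop, not logged
    Rule("WEB Server Rule", destination="Web_Server",
         services=frozenset({"HTTP", "FTP"}), action="accept", track="log"),
    Rule("Internal Network Traffic Rule", source="Internal_Network",
         services=frozenset({"HTTP", "HTTPS", "FTP"}), action="accept", track="log"),
    Rule("Cleanup Rule", track="log"),
]


def evaluate(src, dst, service, rule_base=RULE_BASE):
    """Top-down first match: return (rule name, action, logged?)."""
    for rule in rule_base:
        if rule.matches(src, dst, service):
            return rule.name, rule.action, rule.track == "log"
    return None, "drop", False  # implicit drop without a Cleanup Rule: silent


def _covers(outer, inner):
    """True if every address in object `inner` is also in object `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return all(any(n.subnet_of(o) for o in OBJECTS[outer]) for n in OBJECTS[inner])


def verify(rule_base):
    """Ordering checks in the spirit of Policy > Verify; returns a list of problems."""
    problems = []
    last = rule_base[-1] if rule_base else None
    cleanup_shape = (ANY, ANY, frozenset({ANY}), "drop")
    if last is None or (last.source, last.destination, last.services, last.action) != cleanup_shape:
        problems.append("last rule is not a Cleanup Rule (Any / Any / Any / drop)")
    for i, rule in enumerate(rule_base):
        for earlier in rule_base[:i]:
            services_covered = ANY in earlier.services or (
                ANY not in rule.services and rule.services <= earlier.services)
            if (_covers(earlier.source, rule.source)
                    and _covers(earlier.destination, rule.destination) and services_covered):
                problems.append(f"'{rule.name}' is fully shadowed by '{earlier.name}' and can never match")
                break
    return problems


if __name__ == "__main__":
    for pkt in [("10.1.5.20", "198.51.100.7", "HTTP"),   # LAN user browsing out
                ("10.1.5.20", "10.1.0.1", "HTTP"),       # LAN user connecting to the gateway itself
                ("198.51.100.7", "10.2.0.10", "HTTP"),   # Internet to the DMZ web server
                ("198.51.100.7", "10.2.0.10", "HTTPS"),  # service not in the WEB Server Rule
                ("10.1.5.20", "10.1.255.255", "NBT")]:   # NetBIOS chatter
        print(pkt, "->", evaluate(*pkt))
    print("verify:", verify(RULE_BASE) or "OK")
    print("verify (Cleanup on top):", verify([RULE_BASE[-1]] + RULE_BASE[:-1]))
```

Running the script shows the two effects the document relies on: the Stealth Rule drops a LAN user's HTTP connection to the gateway even though the Internal Network Traffic Rule below it would accept it, and a service outside the WEB Server Rule falls through to the logged Cleanup Rule. Moving the Cleanup Rule to the top makes `verify` report every other rule as shadowed. The check only flags full shadowing; an accept rule with destination Any placed above the Stealth Rule would silently expose the gateway and is not caught by this simple model, which is one more reason to keep the Stealth Rule at the top.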

<End of the Document>


NAT

Defining Network Address Translation (NAT) via the network object automatically adds Rules to the Network Translation Rule Base. The Translation method can be either "Hide" or "Static".

The Global Properties section for NAT contains an option called "Automatic ARP configuration". Automatic ARP configuration ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway. You no longer have to manually add a route on a Security Gateway to ensure proper routing of Static NAT devices. In addition, there is no longer a need for manual ARP configuration via the local.arp file.

Configuring Hide NAT

In Hide NAT, a single public address is used to represent multiple computers on the internal network with private addresses. Hide NAT allows connections to be initiated only from the protected side of the Security Gateway that is protecting this object (Check Point, or Externally Managed Gateway or Host, Gateway node, or Host node).

Enabling Hide NAT on the network object will add the appropriate rule to the NAT Rule Base. Perform the following steps to enable Hide NAT for your internal network:

1. Login to SmartDashboard.


2. Create the network object for the internal network.

3. Define the following fields:

o Name

o Network Address

o Net Mask

o Comments

o Color

4. Select the NAT tab, and enable the option "Add Automatic Address Translation rules".

5. Select the Translation method "Hide".

6. Select "Hide behind gateway". This NAT configuration hides the real address behind the IP address of the Security Gateway interface, through which the packet is routed out.

7. Click 'OK'.

8. Install the Security Policy.

Configuring Static NAT

In Static NAT, each private address is translated to a corresponding public address. Static NAT allows machines on both sides of the Security Gateway, protecting this object (Check Point, or Externally Managed Gateway or Host, Gateway node, or Host node), to initiate connections, so that, for example, internal servers can be made available externally.

Static NAT is used for Web, email, and other application servers that require routable IP addresses. These servers will be routable to the Internet, but will also retain their internal IP addresses for internal access.

Perform the following steps to enable Static NAT for your Web or email server:

1. Login to SmartDashboard.

2. Create a Host Node object for the server.

3. Define the following fields:

o Name


o IP address

o Comment

o Color

4. Select the NAT tab, and enable "Add Automatic Address Translation rules".

5. Select the Translation method "Static".

6. Enter the desired IP address in the "Translate to IP address" field. The Translate to IP Address value for Static NAT is a virtual IP address, which is a public (routable) IP address that does not belong to any real machine.

7. Click 'OK'.

8. Install the Security Policy.
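The two automatic NAT methods above differ in who may open a connection: Hide NAT creates a translation only when a protected host initiates, so an unsolicited packet to the hide address has nowhere to go, while Static NAT is a fixed one-to-one mapping that works in both directions. The Python below is an added example, not code from this document or from Check Point: it models those two behaviours for the Internal_Network (Hide behind gateway) and Web_Server (Static) objects, plus the set of addresses the gateway must answer ARP for under Automatic ARP configuration. All addresses, including the gateway interface address and the "Translate to IP address" value, are constructed.

```python
# Added example (not Check Point code): a toy model of the two automatic NAT
# methods described above, Hide NAT for Internal_Network and Static NAT for
# Web_Server, and of which addresses the gateway must answer ARP for.
# All addresses are constructed (RFC 1918 and documentation ranges).
from ipaddress import ip_address, ip_network

GATEWAY_EXTERNAL_IP = "203.0.113.1"             # interface the packet is routed out through
HIDE_NETWORKS = [ip_network("10.1.0.0/16")]     # Internal_Network, "Hide behind gateway"
STATIC_MAP = {"10.2.0.10": "203.0.113.80"}      # Web_Server real IP -> "Translate to IP address"
STATIC_REVERSE = {public: real for real, public in STATIC_MAP.items()}


class NatTable:
    """Connection-level view of the translations the automatic rules produce.

    A real gateway keys hide sessions on the full 5-tuple; this model keys
    them on (hide address, hide port) only, which is enough to show why
    inbound connections to a hide address cannot be delivered.
    """

    def __init__(self, first_hide_port=10000):
        self.next_hide_port = first_hide_port
        self.hide_sessions = {}   # (hide ip, hide port) -> (real ip, real port)

    def outbound(self, src_ip, src_port):
        """Packet leaving the protected side: return the translated (ip, port)."""
        if src_ip in STATIC_MAP:                       # Static: 1:1, port untouched
            return STATIC_MAP[src_ip], src_port
        if any(ip_address(src_ip) in net for net in HIDE_NETWORKS):
            hide_port = self.next_hide_port            # Hide: many -> one, unique port per session
            self.next_hide_port += 1
            self.hide_sessions[(GATEWAY_EXTERNAL_IP, hide_port)] = (src_ip, src_port)
            return GATEWAY_EXTERNAL_IP, hide_port
        return src_ip, src_port                        # no automatic rule: untranslated

    def inbound(self, dst_ip, dst_port):
        """Packet arriving from outside: the real (ip, port), or None if undeliverable."""
        if dst_ip in STATIC_REVERSE:                   # Static: inbound connections work
            return STATIC_REVERSE[dst_ip], dst_port
        # Hide: only replies to a session the inside already opened
        return self.hide_sessions.get((dst_ip, dst_port))


def answers_arp_for(ip):
    """Automatic ARP configuration: the gateway answers for its own interface
    address and for every Static NAT virtual address, none of which belongs
    to a real machine on the external segment."""
    return ip == GATEWAY_EXTERNAL_IP or ip in STATIC_REVERSE


if __name__ == "__main__":
    nat = NatTable()
    print("LAN host out:", nat.outbound("10.1.5.20", 40000))          # hidden behind the gateway
    print("reply in:", nat.inbound("203.0.113.1", 10000))             # mapped back to the LAN host
    print("unsolicited in:", nat.inbound("203.0.113.1", 10001))       # None: nowhere to deliver
    print("web server out:", nat.outbound("10.2.0.10", 80))           # static, port unchanged
    print("client to web server:", nat.inbound("203.0.113.80", 80))   # reaches the real address
    for ip in ("203.0.113.1", "203.0.113.80", "203.0.113.99"):
        print("ARP for", ip, "answered:", answers_arp_for(ip))
```

The `answers_arp_for` helper is the reason the document can say no manual `local.arp` entry is needed: once the gateway claims the virtual address on the external segment, upstream routers deliver packets for it to the gateway, which then applies the static translation.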