The one caveat I would give with Bruce's advice is to first scour the Check Point Knowledgebase for "implied rules". You'll find several articles where certain services are included in implied rules but do not show up in the implied rules when you view them. I recall that many of them had to do with remote access.

Ray

From: Warrington Bruce - bwarri <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] FIREWALL SETTING
Date: Fri, 7 Jul 2006 11:40:43 -0500

I disable all implied rules, and code in explicitly what should be
allowed.  Implied rules are meant to get the firewall working with a
minimum of support calls to Checkpoint, since new firewall admins
wouldn't think to code those ports in, or don't know what's required,
and would lose connectivity to the enforcement points the first time
they push a policy without it.

There's nothing in the implied rules that can't be coded explicitly into
normal rules, but there are probably (depending on your situation) many
implied rules that open ports you don't need.  A classic audit problem
is a port scan from the internet showing Checkpoint ports responding on
the internet side of your firewall, when you have no reason to have them
open there (assuming you don't have to manage it from the internet
interface).

Code up the explicit rules you need ahead of your firewall stealth rule
in the policy, and turn off all implied rules.  You then have one place
to view / audit the entire security policy, and you're only allowing
what you need, to the management stations or other devices that are
required to have access.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Garner,
Annette K **BETH
Sent: Friday, July 07, 2006 10:58
To: [email protected]
Subject: [FW-1] FIREWALL SETTING

What is the normal setup for the firewall in "Accept Firewall-1 control
connections"? Is it better to have this enabled or disabled?

I am getting audited and just want to see what is the best practice.

Thanks

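Bruce's advice above (turn off implied rules, put the explicit management-access rules ahead of the stealth rule) as an added audit check over a simplified, constructed rulebase model. This is example code written for this page, not code from the thread or from Check Point; the policy dict, rule fields, the gateway object name `fw-gw` and the service labels are assumptions, not Check Point's export format.

```python
"""Audit a constructed, simplified FW-1 style rulebase for the two points in the
thread: implied rules disabled, and no explicit accept-to-gateway rule placed
after (and so shadowed by) the stealth rule.  Field names are an assumption."""
from dataclasses import dataclass

GATEWAY = "fw-gw"  # constructed object name for the enforcement point


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"


def is_stealth(rule: Rule) -> bool:
    # Stealth rule: drop anything, from anywhere, aimed at the gateway itself.
    return (rule.src == "any" and rule.dst == GATEWAY
            and rule.service == "any" and rule.action == "drop")


def audit(policy: dict) -> list[str]:
    findings = []
    if policy.get("implied_rules_enabled", True):
        findings.append("implied rules are enabled; disable them and code the needed ports explicitly")
    rules = policy["rules"]
    stealth_idx = next((i for i, r in enumerate(rules) if is_stealth(r)), None)
    if stealth_idx is None:
        findings.append("no stealth rule found")
        return findings
    for i, r in enumerate(rules):
        if r.dst == GATEWAY and r.action == "accept":
            if r.src == "any":
                findings.append(f"rule '{r.name}' accepts {r.service} to the gateway from any source")
            if i > stealth_idx:
                findings.append(f"rule '{r.name}' sits after the stealth rule and is shadowed")
    return findings


# Constructed sample: management access placed correctly, one shadowed rule, implied rules still on.
SAMPLE_POLICY = {
    "implied_rules_enabled": True,
    "rules": [
        Rule("mgmt-to-gw", "mgmt-station", GATEWAY, "fw-mgmt", "accept"),
        Rule("stealth", "any", GATEWAY, "any", "drop"),
        Rule("ssh-to-gw", "admin-net", GATEWAY, "ssh", "accept"),  # shadowed
        Rule("web-out", "internal", "any", "http", "accept"),
        Rule("cleanup", "any", "any", "any", "drop"),
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print("FINDING:", f)
```
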
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [EMAIL PROTECTED]
=================================================