Hi,
I currently manage a Checkpoint FW1/VPN1 cluster which I took over from someone else. The rulebase contains +/- 300 rules, a few hundred nodes, networks and groups.
I would like to reorganize everything and write a policy for management conventions in the future. This is to increase manageability in the future.
Could you guys post some tips on how you manage your rulebase?
- Nodes: What naming convention do you use? Is the segment in the name (DMZ, External, LAN, ...)?
- Groups: Naming convention? Segment? On what basis do you group? Is it acceptable to mix objects from different segments in one group?
- Colors: On what basis do you use colors? Do you use them anyway? Restrict to a few colors only?
- Rulebase: On what basis do you split up in sections? Per source segment/destination segment? How do you name your rules, or do you anyway?
- Other: What about VPN names, user groups, users, services, ...
Are there any best practices and/or documents about this topic from Checkpoint? Thanks for brainstorming with me! :)