replacing implicit rules with explicit ones

[justmcin]

I'm currently going through my rulebases and either removing the implicit rules, or replacing them with explicit ones. My question is what is the best way to replace a implicit object with a defined explicit object. For example, one implicit object is simply "FW1 Host", which isn't a actual object available for explicit rules. Would I just list every firewall object in an explicit rule to cover this?

Another good example is a implicit object of "ftp server". How could I create a explicit rule covering this if I don't have a list of ftp server IPs?

[stephan411]

Hallo,

why do you want to do this?

Best Regards
Stephan

[justmcin]

I don't want to do it at all, but I have to - just following orders from folks higher up the ladder. Regardless of why or how stupid it may be, I still have to do it. Any thoughts on the best, least painful way?

[Acidio]

Disabling the implied rules and explicitly defining only what is required is good security practice in my view. It does however require a good understanding of your Check Point infrastructure. Some of the implied rules you may not need. You'll need to go through step by step and indentify what breaks as a result of the changes. Obviously this is a 'brute force' approach, so doing it this way will require careful consideration.

[justmcin]

Is there a way in Checkpoint 4.0 to log the implicit rules? I know its an option in 4.1 and above.

[chillyjim]

Quote:

Originally Posted by justmcin

Is there a way in Checkpoint 4.0 to log the implicit rules? I know its an option in 4.1 and above.

I don't remember there being any way to.

You do know that 4.0 & 4.1 for that matter are past end-of-support? NG is the oldest that is supported at this point (FCS-FP3 go off support in June).

[justmcin]

Yeah I know 4.0 is EOL, but odds are we're stuck with 4.0 on a few legacy firewalls for a while.

[Acidio]

There probably is a way, however it's most likely buried in a config file somewhere. The only other way to do it would be to define the rules manually and disabled the implied rules.

Have just had a look through a 4.0 CCSA training manual and there was no mention of a way to log the implied rules.

[justmcin]

Quote:

Originally Posted by Acidio

The only other way to do it would be to define the rules manually and disabled the implied rules.

That would work for me, but my question is what is the best way to do that? In implied rules there are some pretty broad objects automatically created that aren't available for use in an explicit rule.