CPUG - The Check Point User Group
Hi,

Does anyone know where you can get information on this? For security it is recommended to switch off implied rules and have explicit rules for the services you require. I tried this and lost connectivity to my FWs because of the CPD service, even though I had a rule to allow it. I had to unloadlocal and reinstall the old rulebase with implied rules switched on. Does anyone know the correct process to remove implied rules and still have the same connectivity? Seeing as it is recommended, it's hard to find any information about it.

Many thanks,
HH
__________________
Fishing for a clue on exactly what to do....

I think that you have to see all the implied rules and decide what you need. For example, you must specify all the rules for the Check Point communication (source: module, mgmt; dest: module, mgmt; service: fw1, cpd, ...) and all the others that you need (you can look at the description of the FW1 service to decide if you need that service).

maurox

Maurox,

Thanks for that. We had logged rule 0 for some time to see what was required, then we compiled a rulebase with all those services. The issue was that when we removed the implied rules and loaded the policy, it failed on the CPD service: we had a rule to allow it, but it was being dropped on a rule further down the rulebase? This was very confusing. Does it matter what the order of the explicit rules would be to cover the implied rules we removed? Our rule 6 was the one allowing the FW1 services we required from our manager to the enforcement modules, yet it wasn't being used....? Do we need to load the new policy with the explicit rules while the implied rules are ON, then switch off the implied rules and reload the policies? I need to get this right as we had a short outage last time while I recovered.

Many thanks,
HH
__________________
Fishing for a clue on exactly what to do....

For me the best solution is to write all the implicit rules as explicit rules (with log), and after that, from the log, you can see which rules you can delete. For example, if you see that everything works after some days, and after some tests with VPN, authentication and all the other services that you normally use, you can see in the log which rules are not used and you can delete them.

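The approach Maurox describes above (write the implied rules as explicit logged rules, then prune by what the log shows) and HH's question about rule order, as an added example that is not from the thread or from Check Point: a small Python simulation of top-down first-match rule evaluation, plus a counter over constructed, simplified log lines that reports accept rules with no hits. The rule numbers, object names, service names and the log line format are assumptions for illustration, not Check Point's real objects or log format.

```python
"""Added example (not from the thread): simulate first-match rule evaluation
and count rule hits from a constructed, simplified log to find unused rules.
Rule numbers, object names, services and the log format are assumptions."""
from collections import Counter
import re

# Constructed explicit rulebase standing in for the implied rules (assumed objects).
# Each rule: number, source set, destination set, service set, action. "Any" matches all.
RULEBASE = [
    {"no": 1, "src": {"mgmt"}, "dst": {"fw-a", "fw-b"}, "svc": {"FW1", "CPD", "FW1_ica_pull"}, "action": "accept"},
    {"no": 2, "src": {"fw-a", "fw-b"}, "dst": {"mgmt"}, "svc": {"FW1_log", "CPD"}, "action": "accept"},
    {"no": 3, "src": {"vpn-peer"}, "dst": {"fw-a"}, "svc": {"IKE"}, "action": "accept"},
    {"no": 4, "src": {"radius"}, "dst": {"mgmt"}, "svc": {"RADIUS"}, "action": "accept"},
    {"no": 5, "src": {"Any"}, "dst": {"fw-a", "fw-b", "mgmt"}, "svc": {"Any"}, "action": "drop"},  # stealth rule
    {"no": 6, "src": {"Any"}, "dst": {"Any"}, "svc": {"Any"}, "action": "drop"},  # cleanup rule
]


def _matches(field, value):
    return "Any" in field or value in field


def first_match(rulebase, src, dst, svc):
    """Return the first rule (top-down) matching the connection; order decides the outcome."""
    for rule in rulebase:
        if _matches(rule["src"], src) and _matches(rule["dst"], dst) and _matches(rule["svc"], svc):
            return rule
    return None


# Constructed simplified log (assumed format): "<time> rule=<n> src=<x> dst=<y> svc=<z> action=<a>"
SAMPLE_LOG = """\
10:00:01 rule=1 src=mgmt dst=fw-a svc=CPD action=accept
10:00:02 rule=2 src=fw-a dst=mgmt svc=FW1_log action=accept
10:00:03 rule=1 src=mgmt dst=fw-b svc=FW1 action=accept
10:00:04 rule=6 src=10.9.9.9 dst=10.1.1.1 svc=http action=drop
10:00:05 rule=3 src=vpn-peer dst=fw-a svc=IKE action=accept
"""

LOG_RE = re.compile(r"rule=(\d+)")


def rule_hits(log_text):
    """Count log entries per rule number (rules absent from the log count as 0)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[int(m.group(1))] += 1
    return hits


def unused_rules(rulebase, hits, keep=()):
    """Accept rules with zero hits, excluding `keep`: rarely used rules (VPN, authentication)
    that must be exercised by a test before deciding, as the thread advises."""
    return [r["no"] for r in rulebase
            if r["action"] == "accept" and hits[r["no"]] == 0 and r["no"] not in keep]


if __name__ == "__main__":
    # Management-to-module CPD/FW1 must hit the accept rule before the stealth rule.
    for svc in ("CPD", "FW1"):
        r = first_match(RULEBASE, "mgmt", "fw-a", svc)
        print(f"mgmt -> fw-a {svc}: rule {r['no']} ({r['action']})")
    # Ordering mistake: stealth rule placed above the management rule drops CPD.
    misordered = [RULEBASE[4]] + RULEBASE[:4] + [RULEBASE[5]]
    r = first_match(misordered, "mgmt", "fw-a", "CPD")
    print(f"with stealth rule first: rule {r['no']} ({r['action']})")
    hits = rule_hits(SAMPLE_LOG)
    print("candidates for removal:", unused_rules(RULEBASE, hits, keep={3, 4}))
```

Run it as-is to see the first-match outcome for the management-to-module services and the list of quiet accept rules; swap the constructed log for a real export (after adapting `LOG_RE`) and extend `keep` with any rule whose traffic only appears during VPN or authentication tests.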
Maurox,

Yes, that is also a good way of trying it. This is an inherited rulebase so I have to be very careful with any changes I make. If I am allowed to do this I will try it out.

Thanks,
HH
__________________
Fishing for a clue on exactly what to do....