CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Guidelines for firewall policies

  1. #1
    Join Date
    2014-11-21
    Location
    Frankfurt
    Posts
    2
    Rep Power
    0

    Guidelines for firewall policies

    Hello all,

    I am about to write a guideline for my organisation, a standard how to organize a ruleset by defining some points as
    - when to group objects, be it network or service objects
    - by number of objects in group and
    - logical reasons
    - what colors to use
    - when to split rules, when to combine rules
    - naming of new services, what colors
    - how to write a proper comment
    - use of section titles
    ...
    and so on, this sort of stuff.

    The reason is to have a similar look of the policies on about 15 Gateways so
    that all engineers have the same basis on all gateways and also troubleshooting
    would be easier.

    I was wondering if somebody already wrote a document like this which I could maybe use as
    a template. It is clear that this guideline is highly dependent on the organisation that it is
    designed for, but the structure could be helpful, also for not to forget important things.

    TIA

    bigfrog
    Last edited by bigfrog; 2014-11-24 at 06:26. Reason: typo

  2. #2
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Re: Guidelines for firewall policies

    Hello.

    There is no such document in Check Point's repository. The biggest reason being that in the end, it is entirely up to you and your organization. I have a variety of usages in these regards, and while some seem rather clear to me, others seem rather chaotic (but it seems to work for them). The Firewall Admin Guide (for any version) has the closest things we have to suggestions in these regards.

    In the end, it is far more important that any such document be adhered to and enforced... I have issues where such a document, while it existed, was not adhered to and caused far more confusion than necessary.

  3. #3
    Join Date
    2007-07-12
    Posts
    143
    Rep Power
    14

    Re: Guidelines for firewall policies

    I wrote mine from scratch based on a number of years of experience. To give you some clues:

    - when to group objects, be it network or service objects
    more than 2 similar things exist and are likely to be used in more than 1 place.

    - by number of objects in group and
    as many as you need. add groups into groups if it helps you to organise eg: All-Servers group contains Windows-Servers and Linux-Servers groups which contain individual servers

    - logical reasons
    whatever makes sense in your organisation

    - what colors to use
    something like black or blue for internal, red for external, green or orange for DMZ, yellow for test, pink for check point things

    - when to split rules, when to combine rules
    rules should not be reflexive (object shouldn't appear in source and destination), split them instead. split based on application or business owner or protocol or whatever makes sense in your organisation

    - naming of new services, what colors
    check point have colours all over the shop so I don't bother, stick with a naming convention for new services

    - how to write a proper comment
    Rule Purpose, Business Owner, Last Updated

    - use of section titles
    Logical grouping of rules however makes sense in your organisation. I tend to do things like Inbound, Outbound, DMZ-DMZ, Management (ie non-revenue traffic), project-specific, restricted access, public access

    hope this helps.
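
Added example, not part of the post above or of any Check Point tooling: a small linter that checks three of the conventions from that post (no reflexive rules, a comment carrying purpose, owner and last-updated, and a section title on every rule). The rule and group layout, the object names and the `Purpose: ...; Owner: ...; Updated: YYYY-MM-DD` comment format are assumptions made for illustration, and the reflexive check goes one step further than the post by resolving nested groups.

```python
import re
from datetime import date
# Constructed sample data. The dict layout is hypothetical, not a Check Point export format.
GROUPS = {"All-Servers": ["Windows-Servers", "Linux-Servers"],
          "Windows-Servers": ["srv-ad01"],
          "Linux-Servers": ["srv-db01", "srv-web01"]}
RULEBASE = [
    {"name": "web-in", "section": "Inbound", "src": ["Any"], "dst": ["srv-web01"],
     "comment": "Purpose: public web access; Owner: E-Commerce; Updated: 2014-11-20"},
    {"name": "srv-sync", "section": "DMZ-DMZ", "src": ["All-Servers"],
     "dst": ["Linux-Servers"], "comment": "sync"},
    {"name": "mgmt-ssh", "section": "", "src": ["Admin-Net"], "dst": ["All-Servers"],
     "comment": "Purpose: admin access; Owner: IT Ops; Updated: 2014-13-40"},
]
# Assumed comment layout carrying the three fields named in the post.
COMMENT_RE = re.compile(r"^Purpose:\s*\S.*;\s*Owner:\s*\S.*;\s*Updated:\s*(\d{4}-\d{2}-\d{2})$")

def expand(name, groups, seen=None):
    """Resolve a (possibly nested) group to its leaf objects; tolerates group cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in groups:
        return {name}
    return set().union(*(expand(m, groups, seen) for m in groups[name]))

def comment_ok(comment):
    match = COMMENT_RE.match(comment or "")
    try:
        return bool(match) and bool(date.fromisoformat(match.group(1)))
    except ValueError:  # well-formed but impossible date, e.g. 2014-13-40
        return False

def lint(rulebase, groups):
    """Return (rule name, check, detail) for every convention a rule breaks."""
    findings = []
    for rule in rulebase:
        src = set().union(*(expand(o, groups) for o in rule["src"]))
        dst = set().union(*(expand(o, groups) for o in rule["dst"]))
        if src & dst:  # same object reachable from both columns: split the rule
            findings.append((rule["name"], "reflexive", sorted(src & dst)))
        if not comment_ok(rule.get("comment")):
            findings.append((rule["name"], "comment", "need Purpose, Owner, Updated"))
        if not rule.get("section"):
            findings.append((rule["name"], "section", "rule is not under a section title"))
    return findings

if __name__ == "__main__":
    print(*lint(RULEBASE, GROUPS), sep="\n")
```

Run across the rulebases of all gateways, a check like this is one way to keep a written guideline enforced rather than merely documented.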

  4. #4
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Re: Guidelines for firewall policies

    Any attempt or version of this document would be nice to share.

  5. #5
    Join Date
    2014-11-21
    Location
    Frankfurt
    Posts
    2
    Rep Power
    0

    Re: Guidelines for firewall policies

    Thank you so far for your ideas and hints.
    I already started to write from scratch as marklar, but in a structured manner as this shall be a document for all engineers and technicians in the organisation working with the Checkpoint gateways. Many details of it will be matter of discussion of course but in the end there will be a guideline for all.

    I think I can share it if you are interested.

    Greets

    bigfrog

    P.S. Sorry, this thread should have been placed in the 'Best Practise' sub forum
