Level: Intermediate
Platform: Check Point R61, R62, UTM, VPN-1, Nokia IP60, Nokia IP260, Nokia IP290, Nokia IP390, Nokia IP560, Nokia IP690, Nokia IP1220, Nokia IP1260, Nokia IP1280, Nokia IP2255, Nokia IP2450
Reference: Checkpoint.com
Author: Dinesh Aggarwal
Here we are going to discuss some best practices to follow when creating a rulebase in a Check Point firewall. By following these best practices you can expect better performance and easier management from the firewall. Let's start by identifying the general best practices for building a powerful rulebase.
Best practices for good Rulebase
1) The firewall rulebase should be as simple as possible. The fewer rules you have, the more efficient and less error prone the rulebase will be.
2) Avoid using "Any" in the service field.
3) Use a network object instead of many workstation node objects.
4) Use groups to gather source, destination or services.
5) Anti spoofing should be configured for all the firewall interfaces.
6) Place the most commonly accessed rules on top of the rulebase. This will improve performance and make the firewall more efficient. Firewall-1 searches the rulebase in sequential order. The first rule matching a connection is applied, not the rule that matches best.
7) Use good naming conventions to represent network objects (hostname_ip address is a good naming scheme) and services.
8) Implement the "Stealth rule" to block and track connection attempts to the firewall module.
9) Prefer "Reject" to "Drop" for some services. Services such as "ident" should be rejected to allow better application performance.
10) Implement the "Cleanup" rule at the bottom of the rulebase to block and log all traffic. Firewall-1 by default does not log traffic that is dropped. By having the "Cleanup" rule, logging can be turned on for blocked connections.
Note: When a Drop action is taken, the sender is not notified. The following table describes what happens when a Reject action is taken.

Difference between Reject and Drop

| Protocol | Behaviour on Reject |
|---|---|
| TCP | The sender is notified. |
| UDP | An ICMP port unreachable error is sent to the sender. |
| Other | Same as Drop. |
11) Do NOT use the domain object in the rulebase. Domain objects may cause performance bottlenecks.
12) To avoid being flooded by logs of broadcast traffic such as bootp and NBT, create a rule that drops those packets without logging. Ident is a service used by the SMTP protocol to try to identify the mail client; by rejecting the service rather than dropping it, the SMTP application gains performance because it does not have to wait for the ident connection to time out.
13) Disable the "Decrypt on accept" property if you are not using VPN.
That's it; these are the basic rules for managing an effective rulebase in Check Point.
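As an added illustration (not Check Point code), the following Python evaluator models the behaviour the rules above rely on: the sequential first-match search, a Stealth rule, an unlogged broadcast rule, a logging Cleanup rule, and the Reject-versus-Drop responses from the table. The rulebase, addresses and port numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"  # wildcard; the text advises against using it in the Service column

@dataclass
class Rule:
    name: str
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    service: str       # "proto/port", "proto" (any port) or "any"
    action: str        # "accept", "drop" or "reject"
    log: bool = True

def _net_match(field: str, ip: str) -> bool:
    return field == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(field)

def _svc_match(field: str, proto: str, port: Optional[int]) -> bool:
    if field == ANY:
        return True
    fproto, _, fport = field.partition("/")
    return fproto == proto and (fport == "" or port == int(fport))

def reject_response(proto: str) -> str:
    """What the sender sees on Reject, per the table above (Drop is always silent)."""
    if proto == "tcp":
        return "tcp-reset"               # the sender is notified
    if proto == "udp":
        return "icmp-port-unreachable"   # ICMP port unreachable to the sender
    return "none"                        # other protocols: same as Drop

def evaluate(rules, src, dst, proto, port=None):
    """Sequential first-match search: the first matching rule wins, not the best fit."""
    for r in rules:
        if _net_match(r.src, src) and _net_match(r.dst, dst) and _svc_match(r.service, proto, port):
            response = reject_response(proto) if r.action == "reject" else "none"
            return {"rule": r.name, "action": r.action, "log": r.log, "response": response}
    raise RuntimeError("no rule matched: the rulebase lacks a Cleanup rule")

FW_IP = "203.0.113.1"  # constructed addresses from the RFC 5737 documentation ranges
RULEBASE = [
    Rule("noise",   ANY, ANY, "udp/137", "drop", log=False),       # NBT broadcasts, unlogged
    Rule("stealth", ANY, FW_IP + "/32", ANY, "drop"),              # protect the firewall module
    Rule("ident",   ANY, "198.51.100.0/24", "tcp/113", "reject"),  # reject so SMTP need not wait
    Rule("smtp",    ANY, "198.51.100.0/24", "tcp/25", "accept"),
    Rule("cleanup", ANY, ANY, ANY, "drop"),                        # block and log everything else
]
```

Moving the Cleanup rule to the top shadows every rule beneath it, which is the practical consequence of first-match evaluation.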