This article shows how to use SmartConsole to create and manage security policies on Check Point firewall devices.
– There are four types of security policies:
- Access Control: Firewall, Application Control & URL Filtering, Content Awareness, and Mobile Access Software Blades.
- Threat Prevention: IPS, Anti-Virus, Threat Emulation, and Threat Extraction Software Blades.
- Desktop Security: not enabled by default and only relevant for Remote Access VPN clients.
- QoS: only relevant if the QoS blade is enabled.
– This section covers only Access Control. The Access Control policy is the primary security policy; it must be installed on the Security Gateway before other security policies such as Threat Prevention and Desktop Security. An Access Control policy can include multiple Software Blades: Firewall, Application Control, Identity Awareness, and Content Awareness.
– In this article, we only cover the Firewall blade. Before setting up the Access Control security policy, we perform the following steps:
- Configure Anti-Spoofing and Security Zones for the Security Gateway’s network interfaces.
- Create network objects for the components in the system: Networks, Hosts, Servers, Groups, etc.
- Create the Access Control Security Policy rules.
1. Anti-Spoofing and Security Zones:
– Double-click the Security Gateway in SmartConsole and select the Network Management tab. Currently there are three interfaces: eth0, eth1, and eth2.
– Double-click eth0, select Modify, and set it up as shown below.
– Select OK, then set up eth1 as shown below.
– Select OK, then set up eth2 as shown below.
2. Network objects:
– Objects are managed through the Objects panel on the right side of the SmartConsole window.
– We will create a network object called LanNetwork: in the Objects panel, select New > Network.
– In the window that opens, set the object name (LanNetwork), IP address and mask.
– The NAT (Network Address Translation) section is left unconfigured for now.
– Similarly, create the Host object DMZ-Srv (172.16.20.100) by choosing New > Host. You can change the object’s colour in the upper left corner.
3. Create the Access Control Policy:
– Go to Security Policies > Access Control > Policy. Currently there is only one rule, the Cleanup rule (Any > Any > Drop), which sits at the bottom of the policy table so that every connection not matched by the rules above it is dropped. In the Track column, select Log for the Cleanup rule.
– Add a new access rule by selecting the Add Rule Above icon.
– This rule allows HTTPS and SSH access from the LAN to the Security Gateway and the SMS.
– Enter “Mgmt” in the Name field, select the LanNetwork object as Source, add SMS and SG as Destination, and finally add HTTPS and SSH in Services & Applications.
– Change Action to Accept and set Track to Log. Once created, the rule looks like the image below.
– To protect the security system from unauthorised access, we create a Stealth rule. Right-click the Mgmt rule and choose New Rule > Below.
– Create the new rule as follows:
- Name: Stealth
- Source: Any
- Destination: SMS, G.W
- Services & Applications: Any
- Action: Drop
- Track: Log
– After creating it, we get something like the image below.
– To avoid logging unnecessary services, we create a Trash rule below the Stealth rule, with Any for both Source and Destination and the udp-high-ports, bootp, NBT, and rip services in Services & Applications. To avoid logging, leave Track set to None, the default.
– Below the Trash rule, add a rule named Internet for the local networks. Put http, https, ftp, and dns in Services & Applications. After creating it, we get something like the image below.
– Finally, create a rule that allows access from LanNetwork to DMZ-Srv with Any service.
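The rulebase built above is evaluated top to bottom, first match wins, so the position of each rule decides what is accepted, what is dropped, and what is logged. As an added illustration (not part of the original article or of Check Point’s software), the following Python script models that rulebase and evaluates sample connections against it; the LanNetwork, SMS and SG addresses are assumed values, since the article only gives DMZ-Srv, and the Internet rule is assumed to use LanNetwork as Source and Any as Destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses: the article only gives DMZ-Srv (172.16.20.100);
# LanNetwork, SMS and SG are assumed values for this demonstration.
OBJECTS = {
    "LanNetwork": ip_network("192.168.10.0/24"),
    "SMS": ip_network("192.168.10.5/32"),
    "SG": ip_network("192.168.10.1/32"),
    "DMZ-Srv": ip_network("172.16.20.100/32"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[frozenset]   # None means Any
    dst: Optional[frozenset]
    svc: Optional[frozenset]
    action: str
    log: bool                  # Track = Log (True) or None (False)

# The rulebase in the order the article builds it, top to bottom.
RULEBASE = [
    Rule("Mgmt", frozenset({"LanNetwork"}), frozenset({"SMS", "SG"}),
         frozenset({"https", "ssh"}), "Accept", True),
    Rule("Stealth", None, frozenset({"SMS", "SG"}), None, "Drop", True),
    Rule("Trash", None, None, frozenset({"udp-high-ports", "bootp", "NBT", "rip"}),
         "Drop", False),
    Rule("Internet", frozenset({"LanNetwork"}), None,
         frozenset({"http", "https", "ftp", "dns"}), "Accept", True),
    Rule("DMZ Access", frozenset({"LanNetwork"}), frozenset({"DMZ-Srv"}), None, "Accept", True),
    Rule("Cleanup", None, None, None, "Drop", True),
]

def _in(ip: str, names: Optional[frozenset]) -> bool:
    # Any (None) always matches; otherwise the address must fall in one of the objects.
    return names is None or any(ip_address(ip) in OBJECTS[n] for n in names)

def match(rulebase, src: str, dst: str, svc: str):
    """First-match evaluation: return (rule name, action, logged)."""
    for r in rulebase:
        if _in(src, r.src) and _in(dst, r.dst) and (r.svc is None or svc in r.svc):
            return r.name, r.action, r.log
    raise ValueError("no rule matched; keep an explicit Cleanup rule last")

def stealth_above_mgmt():
    """Ordering mistake: with Stealth above Mgmt, admin HTTPS to the gateway is dropped."""
    swapped = [RULEBASE[1], RULEBASE[0]] + RULEBASE[2:]
    return match(swapped, "192.168.10.50", "192.168.10.1", "https")
```

A bootp request from outside is dropped silently by the Trash rule, whereas an unmatched HTTPS connection to DMZ-Srv falls through to the logged Cleanup rule.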
– The R80.x Security Management Server allows multiple administrators to make changes in parallel. To make your changes visible to other administrators, you need to publish them by clicking Publish at the top of the SmartConsole window.
– Next we apply the security policy: select Install Policy in the upper left corner of the SmartConsole window.
– A window appears showing the number of configuration changes made by the admin account. Select Publish & Install.
– After the changes are published, the Install Policy window appears; uncheck Threat Prevention and click Install.
– The policy installation progress is shown in the lower left corner of the SmartConsole window.
– When the installation is complete, you will see a success message.
– The Lab User PC can then reach DMZ-Srv over HTTP and ping it.
– Select the DMZ Access rule in SmartConsole and open the Logs tab. You will see the access logs for this rule.
– We cannot yet access the internet because NAT has not been configured; that is done in the next section.
Thank you for following the article!