In this module, we're going to discuss policy: create and install. By the end of this training, you'll be able to create a security policy, add Check Point best-practice rules and use an inline layer.

The initial policy, which we saw in the previous module, operates by adding the predefined implied rules to the default filter. These implied rules forbid most communication, yet allow the communication needed for the installation of the security policy. So if we have our gateway right after we have reset SIC, we have this initial policy. The initial policy will allow SSH traffic to the gateway, HTTPS traffic to the gateway and SIC traffic, meaning you'll be able to establish SIC with it. But if you try to ping the gateway, that traffic will be dropped. So the initial policy is everything you need to do the initial configuration, for example SSH to configure an interface or a route, or the WebUI, and to establish SIC. You won't have a proper Internet connection, not for the gateway itself but for your local area network: hosts won't be able to pass through the gateway to the Internet.

We know that the gateway holds a policy. The policy components are source (where you're coming from), destination (where you're going to), the service (FTP, HTTP and so on) and the action. In a basic firewall those services are protocols such as, as I mentioned, FTP, HTTP, SSH and so on. But if you add additional Software Blades, the service can be an application, which can be really cool. And of course the action: are we going to accept this traffic, or maybe drop it?

Check Point recommends a set of best-practice rules for your firewall. You don't have to add those rules, but we highly recommend that you do. The first rule is what we call the management rule. This management rule basically says that as long as you're coming from your own computer, the admin machine, which is an object that represents your station,
and as long as the destination is the actual gateway that you have, on these services, this traffic will be accepted and logged, so you'll know that it happened. Basically this rule means that only you will be able to manage your gateway on these services. If anyone else tries to access the gateway, they will hit the stealth rule. The stealth rule says that any source coming to the gateway on any service will be dropped, and of course logged. This is the second rule. So if your traffic is going to hit the gateway coming from the admin machine, that's rule number one; it's at the top of the rule base, and in our rule base we go by first match. So if you're coming from this box you'll be fine; anyone else will be dropped.

A noise rule is any rule you create that will either drop or accept certain traffic quietly, because you're not going to get logs for it. Logs are precious: you want to know what happened within your organization. NetBIOS is something we're going to drop anyway, and I don't want to waste a log on it, so I'm not going to log it. I don't want to waste that storage.

Next is what I call the "yada yada yada" traffic: any traffic the organization allows or forbids. For example, DNS is something you want to have. So I'm saying all DNS from any source to any destination, on the DNS services, I'm going to accept, and in my case I don't want to log it. If I have a DMZ, I can say that my PCs can access this Linux box over HTTP: accept, and of course keep track. If, however, the Linux machine in the DMZ tries to access my internal network on any service, I'm going to drop it. And finally, I can say that the DMZ and my internal network can access any other destination over the HTTP proxy services: accept, no problem. In this case I don't have HTTPS; maybe all of my services are HTTP, but this is just this use case.
Finally, the cleanup rule. The cleanup rule is the last rule in the rule base and is used to drop and log explicitly unmatched traffic. So if we see it all together: any traffic that I haven't specified will be matched here and will be dropped. We take no chances; the default is security.

As we discussed, the action can be either accept or drop, right? That's the default thing we know. There's a cool thing called an inline layer, and an inline layer does something amazing: instead of the action being accept or drop, the action is going to be another set of rules. It's just like when you're playing a game and you've reached the final boss and you think you've won, but then there's another boss and you have to beat that one as well. So we can see in this example how the actions are accept or drop: accept, accept, accept. But in some cases there's another layer. And if you expand it, like so, this is rule number four and these are the four-dot-something rules. So all of these nine rules are part of an inline layer. If traffic arrives, only if it matches this parent rule will the gateway go ahead and look for matches inside the layer. So inline layers can really give you better performance, because the gateway can skip all of these rules and doesn't have to evaluate them looking for a match if there's no match on the parent. It's really cool and really widely used.

In order to demonstrate it, you'll need access to SmartConsole, and you need to know what your organization needs, or what limitations you want to have within your office. For this demo, I'm going to work from my admin machine. I'm going to open a SmartConsole connection to my management, and once I have my policy I'm going to push it to the gateway. In a previous module we used PuTTY to open an SSH session to our gateway. Now if I try to re-initiate it, nothing's going to happen.
This traffic is being blocked because my gateway no longer has the initial policy; it has my own policy, which is going to be an any-any drop. So it even drops that precious SSH traffic. So I'm going to go ahead and create my own policy. In order to do that, I need to represent my organization here. How? By creating objects.

I'm going to start by creating a host object to represent my admin machine. The host name itself is important, but the most important field here is the actual IP address. So now if I go to network objects, I can see the host category. I'm going to create another host to represent my AD server. I can change the color: maybe blue means servers in my organization, maybe red means printers, it's up to you.

Next I'm going to create networks. Now I'm going to do something that's really recommended, and that is to enable NAT through the object itself: hide behind the gateway. Earlier I enabled NAT on the gateway object itself, like so, which would work, but it's not recommended, because it doesn't give you visibility or control over which networks are going to be translated. So I'm going to uncheck it and do it by the book. Now I'm going to create another network object. When you do this, it's really important to have your topology in front of you, so you know which objects you need in your organization. This is not my DMZ, this is going to be just my internal network, because in this topology I don't have a DMZ, so I'm good. And again, I'm going to enable NAT. And I've successfully created the objects. Now I need to put them in my policy.

Now, something just happened that is a nice safety net, but I prefer to modify it. By default, when you add a new rule, the source, destination and service are going to be None. Which is good, it's useful, but I'd rather change it.
So I'm going to delete this rule and go to Manage & Settings, Policy settings, and I can see the default cell values. I'm going to change them to Any and go back. Now, in order for this to take effect, I need to publish the changes. This publishes the changes on the management, so when I create a new rule it's going to use those new settings.

There you go, so this is my management rule, and I can drag and drop, which is really nice. Next is the stealth rule. Then my noise-cancellation rule. Then LDAP traffic, so I'm going to add my management network and my AD server. And finally my Internet connectivity. In my organization I don't have a proxy, so I don't need those services; just HTTP and HTTPS and I'm good to go. I can go ahead and install this policy.

Now I'll go back to PuTTY and try to restart the session. It works, because now my IP address is here, in the management rule. So I'm allowed to HTTPS, SSH or ICMP to my gateway, but if anyone else tries to do that, it will fail and be dropped on the stealth rule.

Next I want to create an inline layer. To do that, let's say I have a DMZ network. I'm going to create a rule that specifically matches traffic from the DMZ, and I'm going to place this rule here. So as long as the source is the DMZ network, the action is not going to be accept or drop; it's going to be an inline layer. I can select which blades will be enabled, but for now we're staying with the firewall. The layer's cleanup is going to remain any-any drop; I'm going to enable logging on it in a moment, but first I'm going to create the next rule. If the source is the DMZ and the destination is any of my internal networks, we're going to drop it, because I don't want my DMZ network to access those internal networks directly. However, if the DMZ is accessing anything else, like the Internet, this is allowed; I'm OK with that. Anything else will be dropped. Even though in this case, for 6.2 and 6.3, I don't see any logging.
You know what, I'll make it more secure; well, not more secure, but more visible, so I'll know exactly what's going on. So, for example, if someone from the DMZ tried to FTP or SSH to my gateway, that's actually already dropped by the stealth rule, not here; what this inline layer protects is my management and internal networks. And now I have an inline layer as well. I'm going to install this policy, and we're done. We have a security policy with rules, best-practice ones, and an inline layer. Thank you for watching, and I'll see you in the next video.
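To make the first-match and inline-layer behaviour concrete, here is an added worked example: a small Python simulator of the rule base built in this module. It is not Check Point code and not part of the original video; the object names, IP addresses, service definitions and exact rule order are assumptions modelled on the demo (management, stealth, noise, LDAP, Internet, a DMZ inline layer with its own cleanup, and the final cleanup rule). It also shows what goes wrong when the stealth rule is placed above the management rule.

```python
"""Toy first-match rule-base evaluator with inline layers (added example, not Check Point code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "Any"

# Constructed network objects; names and addresses are assumptions for this example.
OBJECTS = {
    "AdminPC":      ip_network("10.10.10.50/32"),
    "AD_Server":    ip_network("10.10.10.20/32"),
    "GW":           ip_network("10.10.10.1/32"),
    "Mgmt_Net":     ip_network("10.10.10.0/24"),
    "Internal_Net": ip_network("10.20.0.0/16"),
    "DMZ_Net":      ip_network("192.168.100.0/24"),
}
# Service name -> (protocol, destination port); None port means "any port / no port".
SERVICES = {
    "ssh": ("tcp", 22), "https": ("tcp", 443), "http": ("tcp", 80),
    "ldap": ("tcp", 389), "ftp": ("tcp", 21), "icmp": ("icmp", None),
    "nbname": ("udp", 137), "nbdatagram": ("udp", 138), "nbsession": ("tcp", 139),
}


@dataclass
class Rule:
    name: str
    src: object            # tuple of object names, or ANY
    dst: object
    svc: object            # tuple of service names, or ANY
    action: str            # "accept", "drop" or "inline"
    log: bool = True
    layer: list = field(default_factory=list)  # child rules when action == "inline"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _addr_match(objs, ip):
    return objs == ANY or any(ip_address(ip) in OBJECTS[o] for o in objs)


def _svc_match(svcs, pkt):
    if svcs == ANY:
        return True
    for s in svcs:
        proto, port = SERVICES[s]
        if proto == pkt.proto and (port is None or port == pkt.dport):
            return True
    return False


def _rule_match(rule, pkt):
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and _svc_match(rule.svc, pkt))


def evaluate(rules, pkt, prefix=""):
    """First match wins. Returns (action, "<number> <rule name>", logged).

    An inline layer is only entered when its parent rule matches; inside it, first
    match wins again and the layer ends in an implicit drop if nothing matches.
    The top layer likewise ends in an implicit drop (the demo adds an explicit,
    logged cleanup rule so that this fallback is never reached silently).
    """
    for i, rule in enumerate(rules, 1):
        rid = f"{prefix}{i}"
        if not _rule_match(rule, pkt):
            continue
        if rule.action == "inline":
            return evaluate(rule.layer, pkt, prefix=rid + ".")
        return rule.action, f"{rid} {rule.name}", rule.log
    return "drop", f"{prefix}implicit cleanup", False


def best_practice_rulebase():
    """The rule base from the demo, in the order the video builds it (order is an assumption)."""
    dmz_layer = [
        Rule("DMZ to internal", ("DMZ_Net",), ("Internal_Net", "Mgmt_Net"), ANY, "drop"),
        Rule("DMZ to Internet", ("DMZ_Net",), ANY, ("http", "https"), "accept"),
        Rule("DMZ cleanup", ANY, ANY, ANY, "drop"),          # logged, as fixed at the end of the demo
    ]
    return [
        Rule("Management", ("AdminPC",), ("GW",), ("ssh", "https", "icmp"), "accept"),
        Rule("Stealth", ANY, ("GW",), ANY, "drop"),
        Rule("Noise", ANY, ANY, ("nbname", "nbdatagram", "nbsession"), "drop", log=False),
        Rule("LDAP", ("Mgmt_Net",), ("AD_Server",), ("ldap",), "accept"),
        Rule("Internet", ("Mgmt_Net", "Internal_Net"), ANY, ("http", "https"), "accept"),
        Rule("DMZ", ("DMZ_Net",), ANY, ANY, "inline", layer=dmz_layer),
        Rule("Cleanup", ANY, ANY, ANY, "drop"),
    ]


def misordered(rules):
    """Same rules with stealth above management: first match now locks the admin out."""
    r = list(rules)
    r[0], r[1] = r[1], r[0]
    return r


if __name__ == "__main__":
    rb = best_practice_rulebase()
    for pkt in (Packet("10.10.10.50", "10.10.10.1", "tcp", 22),      # admin SSH to gateway
                Packet("10.20.1.7", "10.10.10.1", "tcp", 22),        # someone else SSH to gateway
                Packet("192.168.100.5", "10.20.1.7", "tcp", 80),     # DMZ host into internal net
                Packet("192.168.100.5", "93.184.216.34", "tcp", 21)):  # DMZ host FTP out
        print(pkt, "->", evaluate(rb, pkt))
    print("stealth above management:", evaluate(misordered(rb), Packet("10.10.10.50", "10.10.10.1", "tcp", 22)))
```

The simulator deliberately mirrors two points from the video: the noise rule is the only rule whose match is not logged, and traffic from the DMZ to the gateway never reaches the inline layer because the stealth rule (rule 2) matches first.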