11 Security Management Lab PDF
R80.10 Training
(revised: September 14, 2018)
Lab topology (recovered from the diagram):
• External Network: 192.168.103.x
• Pen Test Tool (Kali): IP 192.168.103.100, user root/Cpwins1!, default gateway 192.168.103.254
• Internal Client (Win-Victim): IP 192.168.101.100, user jroberts/Cpwins1!, default gateway 192.168.101.254
• Internal Network: 192.168.101.x
• DMZ Network: 192.168.102.x
• DNS: 192.168.102.2
• Management & Gateway
• VMware: suspend
Policy Review
At a high level our policy:
• Inbound from the Internet
  – Blocks all (clean up rule 13)
• Internal
  – Allows all between the Internal zone and the DMZ (rule 11 and rule 12)
Policy Review
• What if we want to download EXE files from the DMZ? Does our policy
allow it?
• The Destination of Any in rule 9 will block it. This may be difficult to
see in a complex policy with multiple sections and lots of rules.
• In the rule search bar, search for EXE and only the rules matching the
search are shown with the search object highlighted.
• Click x to delete the query. Notice that you can also search by token
like Action:Drop or packet. Click ? to learn more about the search
options. Packet Mode matches rules in the same way a packet with an
IP address arriving at the gateway would.
Policy Review
• Our intent for rules 4 – 10 is to control access to the Internet
and not the DMZ. There are a number of ways to fix this.
• Click + in the Destination column of rule 4.
• Type internet and we see two options (add both)
  – All Internet address range (0.0.0.0 to 255.255.255.255)
Policy Review
• Right click to remove the Net_192.168.102.0 network object
from rule 4.
• Security Zones is a nice option. Using the interface topology our
rule will match packets going to the Internet and not to the DMZ
zone.
• Add the ExternalZone object to rule 4. Then drag and drop to
add it to rules 4 -10.
• Install the policy.
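The rule 9 problem above, and the rule search bar, can be checked without a gateway. The block below is an added example (not Check Point's code, not part of the lab material): a packet-mode style first-match walk over a constructed subset of the lab policy (rules 9, 11 and 13 only; their column values are assumptions built from the slide text, and the sample IP addresses are constructed). It shows why Destination Any in rule 9 catches an EXE download from the DMZ, how a zone-based destination derived from the interface topology fixes it while still blocking EXE downloads from the Internet, and a minimal free-text and Column:Value rule search.

```python
"""Added example: first-match evaluation of a constructed subset of the lab policy."""
import ipaddress
from dataclasses import dataclass

# Interface topology from the lab diagram (constructed mapping): anything that is
# not behind the Internal or DMZ interface belongs to the External zone.
TOPOLOGY = {
    "InternalZone": ipaddress.ip_network("192.168.101.0/24"),
    "DMZZone": ipaddress.ip_network("192.168.102.0/24"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, net in TOPOLOGY.items():
        if addr in net:
            return zone
    return "ExternalZone"


def address_matches(selector: str, ip: str) -> bool:
    """Source/Destination column: 'Any', a zone object, or a network in CIDR form."""
    if selector == "Any":
        return True
    if selector.endswith("Zone"):
        return zone_of(ip) == selector
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


@dataclass(frozen=True)
class Rule:
    no: int
    source: str
    destination: str
    content: str      # 'Any' or a data type such as 'exe' (Content Awareness)
    action: str


def lab_policy(rule9_destination: str = "Any") -> list:
    """Rules 9, 11 and 13 as the slides describe them (column values constructed)."""
    return [
        Rule(9, "192.168.101.0/24", rule9_destination, "exe", "Drop"),
        Rule(11, "192.168.101.0/24", "192.168.102.0/24", "Any", "Accept"),
        Rule(13, "Any", "Any", "Any", "Drop"),   # clean up rule
    ]


def first_match(rules, src: str, dst: str, content: str = "Any") -> Rule:
    """Packet mode: walk top to bottom, the first matching rule decides."""
    for r in rules:
        if (address_matches(r.source, src) and address_matches(r.destination, dst)
                and r.content in ("Any", content)):
            return r
    raise LookupError("no rule matched; the policy has no clean up rule")


def search(rules, query: str) -> list:
    """Rule search bar: free text matches any column, 'Column:Value' one column."""
    q = query.lower()
    if ":" in q:
        column, value = q.split(":", 1)
        return [r for r in rules if str(getattr(r, column, "")).lower() == value]
    return [r for r in rules if any(q in str(v).lower() for v in vars(r).values())]


if __name__ == "__main__":
    client, dmz_web, internet = "192.168.101.100", "192.168.102.10", "203.0.113.10"
    before = first_match(lab_policy(), client, dmz_web, "exe")
    after = first_match(lab_policy("ExternalZone"), client, dmz_web, "exe")
    print(f"EXE from DMZ, rule 9 destination Any:          rule {before.no} {before.action}")
    print(f"EXE from DMZ, rule 9 destination ExternalZone: rule {after.no} {after.action}")
    still = first_match(lab_policy("ExternalZone"), client, internet, "exe")
    print(f"EXE from Internet after the fix:               rule {still.no} {still.action}")
    print("Action:Drop ->", [r.no for r in search(lab_policy(), "Action:Drop")])
```

Run as a script it prints the before/after decision for the DMZ download; `search(rules, "exe")` returns only rule 9, the same view the search bar gives when you type EXE.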
Policy Review
Search for performance, click Best Practices for Access Control Rules.
©2018 Check Point Software Technologies Ltd. [Confidential] For designated groups and individuals 11
R80 Security Management Lab
Policy Layers
One way to improve performance is to add layers to a policy.
The first packet of a connection traverses the rule base from the top to the bottom
until a match is found.
In our policy this means that packets from the DMZ traverse rules 1 – 11
first before a match is found.
Typically the DMZ includes servers accessible from the Internet such as
web servers. These may have a high hit count.
Over time we can use rule hit counts to move rules with higher hit counts
up to optimize our policy. We can also use layers: inline and ordered.
Inline Layer
Inline policies have a parent rule.
Ordered Layers
Inline Layer
Rules 4 – 8 can be moved to an inline layer.
• Click in the Action column and select Inline Layer -> New Layer.
Inline Layer
• Name the layer Web Control
Inline Layer
• Click OK and this creates the Inline layer.
Policy Layers
• Copy rules 5 – 9, select rule 4.1 and choose Paste above.
Inline Layer
• This adds the rules to our inline layer. To make our layer more general remove
Net_192.168.101.0 from the Source column of rules 4.1 through 4.5. Ensure the
4.6 cleanup rule Action is Accept.
• Select rules 5 – 9, right click in the No. column and select Delete. Click OK to confirm.
• Install the policy.
Inline Layer
• Monitor the policy installation by expanding Tasks (lower left) and
notice that it fails to install.
• Click Details. The verification error means rules 5 and 6 will never be matched:
the service Any in rule 4 will always be matched first.
Inline Layer
Let's try to solve this by creating an inline Data Control layer for rules 5 and 6
and specifying the services that Content Awareness matches.
• Click Close to exit the policy install Details.
• Navigate to MANAGE & SETTINGS -> Blades -> Content Awareness Advanced Settings.
• Notice this blade matches ftp, http/s, HTTP/S_proxy, and smtp.
Inline Layer
• Navigate back to the security policy and add a rule above rule 4.
• Click in the Action column and select Inline layer -> New Layer.
Inline Layer
• Name the layer Data Control.
• Enable Content Awareness only.
• Enable Sharing: multiple policies and rules can use this layer.
• Select Advanced and change the Implicit Cleanup Action to Accept.
• Click OK.
Inline Layer
• Instead of copying and pasting, this time drag and drop rules 6 and 7 (our content
awareness rules) to the new inline layer.
• Your policy should look like the below. Ensure the 4.3 CleanUp rule action is Accept.
• If you click in the services column of rule 4.1 you’ll notice that applications are not included.
Inline Layer
• Test the policy by browsing to sites that fall into the alcohol category.
• Notice these connections that were blocked before are now allowed.
Inline Layer
• Select the Data Control layer rule 4.3.
• Click the Logs tab and double click to open one of the logs.
• Click on the Matched Rules tab and notice rule 4 and 4.3 are
matched, but the Web Control layer is not checked.
Ordered Layer
• To fix this we could include the content awareness rules in the Web Control layer
as before, but R77.x gateways don’t support content awareness and we’d like the
option of using the web control layer in our R77.x policies.
• When we review the packet flow in slide 14 we notice that we can use layers in
order instead of inline.
• Select rule 4. Right click in the No. column and select Delete.
Ordered Layer
• Right click on Policy and select Edit policy.
• Click + to add the Data Control layer.
• Click OK.
Ordered Layer
• This adds Data Control to our Access Control policy after the Network layer.
• Click OK.
• If we wanted to we could change the order in Edit Policy.
Ordered Layer
• Test the policy by browsing to expressvpn.com and sites that fall into the alcohol category.
• Try downloading some of the files to verify our policy works as expected.
• Select the Data Control rule 1 and double click to open one of the logs.
• Notice the Matched Rules include the Web Control and the Data Control layers.
Ordered Layer
• Navigate to Menu -> Manage policies and layers.
• Click Layers and notice the mode of the Data Control and Web
Control layers in the Standard policy. One is inline and the
other is ordered.
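The three policy shapes this lab walks through (Web Control inline under rule 4 with the content rules 5 and 6 shadowed below it, Data Control inline above Web Control so that Web Control is never checked, and Data Control as an ordered layer after the Network layer so that both layers appear in Matched Rules) can be reproduced with a small model. The block below is an added example, not Check Point's code and not part of the lab material: the column values, the numbering of rules inside the layers, the "alcohol" and "pdf" rules and the packet attributes are constructed assumptions; the service list comes from the Content Awareness blade settings on the slide. It models first-match inside a layer, the parent rule of an inline layer, the implicit cleanup action, the "every ordered layer must accept" rule for ordered layers, and a shadowing check of the kind policy verification performs.

```python
"""Added example: a constructed model of inline and ordered policy layers."""
from dataclasses import dataclass
from typing import Optional

ANY = "Any"            # a column set to Any matches every value
S = frozenset          # all other columns are sets of allowed values
INTERNAL, INTERNET, DMZ = "InternalZone", "ExternalZone", "DMZZone"
# Services the Content Awareness blade inspects (from the blade's Advanced Settings)
CA_SERVICES = S({"ftp", "http", "https", "smtp"})


@dataclass
class Layer:
    name: str
    rules: list
    implicit_cleanup: str = "Drop"   # action when no rule in the layer matches


@dataclass
class Rule:
    no: str
    src: object
    dst: object
    service: object
    content: object                  # application category / data type tags
    action: str                      # "Accept", "Drop" or "Inline"
    inline: Optional[Layer] = None


def col_match(selector, value) -> bool:
    return selector == ANY or value in selector


def evaluate_layer(layer: Layer, pkt: dict, trail: list) -> str:
    """First match wins; an Inline action hands the packet to the sub-layer and
    the sub-layer's decision becomes the parent rule's decision."""
    for r in layer.rules:
        if (col_match(r.src, pkt["src"]) and col_match(r.dst, pkt["dst"])
                and col_match(r.service, pkt["service"])
                and (r.content == ANY or r.content & pkt["tags"])):
            trail.append(f"{layer.name}:{r.no}")
            return evaluate_layer(r.inline, pkt, trail) if r.action == "Inline" else r.action
    trail.append(f"{layer.name}:implicit-{layer.implicit_cleanup}")
    return layer.implicit_cleanup


def evaluate_policy(ordered_layers: list, pkt: dict):
    """Ordered layers run one after another: the connection is accepted only if
    every layer accepts it, and the first Drop ends evaluation. The trail is the
    model's equivalent of the log's Matched Rules tab."""
    trail = []
    for layer in ordered_layers:
        if evaluate_layer(layer, pkt, trail) == "Drop":
            return "Drop", trail
    return "Accept", trail


def covers(a, b) -> bool:
    """Column value a matches everything column value b matches."""
    return a == ANY or (b != ANY and b <= a)


def shadowed_rules(layer: Layer) -> list:
    """(shadowed, shadowing) rule numbers: rules that can never be matched because
    an earlier rule in the same layer is at least as broad in every column."""
    found = []
    for i, later in enumerate(layer.rules):
        for earlier in layer.rules[:i]:
            if all(covers(getattr(earlier, c), getattr(later, c))
                   for c in ("src", "dst", "service", "content")):
                found.append((later.no, earlier.no))
                break
    return found


def web_control(parent: str) -> Layer:
    return Layer("Web Control", [
        Rule(parent + ".1", ANY, ANY, ANY, S({"alcohol"}), "Drop"),  # constructed category rule
        Rule(parent + ".6", ANY, ANY, ANY, ANY, "Accept"),           # explicit cleanup set to Accept
    ])


def data_control(prefix: str) -> Layer:
    rules = [Rule(prefix + "1", ANY, S({INTERNET}), CA_SERVICES, S({"exe"}), "Drop")]
    if prefix:                                                         # inline variant keeps rule 4.3
        rules.append(Rule(prefix + "3", ANY, ANY, ANY, ANY, "Accept"))
    return Layer("Data Control", rules, implicit_cleanup="Accept")


def policy_web_control_inline() -> list:
    """First attempt: Web Control inline under rule 4, content rules 5 and 6 below it."""
    return [Layer("Network", [
        Rule("4", S({INTERNAL}), S({INTERNET}), ANY, ANY, "Inline", web_control("4")),
        Rule("5", S({INTERNAL}), S({INTERNET}), CA_SERVICES, S({"exe"}), "Drop"),
        Rule("6", S({INTERNAL}), S({INTERNET}), CA_SERVICES, S({"pdf"}), "Drop"),
        Rule("13", ANY, ANY, ANY, ANY, "Drop"),
    ])]


def policy_data_control_inline() -> list:
    """Second attempt: Data Control inline above Web Control."""
    return [Layer("Network", [
        Rule("4", S({INTERNAL}), S({INTERNET}), CA_SERVICES, ANY, "Inline", data_control("4.")),
        Rule("5", S({INTERNAL}), S({INTERNET}), ANY, ANY, "Inline", web_control("5")),
        Rule("13", ANY, ANY, ANY, ANY, "Drop"),
    ])]


def policy_data_control_ordered() -> list:
    """Final shape: Data Control as an ordered layer after the Network layer."""
    network = Layer("Network", [
        Rule("4", S({INTERNAL}), S({INTERNET}), ANY, ANY, "Inline", web_control("4")),
        Rule("11", S({INTERNAL}), S({DMZ}), ANY, ANY, "Accept"),
        Rule("13", ANY, ANY, ANY, ANY, "Drop"),
    ])
    return [network, data_control("")]


def browse(tags=(), dst=INTERNET, service="http") -> dict:
    """Constructed connection from the internal client; tags are the category
    or data type the blades would classify it as."""
    return {"src": INTERNAL, "dst": dst, "service": service, "tags": set(tags)}
```

`shadowed_rules` on the first attempt reports rules 5 and 6 as shadowed by rule 4, the verification error that made the install fail. With Data Control inline above Web Control, a connection to an alcohol-category site is accepted with the trail `Network:4, Data Control:4.3` and Web Control is never consulted. With Data Control as an ordered layer, an EXE download from the Internet is dropped with the trail `Network:4, Web Control:4.6, Data Control:1`, while an EXE download from the DMZ is accepted through rule 11 and the Data Control layer's implicit Accept.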
Policy Layers
• Name the policy My_policy.
Policy Layers
• This creates an empty network policy with a default firewall cleanup rule and Web
Control in an ordered layer.
• Select Layers and notice that the Web Control is used as an inline layer in
Standard and as an ordered layer in My_policy.
Review Questions
Check Point Community
CheckMates Community