Title: How to configure the

Security Policy (Rule Base) in

Check Point Firewall R65/R70
Author Zubair Arshad
MSc Network Security
CCSP, ASA Specialist, IPS Specialist, CCNA Security,
CCNA, CCSA, MCSE, JNCIS

HLD 1.0
Version

Date 15/04/2010
Network Diagram:

How to Configure the Security Policy

Create the Policy package:
• Click File > Save from the main menu.
• Click File >New from the main menu. The New Policy Package window
appears.

• Insert New Policy Package Name, and Tick the box Security and Address
Translation. You can also choose QOS, and Desktop Security options.
• Click OK. The empty Rule base appears, and the new Policy Package name
appears in the smartDashboard title bar. The Desktop and QOS tabs should
not be present.
Define Basic Rules

There are two basic rules that must be used by all Check Point Security
Administrators: The Cleanup Rule and Stealth Rule. Both Rules are imperative for
creating security measures, and tracking important information in SmartView
Tracker.

Cleanup Rule

VPN-1 drops all communication attempts that do not match a rule. The only way
to monitor the dropped packets is to create a Cleanup Rule that logs all dropped
traffic. The Cleanup Rule, also known as the “None of the Above” rule, drops all
communication not described by any other rule, and allows you to specify
logging for everything being dropped by this rule.
Note: For the Cleanup Rule to be effective, add all other rules above the
Cleanup Rule. The last rule in the Rule Base should always be the Cleanup Rule.

Create Cleanup Rule

• Select Rules > Add Rules > Top from the main menu.

• A default rule appears at the top of the Rule.

• Right Click the Name field of the rule and select Edit, or Double-Click the
Name filed. Enter Cleanup Rule in the Rule Name field, and click OK.
• Right Click the Track column of the rule, and choose the Log option from the
Track drop-down menu
• Right Click INSTALL ON > Add > Targets

• Select the Security Gateway and Click OK

• The Clecup rule appears, as follow:

Create Stealth Rule

Stealth Rule prevents any user from connecting directly to the Gateway. The
Gateway becomes invisible to users on the network.
• Click on Rules > Add Rule > Above
• A new default rule is added above the Cleanup Rule.
• Right Click the Name field of the rule and select Edit, or Double-Click the
Name filed. Enter Stealth Rule in the Rule Name field, and click OK.
• Right Click the Destination field, select Add, and choose the Security
Gateway. Click OK

• Right Click the Track column of the rule, and choose the Log option from the
Track drop-down menu
• Right Click INSTALL ON > Add > Targets
• Select the Security Gateway and Click OK
• The Stealth rule appears as follow:

Define Network Traffic Rule

• Right Click the number column of the Cleanup Rule > Add Rule > Above
• A new default rule is added above the Cleanup Rule
• Right Click the Name field of the rule and select Edit, or Double-Click the
Name filed. Enter Internal Network Traffic Rule in the Rule Name field,
and click OK.
• Right Click the Source field, select Add, and choose Internal_Network
object. Click OK

• Destination > Any

• Right Click the Service column, select Add, and choose HTTP, HTTPS, and
FTP. Click OK
• Right Click the Action column, and select accept

• Right Click the Track column of the rule, and choose the Log option from the
Track drop-down menu
• Right Click INSTALL ON > Add > Targets
• Select the Security Gateway and Click OK
• The Stealth rule appears as follow:

Define NetBIOS Rule

This rule reduces the amount of logged traffic by dropping all NetBIOS,
BOOTP, and RIP traffic, common services processed by all networks on the
Internet and Intranet.
• Right Click the number column of the Internet Network Traffic Rule > Add
Rule > Above
• A new default rule is added above the Internet Network Traffic Rule
• Right Click the Name field of the rule and select Edit, or Double-Click the
Name filed. Enter NetBIOS Rule in the Rule Name field, and click OK.
• SOURCE > Any
• DESTINATION > Any
• Right Click the Service column, select Add, and choose NBT, bootp, and
RIP. Click OK
• Right Click INSTALL ON > Add > Targets
• Select the Security Gateway and Click OK
• The NetBIOS rule appears as follow:

Create WEB Server Rule

This rule allows any external host to access your Web Server residing in DMZ
using HTTP, and FTP services.

• Right Click the number column of the Internet Network Traffic Rule > Add
Rule > Above
• A new default rule is added above the Internet Network Traffic Rule
• Right Click the Name field of the rule and select Edit, or Double-Click the
Name filed. Enter WEB Server Rule in the Rule Name field, and click OK.
• SOURCE > Any
• Right Click the DESTINATION field, select Add, and choose Web_Server

object. Click OK
• Right Click the Service column, select Add, and choose HTTP, and FTP.
Click OK
• Right Click the Action column, and select accept
• Right Click the Track column of the rule, and choose the Log option from the
Track drop-down menu
• Right Click INSTALL ON > Add > Targets
• Select the Security Gateway and Click OK
• The NetBIOS rule appears as follow:

Verify and Install the Security Policy

By verifying the Security Policy before installation, the Rule base is validated to
ensure that no order issues preventing Policy installation are present

• Click Policy > Verify

• Check Security and Address Translation box in the Verify window

• A Policy Verification window will appear to notify you that rules are
validated. Click OK
• Click Policy > Install

• A warning will appear

• Check the option Don’t show this message again. Click OK

• The Install Policy window appears
• Click OK to perform the installation.
• Installation Process – HeadOffice window shows, informing you that the
installation process was accomplished. Click OK

<End of the Document>

 NAT

Defining Network Address Translation (NAT) via the network object

automatically adds Rules to the Network Translation Rule Base. The
Translation method can be either "Hide" or "Static".

The Global Properties section for NAT contains an option called "Automatic
ARP configuration". Automatic ARP configuration ensures that ARP requests
for a translated (NATed) machine, network or address range are answered by
the Security Gateway. You no longer have to manually add a route on a
Security Gateway to ensure proper routing of Static NAT devices. In addition,
there is no longer a need for manual ARP configuration via the local.arp
file.

Configuring Hide NAT

In Hide NAT, a single public address is used to represent multiple computers on

the internal network with private addresses. Hide NAT allows connections to be
initiated only from the protected side of the Security Gateway that is protecting
this object (Check Point, or Externally Managed Gateway or Host, Gateway
node, or Host node).

Enabling Hide NAT on the network object will add the appropriate rule to the
NAT Rule Base. Perform the following steps to enable Hide NAT for your
internal network:

1. Login to SmartDashboard.
2. Create the network object for the internal network.
3. Define the following fields:
o Name
o Network Address
o Net Mask
o Comments
o Color
4. Select the NAT tab, and enable the option "Add Automatic
Address Translation rules".
5. Select the Translation method "Hide".
6. Select "Hide behind gateway". This NAT configuration
hides the real address behind the IP address of the
Security Gateway interface, through which the packet is
routed out.
7. Click 'OK'.
8. Install the Security Policy.
Configuring Static NAT

In Static NAT, each private address is translated to a corresponding public

address. Static NAT allows machines on both sides of the Security Gateway,
protecting this object (Check Point, or Externally Managed Gateway or Host,
Gateway node, or Host node), to initiate connections, so that, for example,
internal servers can be made available externally.

Static NAT is used for Web, email, and other application servers that require
routable IP addresses. These servers will be routable to the Internet, but will
also retain their internal IP addresses for internal access.

Perform the following steps to enable Static NAT for your Web or email server:

1. Login to SmartDashboard.
2. Create a Host Node object for the server.
3. Define the following fields:
o Name
o IP address
o Comment
o Color
4. Select the NAT tab, and enable "Add Automatic Address
Translation rules".
5. Select the Translation method "Static".
6. Enter the desired IP address in the "Translate to IP
address" field. The Translate to IP Address value for Static
NAT is a virtual IP address, which is a public (routable) IP
address that does not belong to any real machine.
7. Click 'OK'.
8. Install the Security Policy.