Menu

Check Point - Basic Config


After few requests I received from a colleague of mine I would like to upload a brief guide on the basic use configuration and troubleshooting of a Check Point firewall.

So let's start from the beginning, most of the configuration is done via the GUI client of the FW, the Smart Dashboard, to use it we just use our Login credentials and the IP of the "Management" server ( the device responsible of managing the actual Gateways – firewalls).


As soon as we enter the first thing we see is the Policy, like most firewall's out there here we'll find most of the "rules" we wish to apply on our network, by default we get a Firewall with one purpose in life – block all traffic, at this point we need to change that and add Rules that will pass some traffic ( by the Security policy of our organization ) and off course block all other.


For example – we wish to allow web access from one host in our network to any destination out there.

To create the new rule use the Rules > Add Rule > TOP 
Lets hang here for a moment, The position of the rule in the policy is very important, the firewall will look at the rules top to bottom till the first match, so if we position a rule in the wrong order we may not get the desired result.

After we create the rule, we get one that says "any source with any destination on any service/port gets dropped"

To change it simply click each section and change to the desired content, in our case we click the source the new (for new host) and put a name and IP for the host we wish to allow the web access, when we click OK the rule will become 
"New Host to any destination on any service/port get dropped". 

Now let's add one more Object, the Service, click on the service section and add the HTTP and click the Action and change to Accept.

Now we have the following rule: "from New Host to any destination on TCP Port 80 Pass" .

So basically at the moment we have 2 rules at the moment – one that allows "New Host" to use HTTP to any destination and another to block any other traffic.


Now we'll assume "New Host" is a PC in Our LAN network, and it has a privet IP, for example 192.168.0.1

As we all know a privet IP can't be router along the internet and we have to add NAT (make the firewall hide the IP for the sake of web browsing).

So we need to create a NAT statement for this type of traffic, to do so – use the NAT section.

A big surprise – another Policy page, use it same as the Firewall policy, create a new rule (remember the position is very important)

change the original source to contain our "New Host" to match our traffic, the service to HTTP and the Translated source to any Host that has Routable IP.

So that the new NAT rule will say "look for any HTTP packet with the source of New Host and change the source IP to Routable IP"

So now New Host can browse the internet, but let's say that after a few hours we saw that the user is overloading the internet line and we decided to limit the browsing a bit and block the access to youtube.com and block all Facebook application (only allow the site itself)


To do so, get to the " Application & URL filtering" section, add our gateway here (to allow thin on our Gateway) and navigate to Applications/Sites, here we'll create a new group, name it, and click add, now add all content we wish to block, in our case search for "facebook" and select everything, for Youtube we need to create a site so New > Site and add "youtube.com" and "*.youtube.com" 


Now to the Policy, in here we also create a new rule, Source will be our host (New Host) destination will be the Internet, application will be both application we just created, and of course action will be Block.


To ensure allowing all other sites, create another rule to allow everything from New Host to the internet.


This should cover some of the basic configuration on the Check Point Firewall.



Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

5 comments: