Decreasing Security Gateway Exposure with Policy

Security Gateway Stealth Rule

Recommendation: Configure a Stealth Rule, placed above the rules that allow traffic through the Security Gateway, that drops traffic directed to the Security Gateway itself, except for explicitly required management and control traffic.

Security Gateways are frequently scanned. A Stealth Rule reduces the Security Gateway's exposure and limits which hosts can reach Security Gateway services.

Item                                                   | Default (Typical) | Recommended
-------------------------------------------------------|-------------------|------------------------------------------------------------------------------------------
Security Gateway is reachable on data plane interfaces | Depends on policy | Allow only required traffic directed to the Security Gateway; drop all other traffic directed to it.
Logging of stealth drops                               | Depends on policy | Enable during rollout, then tune to reduce noise.

Example policy pattern (simplified):

  • Allow & Log: Admin Jump Hosts and Specific Admin user groups -> Security Gateway (HTTPS / SSH / API as used)

  • Drop & Log: Any -> Security Gateway (all other traffic directed to Security Gateway)
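The pattern above is easy to get wrong in a large rulebase: a broad Accept placed above the Stealth Rule (for example, an internal network to destination Any) still lets those hosts reach Security Gateway services, and an admin rule placed below it is shadowed and never matched. The following audit script is an added example, not code from the guide or from Check Point. It works on a simplified in-memory rulebase representation (not the exact JSON the Management API returns for show access-rulebase); the object names Gateway_Cluster, Admin_Jump_Hosts, Admin_Users and the service names are assumptions, and the two sample rulebases are constructed for the example.

```python
"""Audit a simplified Access Control rulebase for the Stealth Rule pattern.

Rulebase format (a constructed simplification, not the Management API schema):
each rule is a dict with no, name, source, destination, service (lists of
object names, "Any" allowed), action ("Accept"/"Drop") and track ("Log"/"None").
Rules are listed in enforcement order, top to bottom.
"""

# Assumed object names; replace with the names used in your policy.
GATEWAY_OBJECTS = {"Gateway_Cluster"}
ADMIN_SOURCES = {"Admin_Jump_Hosts", "Admin_Users"}
MGMT_SERVICES = {"https", "ssh", "Web API"}

# Constructed sample: admin allow above a logged Stealth Rule, then normal traffic.
SAMPLE_RULEBASE = [
    {"no": 1, "name": "Admin access", "source": ["Admin_Jump_Hosts"],
     "destination": ["Gateway_Cluster"], "service": ["https", "ssh"],
     "action": "Accept", "track": "Log"},
    {"no": 2, "name": "Stealth", "source": ["Any"], "destination": ["Gateway_Cluster"],
     "service": ["Any"], "action": "Drop", "track": "Log"},
    {"no": 3, "name": "Web DMZ", "source": ["Any"], "destination": ["DMZ_Web"],
     "service": ["https"], "action": "Accept", "track": "Log"},
]

# Constructed sample with the typical mistakes: a broad Accept to Any above an
# unlogged Stealth Rule, and the admin rule placed below it (shadowed).
BAD_RULEBASE = [
    {"no": 1, "name": "LAN to Internet", "source": ["Internal_Net"],
     "destination": ["Any"], "service": ["https", "dns"],
     "action": "Accept", "track": "None"},
    {"no": 2, "name": "Stealth", "source": ["Any"], "destination": ["Gateway_Cluster"],
     "service": ["Any"], "action": "Drop", "track": "None"},
    {"no": 3, "name": "Admin access", "source": ["Admin_Jump_Hosts"],
     "destination": ["Gateway_Cluster"], "service": ["ssh"],
     "action": "Accept", "track": "Log"},
]


def targets_gateway(rule):
    """True if the rule can match traffic whose destination is the gateway itself."""
    dest = set(rule["destination"])
    return "Any" in dest or bool(dest & GATEWAY_OBJECTS)


def is_stealth(rule):
    """A Stealth Rule drops Any source, Any service, to gateway objects only."""
    dest = set(rule["destination"])
    return (rule["action"] == "Drop"
            and "Any" in rule["source"]
            and "Any" in rule["service"]
            and bool(dest) and dest <= GATEWAY_OBJECTS)


def audit_stealth(rulebase):
    """Return a list of findings; an empty list means the pattern is in place."""
    findings = []
    stealth_pos = next((i for i, r in enumerate(rulebase) if is_stealth(r)), None)
    if stealth_pos is None:
        return ["no Stealth Rule (Drop, Any -> Security Gateway, Any service) found"]

    stealth = rulebase[stealth_pos]
    if stealth["track"] != "Log":
        findings.append(f"rule {stealth['no']}: Stealth Rule is not logged")

    # Every Accept above the Stealth Rule that can reach the gateway must be
    # restricted to admin sources, management services, and be logged.
    for rule in rulebase[:stealth_pos]:
        if rule["action"] != "Accept" or not targets_gateway(rule):
            continue
        src, svc = set(rule["source"]), set(rule["service"])
        if "Any" in src or not src <= ADMIN_SOURCES:
            findings.append(f"rule {rule['no']}: accepts traffic to the Security "
                            f"Gateway from non-admin source {sorted(src)}")
        if "Any" in svc or not svc <= MGMT_SERVICES:
            findings.append(f"rule {rule['no']}: accepts non-management service "
                            f"{sorted(svc)} to the Security Gateway")
        if rule["track"] != "Log":
            findings.append(f"rule {rule['no']}: access to the Security Gateway is not logged")

    # A rule below the Stealth Rule whose only destination is the gateway is dead.
    for rule in rulebase[stealth_pos + 1:]:
        dest = set(rule["destination"])
        if dest and dest <= GATEWAY_OBJECTS:
            findings.append(f"rule {rule['no']}: destination is only the Security Gateway "
                            f"but sits below the Stealth Rule (shadowed, never matched)")
    return findings


if __name__ == "__main__":
    for label, rb in (("sample", SAMPLE_RULEBASE), ("bad", BAD_RULEBASE)):
        print(label, audit_stealth(rb) or "OK")
```

The check is deliberately conservative: a rule with destination Any above the Stealth Rule is treated as reaching the gateway, because on the data plane it does. Implied Rules positioned "First" are enforced before this rulebase and are not visible in it, which is why the next section asks you to review and log them as well.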

Implementation reference:

R82.10 Security Management Administration Guide > Creating an Access Control Policy, Best Practices for Access Control Rules

Limit and Log Implied Rules

Recommendation: Review the Implied Rules settings, enable only those that are necessary, and ensure that logging of Implied Rules is enabled.

Implied Rules allow essential Check Point internal communication (for example, control connections between the Security Management Server and its Security Gateways) and connectivity for features such as VPN and Remote Access.

Reducing them to the minimum reduces the potential attack surface, and logging them improves auditability and troubleshooting without breaking functionality.

Item                     | Default (Typical) | Recommended
-------------------------|-------------------|------------------------------------------------------------
Implied rules execution  | Enabled           | Keep enabled unless you implement a full explicit replacement.
Logging for implied rules | Disabled         | Enable logging for visibility and troubleshooting.

Operational note: Disabling Implied Rules without correct explicit replacement rules can cause policy installation failures and loss of management and log connectivity. Note also that each Implied Rule has a position (First, Before Last, or Last): rules positioned First are enforced before the explicit rulebase, including the Stealth Rule, so traffic they accept never reaches the stealth drop.

Check Point Security Gateway clusters using static IP addresses, without remote access enabled, should be set up as follows:

Implementation reference:

R82.10 Security Management Administration Guide > Creating an Access Control Policy, Implied Rules.