Security Before Firewall Activation

Boot Security

The Boot Security protects the Security Gateway and its networks, during the boot:

Disables the IP Forwarding in Linux OS kernel
Loads the Default Filter Policy

For additional information, see these commands in the R80.10 Command Line Reference Guide:

Command	Description
`$FWDIR/bin/control_bootsec {-r \| -R}`	Disables the boot security
`$FWDIR/bin/control_bootsec [-g \| -G]`	Enables the boot security
`$FWDIR/bin/comp_init_policy [-u \| -U]`	Deletes the local state policy
`$FWDIR/bin/comp_init_policy [-g \| -G]`	Creates the local state Initial Policy

Control of IP Forwarding on Boot

Boot Security disables IP forwarding in the Linux OS kernel. There is never a time when IP Forwarding is active without a security policy. This protects the networks connected to the Security Gateway.

The Default Filter

The Default Filter Policy protects the Security Gateway from the time it boots up until it installs the security policy.

Boot Security disables IP Forwarding and loads the Default Filter Policy.

There are three Default Filters templates on the Security Gateway:

Default Filter Mode	Default Filter Policy File	Description
Boot Filter	`$FWDIR/lib/defaultfilter.boot`	This filter: Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces Allows all outbound packets from the Security Gateway
Drop Filter	`$FWDIR/lib/defaultfilter.drop`	This filter drops all inbound and outbound packets on the Security Gateway. Best Practice - If the boot process requires that the Security Gateway communicate with other hosts, do not use the Drop Filter.
Filter for Dynamically Assigned Gateways (DAG)	`$FWDIR/lib/defaultfilter.dag`	This filter for Security Gateways with Dynamically Assigned IP address: Allows all DHCP Requests Allows all DHCP Replies Uses Boot Filter: Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces Allows all outbound packets from the Security Gateway

Default Filter Mode

Default Filter Policy File

Description

Boot Filter

$FWDIR/lib/defaultfilter.boot

This filter:

Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces
Allows all outbound packets from the Security Gateway

Drop Filter

$FWDIR/lib/defaultfilter.drop

This filter drops all inbound and outbound packets on the Security Gateway.

Best Practice - If the boot process requires that the Security Gateway communicate with other hosts, do not use the Drop Filter.

Filter for Dynamically Assigned Gateways (DAG)

$FWDIR/lib/defaultfilter.dag

This filter for Security Gateways with Dynamically Assigned IP address:

Allows all DHCP Requests
Allows all DHCP Replies
Uses Boot Filter:
1. Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces
2. Allows all outbound packets from the Security Gateway

Selecting the Default Filter

Important - In a cluster, you must configure all the Cluster Members in the same way.

Step	Description
1	Make sure to configure and install a Security Policy on the Security Gateway.
2	Connect to the command line on the Security Gateway.
3	Log in to the Expert mode.
4	Back up the current Default Filter Policy file: `# cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}`
5	Create a new Default Filter Policy file. To create a new Boot Filter, run: `# cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf` To create a new Drop Filter, run: `# cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf` To create a new DAG Filter, run: `# cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf`
6	Compile the new Default Filter file: `# fw defaultgen` The new complied Default Filter file for IPv4 traffic is: `$FWDIR/state/default.bin` The new complied Default Filter file for IPv6 traffic is: `$FWDIR/state/default.bin6`
7	Get the path of the Default Filter Policy file: `# $FWDIR/boot/fwboot bootconf get_def` Example: `[Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def` `/etc/fw.boot/default.bin` `[Expert@MyGW:0]#`
8	Copy new complied Default Filter file to the path of the Default Filter Policy file. For IPv4 traffic, run: `# cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin` For IPv6 traffic, run: `# cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6`
9	Make sure to connect to the Security Gateway over a serial console. If the new Default Filter Policy fails and blocks all access through the network interfaces, you can unload that Default Filter Policy and install the working policy.
10	Reboot the Security Gateway.

Defining a Custom Default Filter

Administrators with Check Point INSPECT language knowledge can define customized Default Filters.

Important - Make sure your customized Default Filter policy does not interfere with the Security Gateway boot process.

Step	Description
1	Make sure to configure and install a Security Policy on the Security Gateway.
2	Connect to the command line on the Security Gateway.
3	Log in to the Expert mode.
4	Back up the current Default Filter Policy file: `# cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}`
5	Create a new Default Filter Policy file. To use the Boot Filter as a template, run: `# cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf` To use the Drop Filter as a template, run: `# cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf` To use the DAG Filter as a template, run: `# cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf`
6	Edit the new Default Filter Policy file to include the desired INSPECT code. Important - Your customized Default Filter must not use these functions: Logging Authentication Encryption Content Security
7	Compile the new Default Filter file: `# fw defaultgen` The new complied Default Filter file for IPv4 traffic is: `$FWDIR/state/default.bin` The new complied Default Filter file for IPv6 traffic is: `$FWDIR/state/default.bin6`
8	Get the path of the Default Filter Policy file: `# $FWDIR/boot/fwboot bootconf get_def` Example: `[Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def` `/etc/fw.boot/default.bin` `[Expert@MyGW:0]#`
9	Copy new complied Default Filter file to the path of the Default Filter Policy file. For IPv4 traffic, run: `# cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin` For IPv6 traffic, run: `# cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6`
10	Make sure to connect to the Security Gateway over a serial console. If the new Default Filter Policy fails and blocks all access through the network interfaces, you can unload that Default Filter Policy and install the working policy.
11	Reboot the Security Gateway.

Using the Default Filter for Maintenance

It is sometimes necessary to stop the Security Gateway for maintenance. It is not always practical to disconnect the Security Gateway from the network (for example, if the Security Gateway is on a remote site).

To stop the Security Gateway for maintenance and maintain security, you can run:

Command	Description
`cpstop -fwflag –default`	Shuts down Check Point processes Loads the Default Filter policy (`defaultfilter`)
`cpstop -fwflag -proc`	Shuts down Check Point processes Keeps the currently loaded kernel policy Maintains the Connections table, so that after you run the `cpstart` command, you do not experience dropped packets because they are "out of state" Note - Only security rules that do not use user space processes continue to work.

Command

Description

cpstop -fwflag –default

Shuts down Check Point processes
Loads the Default Filter policy (defaultfilter)

cpstop -fwflag -proc

Shuts down Check Point processes
Keeps the currently loaded kernel policy
Maintains the Connections table, so that after you run the cpstart command, you do not experience dropped packets because they are "out of state"

Note - Only security rules that do not use user space processes continue to work.