
Boot Security

Boot Security protects the Security Gateway and the networks behind it during the boot process, in two ways:

Control of IP Forwarding on Boot

Boot Security disables IP forwarding in the Linux OS kernel. There is never a time when IP Forwarding is active without a security policy. This protects the networks connected to the Security Gateway.

The Default Filter

The Default Filter Policy protects the Security Gateway from the time it boots up until it installs the security policy.

Boot Security disables IP Forwarding and loads the Default Filter Policy.

There are three Default Filter templates on the Security Gateway:

Boot Filter
  Default Filter Policy File: $FWDIR/lib/defaultfilter.boot
  This filter:
  • Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces
  • Allows all outbound packets from the Security Gateway

Drop Filter
  Default Filter Policy File: $FWDIR/lib/defaultfilter.drop
  This filter drops all inbound and outbound packets on the Security Gateway.

  Best Practice - If the boot process requires that the Security Gateway communicate with other hosts, do not use the Drop Filter.

Filter for Dynamically Assigned Gateways (DAG)
  Default Filter Policy File: $FWDIR/lib/defaultfilter.dag
  This filter, for Security Gateways with a dynamically assigned IP address:
  • Allows all DHCP Requests
  • Allows all DHCP Replies
  • Uses the Boot Filter rules:
    1. Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces
    2. Allows all outbound packets from the Security Gateway

Selecting the Default Filter

Important - In a cluster, you must configure all the Cluster Members in the same way.

Step 1. Make sure to configure and install a Security Policy on the Security Gateway.

Step 2. Connect to the command line on the Security Gateway.

Step 3. Log in to the Expert mode.

Step 4. Back up the current Default Filter Policy file:

    # cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

Step 5. Create a new Default Filter Policy file.

  • To create a new Boot Filter, run:

    # cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf

  • To create a new Drop Filter, run:

    # cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf

  • To create a new DAG Filter, run:

    # cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf

Step 6. Compile the new Default Filter file:

    # fw defaultgen

  • The new compiled Default Filter file for IPv4 traffic is:

    $FWDIR/state/default.bin

  • The new compiled Default Filter file for IPv6 traffic is:

    $FWDIR/state/default.bin6

Step 7. Get the path of the Default Filter Policy file:

    # $FWDIR/boot/fwboot bootconf get_def

  Example:

    [Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
    /etc/fw.boot/default.bin
    [Expert@MyGW:0]#

Step 8. Copy the new compiled Default Filter file to the path of the Default Filter Policy file.

  • For IPv4 traffic, run:

    # cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin

  • For IPv6 traffic, run:

    # cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6

Step 9. Make sure to connect to the Security Gateway over a serial console.

  If the new Default Filter Policy fails and blocks all access through the network interfaces, you can unload that Default Filter Policy from the serial console and install the working policy.

Step 10. Reboot the Security Gateway.

Defining a Custom Default Filter

Administrators with Check Point INSPECT language knowledge can define customized Default Filters.

Important - Make sure your customized Default Filter policy does not interfere with the Security Gateway boot process.

Step 1. Make sure to configure and install a Security Policy on the Security Gateway.

Step 2. Connect to the command line on the Security Gateway.

Step 3. Log in to the Expert mode.

Step 4. Back up the current Default Filter Policy file:

    # cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

Step 5. Create a new Default Filter Policy file.

  • To use the Boot Filter as a template, run:

    # cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf

  • To use the Drop Filter as a template, run:

    # cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf

  • To use the DAG Filter as a template, run:

    # cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf

Step 6. Edit the new Default Filter Policy file to include the desired INSPECT code.

  Important - Your customized Default Filter must not use these functions:

  • Logging
  • Authentication
  • Encryption
  • Content Security

Step 7. Compile the new Default Filter file:

    # fw defaultgen

  • The new compiled Default Filter file for IPv4 traffic is:

    $FWDIR/state/default.bin

  • The new compiled Default Filter file for IPv6 traffic is:

    $FWDIR/state/default.bin6

Step 8. Get the path of the Default Filter Policy file:

    # $FWDIR/boot/fwboot bootconf get_def

  Example:

    [Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
    /etc/fw.boot/default.bin
    [Expert@MyGW:0]#

Step 9. Copy the new compiled Default Filter file to the path of the Default Filter Policy file.

  • For IPv4 traffic, run:

    # cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin

  • For IPv6 traffic, run:

    # cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6

Step 10. Make sure to connect to the Security Gateway over a serial console.

  If the new Default Filter Policy fails and blocks all access through the network interfaces, you can unload that Default Filter Policy from the serial console and install the working policy.

Step 11. Reboot the Security Gateway.
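The two procedures above share the same back-up, copy, compile and install steps. The following script is an added example, not Check Point's own code: it wraps those steps for one of the three templates and adds two checks a practitioner wants before rebooting, namely which template the active policy file matches and whether the compiled file at the boot path is stale relative to the last "fw defaultgen" run. It assumes $FWDIR is set as in Expert mode, and that the IPv6 boot path is the IPv4 path with "6" appended, as in the example output above; the function names are hypothetical.

```shell
#!/bin/bash
# Added example around the Default Filter procedures (not Check Point's code).
# The helper functions take paths as arguments so they can be checked offline.

# identify_default_filter <policy_file> <lib_dir>
# Prints boot, drop or dag when the policy file is byte-identical to that
# template under $FWDIR/lib, or custom when it has been edited (INSPECT code).
identify_default_filter() {
    pf="$1"; lib="$2"
    for mode in boot drop dag; do
        if cmp -s "$pf" "$lib/defaultfilter.$mode"; then
            printf '%s\n' "$mode"
            return 0
        fi
    done
    printf 'custom\n'
}

# boot_copy_is_current <compiled_file> <boot_file>
# Returns 0 when the file at the boot path equals the last compiled file under
# $FWDIR/state, i.e. the copy step was done after "fw defaultgen".
boot_copy_is_current() {
    cmp -s "$1" "$2"
}

# install_default_filter <boot|drop|dag>
# Runs the back-up, template copy, compile, path lookup and install steps from
# the procedure above. Must be run in Expert mode on the Security Gateway.
install_default_filter() {
    mode="$1"
    case "$mode" in
        boot|drop|dag) ;;
        *) echo "unknown Default Filter template: $mode" >&2; return 2 ;;
    esac
    cp -v "$FWDIR/conf/defaultfilter.pf" "$FWDIR/conf/defaultfilter.pf_BKP"
    cp -v "$FWDIR/lib/defaultfilter.$mode" "$FWDIR/conf/defaultfilter.pf"
    fw defaultgen
    # e.g. /etc/fw.boot/default.bin; assumed: IPv6 path is the same with "6" appended
    boot_path="$("$FWDIR/boot/fwboot" bootconf get_def)"
    cp -v "$FWDIR/state/default.bin"  "$boot_path"
    cp -v "$FWDIR/state/default.bin6" "${boot_path}6"
    boot_copy_is_current "$FWDIR/state/default.bin" "$boot_path" || return 1
    echo "Active Default Filter template: $(identify_default_filter "$FWDIR/conf/defaultfilter.pf" "$FWDIR/lib")"
    echo "Connect over the serial console before rebooting."
}
```

Run identify_default_filter and boot_copy_is_current on their own to audit a gateway without changing anything; install_default_filter is the only function that writes files.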

Using the Default Filter for Maintenance

It is sometimes necessary to stop the Security Gateway for maintenance. It is not always practical to disconnect the Security Gateway from the network (for example, if the Security Gateway is on a remote site).

To stop the Security Gateway for maintenance and maintain security, you can run one of these commands:

cpstop -fwflag -default
  • Shuts down Check Point processes
  • Loads the Default Filter policy (defaultfilter)

cpstop -fwflag -proc
  • Shuts down Check Point processes
  • Keeps the currently loaded kernel policy
  • Maintains the Connections table, so that after you run the cpstart command, you do not experience dropped packets because they are "out of state"

Note - Only security rules that do not use user space processes continue to work.