Boot Security protects the Security Gateway and its networks during the boot process:

- Boot Security disables IP forwarding in the Linux OS kernel. There is never a time when IP Forwarding is active without a security policy. This protects the networks connected to the Security Gateway.
- The Default Filter Policy protects the Security Gateway from the time it boots up until it installs the security policy.

Boot Security disables IP Forwarding and loads the Default Filter Policy.
There are three Default Filter templates on the Security Gateway:

Default Filter Mode | Default Filter Policy File | Description
---|---|---
Boot Filter | | This filter:
Drop Filter | | This filter drops all inbound and outbound packets on the Security Gateway. Best Practice - If the boot process requires that the Security Gateway communicate with other hosts, do not use the Drop Filter.
Filter for Dynamically Assigned Gateways (DAG) | | This filter is for Security Gateways with a Dynamically Assigned IP address:
Important - In a cluster, you must configure all the Cluster Members in the same way.
Step | Description
---|---
1 | Make sure to configure and install a Security Policy on the Security Gateway.
2 | Connect to the command line on the Security Gateway.
3 | Log in to the Expert mode.
4 | Back up the current Default Filter Policy file:
5 | Create a new Default Filter Policy file.
6 | Compile the new Default Filter file:
7 | Get the path of the Default Filter Policy file. Example:
8 | Copy the new compiled Default Filter file to the path of the Default Filter Policy file.
9 | Make sure to connect to the Security Gateway over a serial console. If the new Default Filter Policy fails and blocks all access through the network interfaces, you can unload that Default Filter Policy and install the working policy.
10 | Reboot the Security Gateway.
Administrators with Check Point INSPECT language knowledge can define customized Default Filters.
Important - Make sure your customized Default Filter policy does not interfere with the Security Gateway boot process.
Step | Description
---|---
1 | Make sure to configure and install a Security Policy on the Security Gateway.
2 | Connect to the command line on the Security Gateway.
3 | Log in to the Expert mode.
4 | Back up the current Default Filter Policy file:
5 | Create a new Default Filter Policy file.
6 | Edit the new Default Filter Policy file to include the desired INSPECT code. Important - Your customized Default Filter must not use these functions:
7 | Compile the new Default Filter file:
8 | Get the path of the Default Filter Policy file. Example:
9 | Copy the new compiled Default Filter file to the path of the Default Filter Policy file.
10 | Make sure to connect to the Security Gateway over a serial console. If the new Default Filter Policy fails and blocks all access through the network interfaces, you can unload that Default Filter Policy and install the working policy.
11 | Reboot the Security Gateway.
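A shell helper, added here as an example and not taken from the Check Point guide, that carries out the back-up and copy steps of both procedures above (back up the current Default Filter Policy file, then copy the newly compiled file over it) while refusing to overwrite anything unless the backup has been verified and the new compiled file is non-empty, so the serial-console recovery step always has a known-good file to fall back on. The file paths are placeholders, since the real paths and compile commands are not on this page.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Paths below are PLACEHOLDERS:
# substitute the Default Filter Policy path reported by the procedure's step 7/8.
DEFAULT_FILTER="${DEFAULT_FILTER:-/PLACEHOLDER/default_filter_policy}"
NEW_FILTER="${NEW_FILTER:-/PLACEHOLDER/new_compiled_default_filter}"
BACKUP="${BACKUP:-${DEFAULT_FILTER}.bak}"

# Byte-for-byte comparison using POSIX cksum (CRC and length) on stdin.
same_file() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# install_default_filter CURRENT NEW BACKUP
# Returns 0 only when the backup was written and verified AND the new
# compiled file was copied and verified; otherwise returns 1 and leaves
# CURRENT untouched (the backup step runs before any overwrite).
install_default_filter() {
    cur="$1"; new="$2"; bak="$3"
    [ -s "$cur" ] || { echo "current filter missing or empty: $cur" >&2; return 1; }
    [ -s "$new" ] || { echo "new filter missing or empty: $new" >&2; return 1; }
    cp -p "$cur" "$bak" || return 1
    same_file "$cur" "$bak" || { echo "backup verification failed" >&2; return 1; }
    cp -p "$new" "$cur" || return 1
    same_file "$new" "$cur" || { echo "install verification failed" >&2; return 1; }
    echo "installed $new over $cur (backup at $bak); reboot to load it"
}

# Usage (placeholders): install_default_filter "$DEFAULT_FILTER" "$NEW_FILTER" "$BACKUP"
```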
It is sometimes necessary to stop the Security Gateway for maintenance. It is not always practical to disconnect the Security Gateway from the network (for example, if the Security Gateway is on a remote site).
To stop the Security Gateway for maintenance and maintain security, you can run:
Command | Description
---|---
 | Note - Only security rules that do not use user space processes continue to work.