Print Download Documentation Send Feedback



Access Control

What can I do here?

Use this window to define the Access Policy.

Getting Here

Getting Here - Security Policies > Access Control

Understanding the Rule Base

The Access Control Policy is created and implemented in the Rule Base. A security policy consists of rules that define access control to and from the networks protected by Check Point Security Gateways. A well-defined access policy is essential for the Check Point Security Gateways to be an effective security solution.

The fundamental concept of the Rule Base is "a connection that is not explicitly allowed is denied".

The Rule Base specifies what communication will be allowed to pass and what will be blocked. It specifies the source and destination of the communication, what services can be used, at what times, whether to log the connection and the logging level.

Check Point Security Gateways work by inspecting packets in a sequential manner. When the Security Gateway receives a packet belonging to a connection, it compares it against the first rule in the Firewall Rule Base, then the second, then the third, and so on. When it finds a rule that matches, it stops checking and applies that rule. If the packet goes through all the rules without finding a match, then that packet is denied. It is important to understand that the first rule that matches is applied to the packet, not the rule that best matches.

Rule Base Structure

The Rule Base consists of horizontal rows and vertical columns. The rows display complete rules. The columns display the individual elements of a particular rule.


Configure rules and rule elements by selecting the rule and right-clicking on the rule element.

Rule Base Structure

Note - Captive Portal is relevant only for http traffic.

Rule Base Operations

Operations that can be performed on the Rule Base include:

Right-clicking in the cell of a rule shows options to

You can also multi-select two or more items in a cell.

Introducing Policy Layers

To simplify Policy management, R80 organizes the policy into Policy Layers. A layer is a set of rules, or a Rule Base.

For example, when you upgrade to R80 from earlier versions:

For Pre-R80 Gateways, the enforcement is the same as with earlier management versions, but it looks different in the SmartConsole.

The layers concept opens more options for policy management. These include:

Future versions will include more options with layers, including Actions for Inline Layers.

Introducing the Access Control Policy

An Access Control Policy Rule Base consists of these types of rules:

Types of Rules in the Rule Base

There are three types of rules in the Rule Base - explicit, implied and implicit.

Explicit rules

The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.

Important - The Cleanup rule is a default explicit rule and is added with every new layer. You can change or delete the default Cleanup rule. We recommend that you have an explicit cleanup rule as the last rule in each layer.

Implied rules

The default rules that are available as part of the Global properties configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:

Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections rules allow packets that control these services:

Implicit cleanup rule

The default "catch-all" rule that deals with traffic that does not match any explicit or implied rules in the Policy Layers. For R77.30 or earlier versions Security Gateways, the action of the implicit rule depends on the Policy Layer:

Note - If you change the default values, the policy installation will fail.

The implicit rules do not show in the Rule Base.

Order of Rule Enforcement

When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer, sequentially from top to bottom, and enforces the first rule that matches a packet.

If the Action of the matching rule is Drop, the gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the gateway continues to check rules in the next Policy Layer down.

If none of the rules in the Policy Layer match the packet, the explicit Default Cleanup Rule is applied. If this rule is missing, the Implicit Cleanup Rule is applied.

Important - Always add an explicit Default Cleanup Rule at the end of each Policy Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.

Order in which the rules in each Access Control Policy Layer are applied:

  1. First Implied Rule - No explicit rules can be placed before it.
  2. Explicit Rules - These are the rules that you create.
  3. Before Last Implied Rules - Applied before the last explicit rule.
  4. Last Explicit Rule - We recommend that you use a Cleanup rule as the last explicit rule.

    Note - If you use the Cleanup rule as the last explicit rule, the Last Implied Rule and the Implicit Cleanup Rule are not enforced.

  5. Last Implied Rule - Remember that although this rule is applied after all other explicit and implied rules, the Implicit Cleanup Rule is still applied last.
  6. Implicit Cleanup Rule - The default rule that is applied if none of the rules in the Policy Layer match.

Best practices for performance-efficient Access Control Policy

Configuring the Implied Rules

Some of the implied rules are enabled by default. You can change the default configuration as necessary.

To configure the implied rules:

  1. In SmartConsole, from the Menu, select Global Properties.

    The Global Properties window opens.

  2. Select a rule to enable it, or clear a rule to disable it.
  3. For the enabled rules, select the position of the rules in the Rule Base:
    • First - The rule is applied before any other rule in the Rule Base
    • Last - The rule is applied if all other rules in the Rule Base were applied and none of them matched
    • Before Last - The rule is applied before the last explicit rule, if none of the other rules in the Rule Base matched
  4. Click OK and install the policy.

Choosing Rules to Track

Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy tracks all necessary rules. But when you track multiple rules, the log file will be large, and will require more disk space and management operations.

To balance these requirements, track rules that can help you improve your network security, help you understand of user behavior, and are useful in reports.

Configuring Tracking in a policy Rule

To configure tracking in a rule:

  1. Right-click in the Track column.
  2. Select a tracking option.
  3. Install the policy.
Tracking Options

You can add these options to a Log, Full Log, or Network Log:


If an Alert is selected, Log is selected automatically.