Configuring Implied Rules or Kernel Tables for Security Gateways
Introduction
An administrator configures Security Policy
Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. and other inspection settings in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..
During a policy installation, the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. creates the applicable files and transfers them to the target Security Gateways.
The Management Server creates these files based on:
-
Security Policy in SmartConsole
-
Global properties in SmartConsole
-
Multiple configuration files on the Management Server that control the inspection of various network protocols
It is possible to modify these configuration files on the Management Server to fine-tune the inspection in your network (in Check Point INSPECT language).
There are two main categories of these configuration files:
-
Files for Security Gateways that have the same software version as the Management Server.
-
Files for Security Gateways that have the a lower software version than the Management Server. This category is called "Backward Compatibility".
Configuration files
|
File Name |
Controls |
Location |
|---|---|---|
|
|
User-defined implied rules. |
|
|
|
Default implied rules. |
See Location of 'implied_rules.def' Files on the Management Server |
|
|
Definitions of various kernel tables. |
|
|
|
VPN encryption macros. |
|
|
|
Definitions for various kernel tables that hold VPN data. For example, VPN timeouts, number of VPN tunnels, whether a specific kernel table should be synchronized between cluster |
See Location of 'vpn_table.def' Files on the Management Server |
|
|
VPN encryption macros for X11 server (X Window System) traffic. |
See Location of 'communities.def' Files on the Management Server |
|
|
Definitions of packet inspection for various network protocols. |
|
|
|
Definitions of packet inspection for DHCP traffic - DHCP Request, DHCP Reply, and DHCP Relay. |
|
|
|
Definitions of packet inspection for GTP (GPRS Tunnelling Protocol) traffic. |
Configuration Procedure
-
Connect to the command line on the Multi-Domain Server
Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS.. -
Log in to the Expert mode.
-
Go to the context of the applicable Domain Management Server
Virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS.:mdsenv <IP Address or name of Domain Management Server> -
Back up the current file:
cp -v /<Full Path to File>/<File Name>{,_BKP}Example:
cp -v $FWDIR/conf/user.def.FW1{,_BKP} -
Edit the current file:
vi /<Full Path to File>/<File Name>Example:
vi $FWDIR/conf/user.def.FW1 -
Make the applicable changes as described in the applicable SK article, or as instructed by Check Point Support.
-
Save the changes in the file and exit the editor.
-
Connect with SmartConsole to the applicable Domain Management Server.
-
In SmartConsole, install the Access Control Policy on the applicable Security Gateway or Cluster object.