Security Policy

Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. is a collection of rules and settings that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.

Check Point solution provides several types of Security Policies.

Access Control Policy

Description

Access Control Policy consists of these parts:

Access Control Rule Base

For more information, see the R81 Security Management Administration Guide.

In addition, see sk120964 - ATRG: Unified Policy.

Contains unified simple and granular rules to control access from specified sources to specified destinations over specified protocols.

If you enable Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. on your Security Gateways, you can also use Access Role objects as the source and destination in a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.. This lets you easily make rules for individuals or different groups of users.

How to get there:

Connect with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
From the left navigation panel, click Security Policies.
In the Access Control section, click Policy.

Rule structure:

No	Name	Source	Destination	VPN	Services & Applications	Action	Time	Track	Install On
#	Your Rule Name	Specific Source objects	Specific Destination objects	Specific or All VPN Communities	Specific or All Service objects Specific or All Application objects	`Accept` or `Drop` or `Reject` or `User Auth` or `Client Auth`	`Any` or Specific Time object	`Log` (with `Accounting`) or `Alert` or `None`	`Policy Targets`

Name

Source

Destination

VPN

Services & Applications

Action

Time

Track

Install On

Your Rule Name

Specific Source objects

Specific Destination objects

Specific or All VPN Communities

Specific or All Service objects

Specific or All Application objects

Accept

Drop

Reject

User Auth

Client Auth

Any

Specific Time object

Log

(with Accounting)

Alert

None

Policy Targets

NAT Rule Base

For more information, see the R81 Security Management Administration Guide.

Contains automatic and manual rules for Network Address Translation (NAT).

How to get there:

Connect with SmartConsole to the Management Server.
From the left navigation panel, click Security Policies.
In the Access Control section, click NAT.

Rule structure:

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On	Comments
Automatic Generated Rules
NAT Rules for X (Y-Z)
#	Specific Source objects	Specific Destination objects	Specific or All Service objects	`= Original` or Specific object	`= Original` or Specific object	`= Original` or Specific object	`Policy Targets` or Specific Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. objects	Your Comment

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Install On

Comments

Automatic Generated Rules

NAT Rules for X (Y-Z)

Specific Source objects

Specific Destination objects

Specific or All Service objects

= Original

Specific object

= Original

Specific object

= Original

Specific object

Policy Targets

Specific Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. objects

Your Comment

Desktop Rule Base

For more information, see the SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. Help (press F1).

Prerequisites:

In the Security Gateway (Cluster) object, enable the IPsec VPN and the Policy Server Software Blades.
In the Policy Package, enable the Desktop Security.

This policy is installed on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.. Remote Access Clients download this policy when a VPN Site update is performed. Once downloaded, this policy determines access control on the Remote Access Client machines.

The Desktop Policy consists of two Rule Bases:

Inbound Rules - Control connections directed at the client machine
Outbound Rules - Control connections initiated by the client machine

How to get there:

Connect with SmartConsole to the Management Server.
From the left navigation panel, click Security Policies.
In the Access Control section, click Desktop.
Click Open Desktop Policy in SmartDashboard.
From the top, click the Desktop tab.

Rule structure:

No	Source	Desktop	Service	Action	Track	Comment
#	`Any` or Specific Source objects	`All Users@Any` or Specific User Group objects	`Any` or Specific Service objects	`Accept` or `Block` or `Encrypt`	`None` or `Log` or `Alert`	Your Comment

Source

Desktop

Service

Action

Track

Comment

Any

Specific Source objects

All Users@Any

Specific User Group objects

Any

Specific Service objects

Accept

Block

Encrypt

None

Log

Alert

Your Comment

Threat Prevention Policy

Description

For more information, see the R81 Threat Prevention Administration Guide.

Determines how the system inspects connections for bots and viruses. The primary component of the policy is the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. The rules use the Malware database and network objects.

If you enable Identity Awareness Software Blade on your Security Gateways, you can also use Access Role objects as the scope in a rule. This lets you easily make rules for individuals or different groups of users.

How to get there:

Connect with SmartConsole to the Management Server.
From the left navigation panel, click Security Policies.
In the Threat Prevention section, click Policy.

Rule structure:

No	Name	Protected Scope	Source	Destination	Protection/ Site/ File/ Blade	Services	Action	Track	Install On	Comments
#	Your Rule Name	Specific objects	Specific Source objects	Specific Destination objects	`N/A` (or your specific objects in an exception rule)	`Any` or Specific Service objects	`Basic` or `Optimized` or `Strict` or Your Profile	`None` or `Log` or `Alert` In addition: `Packet Capture` `Forensics`	`Policy Targets` or Specific Security Gateway and Cluster objects	Your Comment

Name

Protected
Scope

Source

Destination

Protection/
Site/
File/
Blade

Services

Action

Track

Install On

Comments

Your Rule Name

Specific objects

Specific Source objects

Specific Destination objects

N/A

(or your specific objects in an exception rule)

Any

Specific Service objects

Basic

Optimized

Strict

Your Profile

None

Log

Alert

In addition:

Packet Capture

Forensics

Policy Targets

Specific Security Gateway and Cluster objects

Your Comment

HTTPS Inspection Policy

Description

For more information, see the R81 Security Management Administration Guide.

Inspects the HTTP / HTTPS traffic with these Software Blades:

Security Gateways cannot inspect HTTPS traffic because it is encrypted. You can enable the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. feature to let the Security Gateways create new SSL connections with the external site or server. The Security Gateways are then able to decrypt and inspect HTTPS traffic that uses the new SSL connections.

How to get there:

Connect with SmartConsole to the Management Server.
From the left navigation panel, click Security Policies.
In the HTTPS Inspection section, click Policy.

Note - In addition, in the HTTPS Tools section, click Additional Settings.

Rule structure:

No	Name	Source	Destination	Services	Category/ Custom Application	Action	Track	Blade	Install On	Certificate	Comment
#	Your Rule Name	`Any`	`APPI_global_obj_Internet` or Specific Destination objects	`TLS default services` or Specific Service objects	`Any` or Specific objects	`Inspect` or `Bypass`	`None` or `Log` or `Alert`	`All` or Specific Blade	`Policy TLS Targets` or Specific Security Gateway and Cluster objects	`Outbound Certificate` or Your Certificate for Inbound Inspection	Your Comment

Name

Source

Destination

Services

Category/
Custom
Application

Action

Track

Blade

Install On

Certificate

Comment

Your Rule Name

Any

APPI_global_obj_Internet

Specific Destination objects

TLS default services

Specific Service objects

Any

Specific objects

Inspect

Bypass

None

Log

Alert

All

Specific Blade

Policy TLS Targets

Specific Security Gateway and Cluster objects

Outbound Certificate

Your Certificate for Inbound Inspection

Your Comment

Data Loss Prevention Policy

Description

For more information, see the R81 Data Loss Prevention Administration Guide.

Prevents unintentional data leaks by catching protected data before it leaves your organization.

How to get there:

Connect with SmartConsole to the Management Server.
From the left navigation panel, click Manage & Settings.
From the left tree, click Blades.
In the Data Loss Prevention section, click Configure in SmartDashboard.
From the top, click the Data Loss Prevention tab.
From the left tree, click Policy.

Rule structure:

Flag	Name	Data	Source	Destination	Protocol	Exceptions	Action	Track	Severity	Install On	Time	Category	Comment
Category Name(Y-Z)
`No Flag` or `Follow Up` or `Improve Accuracy`	Your Rule Name	Specific Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade.	`My Organization` or Specific Source objects	`Outside My Org` or Specific Destination objects	`Any` or `E-mail` or `FTP` or `HTTP`	Shows: `none` or The number of exceptions added for this rule (double-click this cell)	`Detect` or `Inform User` or `Ask User` or `Prevent` or `Watermark`	`Email` or `Log` or `Alert` and how to store an incident	`Low` or `Medium` or `High` or `Critical`	`DLP Blades`	`Any`	`None` or Specific Category	Your Comment

Flag

Name

Data

Source

Destination

Protocol

Exceptions

Action

Track

Severity

Install On

Time

Geo Policy

Description

For more information, see the R81 Security Management Administration Guide.

Creates a policy for traffic to or from specific geographical or political locations.

How to get there:

Connect with SmartConsole to the Management Server.
From the left navigation panel, click Security Policies.
In the Access Control section, click Policy.
Follow sk126172 to use Updatable Objects in the Source and Destination columns.

For additional information, see the SmartConsole Online Help (press F1).

Important - From R81, Security Gateways no longer support Geo Policy configured in SmartConsole > Security Policies view > Shared Policies section > Geo Policy (Known Limitation PMTR-56212).

Rule structure:

Country	Direction	Action	Track	Comments
Specific Country object	`From and To Country` or `From Country` or `To Country`	`Accept` or `Drop`	`None` or `Log` or `Alert`	Your Comment

Country

Direction

Action

Track

Comments

Specific Country object

From and To Country

From Country

To Country

Accept

Drop

None

Log

Alert

Your Comment

Mobile Access Policy

Description

For more information, see the R81 Mobile Access Administration Guide.

Controls which user groups have access to which applications, when connecting through a Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Security Gateway.

How to get there:

Connect with SmartConsole to the Management Server.
From the left navigation panel, click Manage & Settings.
From the left tree, click Blades.
In the Mobile Access section, click Configure in SmartDashboard.
From the top, click the Mobile Access tab.
From the left tree, click Policy.

Rule structure:

No	Users	Applications	Install On	Comment
#	`All Users` or Specific User objects	`Any` or Specific Custom Application objects	`Any` or Specific Security Gateway objects	Your Comment

Users

Applications

Install On

Comment

All Users

Specific User objects

Any

Specific Custom Application objects

Any

Specific Security Gateway objects

Your Comment