Best Practices for Access Control Rules
- Make sure you have these rules:
  - Stealth rule that prevents direct access to the Security Gateway itself.
  - Cleanup rule that drops all traffic that is not allowed by the earlier rules in the policy.
- Use Layers to add structure and hierarchy to the Rule Base:
  - Add all rules that are based only on source and destination IP addresses and ports to a Firewall/Network Ordered Layer at the top of the Rule Base.
  - Create Firewall/Network rules that explicitly accept safe traffic, and add an explicit cleanup rule at the bottom of that Ordered Layer to drop everything else.
  - Create an Application Control Ordered Layer after the Firewall/Network Ordered Layer. Add rules that explicitly drop unwanted or unsafe traffic, and add an explicit cleanup rule at the bottom of that Ordered Layer to accept everything else. Alternatively, put the Application Control rules in an Inline Layer as part of the Firewall/Network rules; in the parent rule of the Inline Layer, define the Source and Destination.
  - Share Ordered Layers and Inline Layers when possible.
  - For Security Gateways R80.10 and higher: if you have one Ordered Layer for Firewall/Network rules and another Ordered Layer for Application Control, add all rules that examine applications, Data Types (Content Awareness), or Mobile Access elements to the Application Control Ordered Layer, or to an Ordered Layer after it.
- Turn off XFF (X-Forwarded-For) inspection unless the Security Gateway is behind a proxy server. For more information, see sk92839.
- Disable a rule while you work on it, and enable it when you want it enforced. Disabled rules do not affect the performance of the Security Gateway. To disable a rule, right-click in the No column of the rule and select Disable.
Best Practices for Efficient Rule Matching
- Place rules that check only the source, destination, and port (network rules) higher in the Rule Base.
  Reason: network rules are matched sooner and turn on fewer inspection engines.
- Place rules that check applications and content (Data Types) below the network rules.
- Do not define a rule with Any in both the Source and the Destination together with an Application or a Data Type. Instead, define the Source, the Destination, or both explicitly in such rules.
  Reason: Application Control and Content Awareness rules require content inspection. Therefore, they:
  - Allow the connection until the Security Gateway has inspected the connection header and body.
  - May affect performance.
- For rules with Data Types: place rules that check File Types higher in the Rule Base than rules that check Content Types. See Content Column.
  Reason: File Types are matched sooner than Content Types.
- Do not use Application Control and URL Filtering in the same rule; this may lead to wrong rule matching. Use Application Control and URL Filtering in separate rules, so that the URL Filtering rule is matched as soon as the category is identified. For more information, see sk174045.
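Added example, not Check Point code: an offline linter that encodes the structural practices from the first section (stealth rule, explicit cleanup rules, Firewall/Network Ordered Layer first) and the matching-order practices above (network rules above content rules, no Any/Any with an Application or Data Type, File Types above Content Types, Application Control and URL Filtering in separate rules). The Layer and Rule objects and their field names are assumptions for the example, not the Management API schema, and the two sample policies with their object names (GW-1, Mgmt_Server, LAN_net, Internet, the application and category names) are constructed for illustration. In practice the rules would be loaded from the Management API's show access-rulebase output and mapped onto these fields.

```python
"""Offline linter for a unified Access Control Rule Base: an added example, not Check Point code.
Layers and rules are plain objects whose field names are assumptions, not the Management API schema;
good_policy() and bad_policy() are constructed samples with made-up object names."""
from dataclasses import dataclass, field
from typing import List, Optional

ANY = "Any"


@dataclass
class Rule:
    name: str
    source: str = ANY
    destination: str = ANY
    service: str = ANY
    action: str = "Drop"                                      # "Accept" or "Drop"
    applications: List[str] = field(default_factory=list)    # Application Control objects
    url_categories: List[str] = field(default_factory=list)  # URL Filtering categories
    data_type: Optional[str] = None                           # "file" (File Type) or "content" (Content Type)
    enabled: bool = True
    def inspects_content(self) -> bool:
        """True when matching needs Application Control / Content Awareness inspection."""
        return bool(self.applications or self.url_categories or self.data_type)


@dataclass
class Layer:
    name: str
    kind: str          # "network" (Firewall/Network layer) or "application" (Application Control layer)
    rules: List[Rule]


def lint_policy(layers: List[Layer], gateway: str) -> List[str]:
    """Return 'CODE: detail' findings; an empty list means the policy follows the practices."""
    findings: List[str] = []
    if not layers or layers[0].kind != "network":
        findings.append("LAYER-ORDER: the first Ordered Layer should be the Firewall/Network layer")
    for layer in layers:
        active = [r for r in layer.rules if r.enabled]   # disabled rules are not enforced, so skip them
        if not active:
            continue
        # Stealth rule: drop traffic to the gateway itself, with no Any-source accept rule above it.
        if layer.kind == "network":
            stealth = next((i for i, r in enumerate(active)
                            if r.destination == gateway and r.action == "Drop"), None)
            if stealth is None:
                findings.append(f"STEALTH: layer '{layer.name}' has no rule that drops traffic to '{gateway}'")
            else:
                for r in active[:stealth]:
                    if r.action == "Accept" and r.source == ANY and r.destination in (ANY, gateway):
                        findings.append(f"STEALTH: rule '{r.name}' can accept traffic to '{gateway}' above the stealth rule")
        # Explicit cleanup rule: Any/Any/Any Drop in the network layer, Any/Any/Any Accept in the Application Control layer.
        last = active[-1]
        expected = "Drop" if layer.kind == "network" else "Accept"
        is_any_rule = (last.source == ANY and last.destination == ANY
                       and last.service == ANY and not last.inspects_content())
        if not is_any_rule or last.action != expected:
            findings.append(f"CLEANUP: layer '{layer.name}' should end with an explicit Any/Any/Any {expected} rule")
        # Matching order: network rules above content rules, no Any/Any with content, File Types above Content Types.
        seen_content = seen_content_type = False
        for r in active:
            if r.inspects_content():
                if layer.kind == "network":
                    findings.append(f"PLACEMENT: rule '{r.name}' inspects applications/content in the Firewall/Network layer")
                if r.source == ANY and r.destination == ANY:
                    findings.append(f"ANY-ANY: rule '{r.name}' has Any source and Any destination with content inspection")
                if r.applications and r.url_categories:
                    findings.append(f"APPI-URLF: rule '{r.name}' mixes Application Control and URL Filtering; split it")
                if r.data_type == "content":
                    seen_content_type = True
                elif r.data_type == "file" and seen_content_type:
                    findings.append(f"FILE-TYPE: rule '{r.name}' checks File Types below a Content Type rule")
                seen_content = True
            elif seen_content and r is not last:
                findings.append(f"PLACEMENT: network-only rule '{r.name}' sits below a content-inspecting rule")
    return findings


def good_policy() -> List[Layer]:
    net = [Rule("Mgmt to gateway", source="Mgmt_Server", destination="GW-1", service="CPMI", action="Accept"),
           Rule("Stealth", destination="GW-1"),
           Rule("Draft, not in use", applications=["Zoom"], enabled=False),   # disabled: not enforced, not linted
           Rule("Cleanup")]
    app = [Rule("Block P2P", source="LAN_net", applications=["BitTorrent"]),
           Rule("Block executables", destination="LAN_net", data_type="file"),
           Rule("Block card data", source="LAN_net", destination="Internet", data_type="content"),
           Rule("Cleanup", action="Accept")]
    return [Layer("Network", "network", net), Layer("Application", "application", app)]


def bad_policy() -> List[Layer]:
    net = [Rule("Allow web", service="https", action="Accept"),     # Any/Any accept above the stealth rule
           Rule("Block P2P", applications=["BitTorrent"]),          # content rule in the network layer, and Any/Any
           Rule("Stealth", destination="GW-1"),                     # network rule below a content rule
           Rule("Cleanup")]
    app = [Rule("Social and news", source="LAN_net", applications=["Facebook"], url_categories=["News"],
                action="Accept"),                                   # Application Control and URL Filtering in one rule
           Rule("Block card data", source="LAN_net", destination="Internet", data_type="content"),
           Rule("Block executables", source="LAN_net", data_type="file")]  # File Type below Content Type; no cleanup rule
    return [Layer("Network", "network", net), Layer("Application", "application", app)]
```

Calling lint_policy(bad_policy(), "GW-1") returns seven findings, one per violated practice, while lint_policy(good_policy(), "GW-1") returns none; the disabled draft rule in the good policy is skipped, as the Security Gateway skips it. The Mgmt to gateway rule shows why the stealth check only objects to Any-source accept rules above the stealth rule: a rule that admits a specific management host to the gateway is the usual reason for placing something above it.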
To see examples of some of these best practices, see the Use Cases for the Unified Rule Base and Creating a Basic Access Control Policy.