Best Practices for Access Control Rules

  1. Make sure you have these rules:

  2. Use Layers to add structure and hierarchy of rules in the Rule Base (all rules configured in a given Security Policy; synonym: Rulebase).

  3. Add all rules that are based only on source and destination IP addresses and ports, in a Firewall/Network Ordered Layer at the top of the Rule Base.

  4. Create Firewall/Network rules to explicitly accept safe traffic, and add an explicit cleanup rule at the bottom of the Ordered Layer to drop everything else.

  5. Create an Application Control (Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection; acronym: APPI) Ordered Layer after the Firewall/Network Ordered Layer. Add rules to explicitly drop unwanted or unsafe traffic. Add an explicit cleanup rule at the bottom of the Ordered Layer to accept everything else.

    Alternatively, put Application Control rules in an Inline Layer (a set of rules used in another rule in the Security Policy) as part of the Firewall/Network rules. In the parent rule of the Inline Layer, define the Source and Destination.

  6. Share Ordered Layers and Inline Layers when possible.

  7. For Security Gateways R80.10 and higher: If you have one Ordered Layer for Firewall/Network rules, and another Ordered Layer for Application Control, add all rules that examine applications, Data Type (classification of data in a Check Point Security Policy for the Content Awareness Software Blade), or Mobile Access (Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients; acronym: MAB) elements to the Application Control Ordered Layer, or to an Ordered Layer after it.

  8. Turn off the XFF inspection, unless the Security Gateway is behind a proxy server. For more, see sk92839.

  9. Disable a rule when working on it. Enable the rule when you want to use it. Disabled rules do not affect the performance of the Security Gateway. To disable a rule, right-click in the No column of the rule and select Disable.

Best Practices for Efficient Rule Matching

  1. Place rules that check the source, destination, and port (network rules) higher in the Rule Base.

    Reason: Network rules are matched sooner, and turn on fewer inspection engines.

  2. Place rules that check applications and content (Data Types) below network rules.

  3. Do not define a rule with Any in the Source and in the Destination, and with an Application or a Data Type. For example, these rules are not recommended:

    Source | Destination | Services & Applications | Content
    -------|-------------|-------------------------|--------------------
    Any    | Any         | Facebook                |
    Any    | Any         |                         | Credit Card numbers

    Instead, define one of these recommended rules:

    Source | Destination | Services & Applications | Content
    -------|-------------|-------------------------|--------------------
    Any    | Internet    | Facebook                |
    Any    | Server      |                         | Credit Card numbers

    Reason for 2 and 3: Application Control and Content Awareness (Check Point Software Blade on a Security Gateway that provides data visibility and enforcement; see sk119715; acronym: CTNT) rules require content inspection. Therefore, they:

    • Allow the connection until the Security Gateway has inspected the connection header and body.

    • May affect performance.

  4. For rules with Data Types: Place rules that check File Types higher in the Rule Base than rules that check for Content Types. See Content Column.

    Reason: File Types are matched sooner than Content Types.

  5. Do not use Application Control and URL Filtering (Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks; acronym: URLF) in the same rule; this may lead to wrong rule matching. Use Application Control and URL Filtering in separate rules. This makes sure that the URL Filtering rule is used as soon as the category is identified. For more information, see sk174045.
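The matching best practices above (network rules first, no Any/Any with an application or Data Type, an explicit cleanup rule at the bottom) can be checked before a policy is installed. The following linter is an added example, not Check Point code: it models one Ordered Layer as a list of dicts, and the field names and object names ("Any", "Internet", "Server") are assumptions made for the example.

```python
# Added example (not Check Point code): lint a single Ordered Layer against the
# rule matching best practices. Field and object names are assumptions.

MSG_ANY_ANY = "Any source and Any destination with an application or Data Type"
MSG_ORDER = "network rule placed below an application/content rule"
MSG_CLEANUP = "no explicit cleanup rule (Any/Any/Drop) at the bottom of the layer"

def inspects_content(rule):
    """True if the rule needs content inspection (applications or Data Types)."""
    return bool(rule.get("applications") or rule.get("content"))

def is_cleanup(rule):
    """Explicit cleanup rule: Any source, Any destination, no content match, Drop."""
    return (rule["source"] == "Any" and rule["destination"] == "Any"
            and not inspects_content(rule) and rule.get("action") == "Drop")

def lint_layer(rules):
    """Return a list of (rule_no, message) findings; an empty list means no issue found."""
    findings = []
    seen_content_rule = False
    for rule in rules:
        if is_cleanup(rule):
            continue  # placement of the cleanup rule is checked after the loop
        if inspects_content(rule):
            seen_content_rule = True
            # Best practice 3: Any/Any plus an application or Data Type means every
            # connection must be inspected before the rule can match.
            if rule["source"] == "Any" and rule["destination"] == "Any":
                findings.append((rule["no"], MSG_ANY_ANY))
        elif seen_content_rule:
            # Best practices 1 and 2: network rules belong above content rules.
            findings.append((rule["no"], MSG_ORDER))
    if not rules or not is_cleanup(rules[-1]):
        findings.append((rules[-1]["no"] if rules else 0, MSG_CLEANUP))
    return findings

# Constructed sample layer; rule 1 is the "not recommended" Any/Any/Facebook rule.
SAMPLE_RULES = [
    {"no": 1, "source": "Any", "destination": "Any", "applications": ["Facebook"], "content": [], "action": "Accept"},
    {"no": 2, "source": "Internal_Net", "destination": "Any", "applications": [], "content": [], "action": "Accept"},
    {"no": 3, "source": "Any", "destination": "Internet", "applications": ["Facebook"], "content": [], "action": "Accept"},
    {"no": 4, "source": "Any", "destination": "Server", "applications": [], "content": ["Credit Card numbers"], "action": "Drop"},
    {"no": 5, "source": "Any", "destination": "Any", "applications": [], "content": [], "action": "Drop"},
]

if __name__ == "__main__":
    for no, msg in lint_layer(SAMPLE_RULES):
        print(f"rule {no}: {msg}")
```

Running it reports rule 1 for the Any/Any application match and rule 2 for a network rule sitting below a content rule; moving rule 2 to the top clears both findings.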

To see examples of some of these best practices, see the Use Cases for the Unified Rule Base and Creating a Basic Access Control Policy.