Configuring Security Policy
This section describes how to work with Security Policy in small-scale deployment.
Creating the Security Policy
R80.20 and higher versions support ordered layers and inline layers for a policy, which is a set of rules that the gateway enforces on incoming and outgoing traffic. You can build a Rule Base with layers, each layer with its own set of security rules. Layers are inspected in the order in which they are defined, which gives control over the Rule Base flow and the precedence of security functionality. If an "Accept" action is matched in a layer, inspection continues in the next layer.
Sub-policies are sets of rules that you attach to specific rules. If the rule is matched, inspection continues in the sub-policy attached to the rule. If the rule is not matched, the sub-policy is skipped. For example, a sub-policy can manage a network segment or branch office.
Policy layers and sub-policies can be managed by specific administrators, according to their permission profiles.
Working with Security Zone Objects
A security zone object is a logical object that represents the network behind a specified interface. For example, an InternalZone object represents the internal network IP addresses behind all of the internal gateway interfaces.
You can use security zone objects to create a generic Security Policy and reduce the number of rules necessary in the Rule Base. This Security Policy can be applied to numerous Check Point gateways. Resolution of the Security Zone is done by the actual association on the Check Point appliance gateway object in SmartConsole.
Workflow
- Associate a Security Zone object with an interface in the gateway object.
- Use the Security Zone object in a rule.
- Install policy.
To associate a Security Zone object with an interface in the gateway object:
- Double-click a Check Point appliance gateway object.
- From Topology, select the applicable interface and click Edit.
- In the Security Zone field, select one of the predefined Security Zones.
- Optional - If you want to create a new Security Zone, click New, enter the details, and click OK.
- to close the Interface Properties window.
- to close the object window.
To create a rule with a Security Zone:
After you associate a security zone object with the applicable interface on the gateway, you can use it in a rule. To create a rule with a security zone, add the security zone object to the Source or Destination cell.
For example, to create a rule that allows internal users access to any external network, create a rule with these fields:
| Policy Field | Value |
|---|---|
| Source | InternalZone |
| Destination | ExternalZone |
| Action | Accept |
| Install On | One of these: |
- In the top section, click Access Control > Policy.
- Use the Add Rule buttons to position the rule in the Rule Base.
- Click in the Name column of the new rule and enter the applicable text.
- In the Source column of the new rule, click the + icon and select InternalZone from the list.
- In the Destination column of the new rule, click the + icon and select ExternalZone from the list.
- In the Action column of the new rule, select Accept.
- In the Install On column of the new rule, click the + icon and select the applicable object.
- .
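The ordered-layer, sub-policy and Security Zone behaviour described in Creating the Security Policy and in the rule above, modelled as an added Python example (not Check Point code); the interface-to-zone mapping, the zone name BranchZone and all rule names are assumptions chosen for illustration:

```python
# Toy model of the Rule Base semantics described above: ordered layers, inline layers
# (sub-policies) and Security Zone resolution by interface. Constructed example, not
# Check Point code; the interface, zone and rule names are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed interface -> Security Zone association (Topology page of the gateway object).
INTERFACE_ZONES = {"eth0": "ExternalZone", "eth1": "InternalZone", "eth2": "BranchZone"}

@dataclass
class Rule:
    name: str
    source: str       # Security Zone name or "Any"
    destination: str  # Security Zone name or "Any"
    action: str       # "Accept", "Drop" or "Inline Layer"
    sub_policy: List["Rule"] = field(default_factory=list)  # inspected only when this rule matches

def zone_match(rule: Rule, src: str, dst: str) -> bool:
    return rule.source in ("Any", src) and rule.destination in ("Any", dst)

def inspect_layer(rules: List[Rule], src: str, dst: str, trace: List[str]) -> str:
    """First matching rule decides the layer; a matched rule with a sub-policy hands
    the decision to that sub-policy, and an unmatched one is skipped entirely."""
    for rule in rules:
        if zone_match(rule, src, dst):
            trace.append(rule.name)
            if rule.sub_policy:
                return inspect_layer(rule.sub_policy, src, dst, trace)
            return rule.action
    return "Drop"  # implicit cleanup: nothing in this layer matched

def inspect(layers: List[List[Rule]], in_if: str, out_if: str) -> Tuple[str, List[str]]:
    """Ordered layers: an Accept continues into the next layer, a Drop ends inspection.
    Returns the final verdict and the names of the rules matched along the way."""
    src, dst = INTERFACE_ZONES.get(in_if, "Unknown"), INTERFACE_ZONES.get(out_if, "Unknown")
    trace: List[str] = []
    for layer in layers:
        if inspect_layer(layer, src, dst, trace) != "Accept":
            return "Drop", trace
    return "Accept", trace

# Constructed policy: two ordered layers; the first holds the rule from the table above
# and a branch-office rule with its own sub-policy.
BRANCH = [Rule("Branch web", "BranchZone", "ExternalZone", "Accept"),
          Rule("Branch cleanup", "Any", "Any", "Drop")]
ACCESS = [Rule("Internal to external", "InternalZone", "ExternalZone", "Accept"),
          Rule("Branch office", "BranchZone", "Any", "Inline Layer", BRANCH),
          Rule("Cleanup", "Any", "Any", "Drop")]
SECOND = [Rule("No branch to external", "BranchZone", "ExternalZone", "Drop"),
          Rule("Allow rest", "Any", "Any", "Accept")]
POLICY = [ACCESS, SECOND]
```

Traffic from eth2 to eth0 is accepted by the sub-policy in the first layer and then dropped by the second layer, which is the ordered-layer behaviour the text describes.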
Working with Updatable Objects
An updatable object is a network object which represents an external service, such as Office 365, AWS, Geo locations, and more. You can select from the list of updatable objects. The categories depend on the online service update.
External service providers publish lists of IP addresses, domains, or both to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published provider lists, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect.
For more information, see the Quantum Security Management Administration Guide for your version > Chapter Managing Objects > Section Network Object Types > Section Updatable Objects.
Known Limitations:
- Rules with updatable objects as a destination are ignored for HTTP/HTTPS traffic when an external proxy is used.
- Updatable objects cannot be used in Threat Prevention policy.
- Updatable objects cannot be used in HTTPS Inspection policy.
Installing a Security Policy
Use this procedure to prepare the policy for automatic installation when the gateway connects.
Note - If the Quantum Spark appliance is physically set up and configured, when you successfully complete this step, the policy is pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status.
At the end of the Install Policy process, the policy status for a Quantum Spark appliance that is not yet set up is "Waiting for first connection". This implies that trusted communication is not yet established between the Security Management Server and the Quantum Spark appliance. When the gateway connects it establishes trust and attempts to install the policy automatically.
To install a Security Policy in SmartProvisioning GUI:
- Click Policy > Install from the menu.
  The Install Policy window opens.
- Select the installation targets - the Quantum Spark appliance Security Gateways on which to install the policy and the policy components (such as Network Security or QoS).
  By default, all gateways that are managed by the Security Management Server are available for selection.
- In the Installation Mode section, select how the Security Policy should be installed:
  - On each selected gateway independently - For an appliance in the Management First deployment mode, only this option should be used.
  - On all selected gateways, if it fails do not install on gateways of the same version
- .
Important - If the Quantum Spark appliance defined by the appliance object is not yet set up and is in the Waiting for first connection status, you see this message: Installation completed successfully. This means that the policy is successfully prepared for installation.
Continue tracking the status of the Security Policy installation with the Policy Installation Status window and the status bar.
Viewing the Policy Installation Status
You can see the installation status of managed gateways with the status bar that shows at the bottom of the SmartConsole window. The status bar shows how many gateways are in Pending or Failed mode.
- Pending - gateways that are in the waiting for first connection status or are in the pending status (see below for detailed explanations).
- Failed - gateways that have failed to install the policy.
The status bar is updated dynamically each time a gateway tries to install a policy or tries to connect to the Security Management Server. The results of these actions are also shown in SmartConsole popup notification balloons when such events occur. You can configure these notifications.
To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window.
The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar opens below the filter fields.
The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, click Show details to show the details of unknown gateways that try to connect to the Security Management Server.
| Policy Status | Description |
|---|---|
| Succeeded | Policy installation succeeded. |
| Succeeded | Policy installation succeeded but there are verification warnings. |
| Waiting for first connection | A Quantum Spark appliance object is configured, but the gateway is not connected to the Security Management Server (initial trust is not established). |
| Waiting for first connection | Same as above, with warnings that attempts to establish trust failed or there are verification warnings. |
| Pending | The policy remains in the pending status until the gateway successfully connects to the Security Management Server and retrieves the policy. This status is shown only if there was at least one successful policy installation. For example, when the Security Management Server has problems connecting to the Gateway (the Gateway is unavailable for receiving communication, as in behind NAT). |
| Pending | Same as above but there are verification warnings. |
| Warning | Warning |
| Information | Information |
| Failed | Policy not installed due to a verification error. |
| Failed | Policy installation failed. |
You can access the Policy Installation Status window in these ways:
- From the menu bar - Click Policy > Policy Installation Status.
- From the toolbar - Click the Policy Installation Status icon.
- From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.
- From notification balloons - Click See Details in the balloon.
Setting the Management Server IP Address Behind a 3rd Party NAT Device
When you use the Management First deployment scenario, the policy is prepared to be fetched by appliances when they are configured.
During each appliance's first time configuration, the routable IP address of the Security Management Server is manually configured to create a first connection.
When SIC is established between the appliance and the Security Management Server, the policy is fetched for the first time. Then, an automatic mechanism calculates the routable IP address of the Security Management Server for the periodic policy fetch attempts. However, if the Security Management Server is located behind a 3rd party NAT device, the automatic mechanism fails.
In such cases, you can manually determine the routeable IP address of the Security Management Server, not only for the first connection. You can request that the appliance always attempt a connection with a manually configured IP address. You can configure this from the First Time Configuration Wizard - Security Management Server Connection page (select Always use this IP address and enter the IP address) or from the WebUI Home > Security Management page.