Awesomely described. Need to see more of your lectures on the R80 console.
Thank you for watching and commenting!
Are you going after a CCSA cert or only refreshing your skills on R80 :) ?
I learned you can use an NFS mount to extend your storage. This solution is several times cheaper than upgrading the Check Point hardware.
Hi Magnus, is there another way to reset hit count on a specific rule other than sk111832?
With regards to time-based rules, keep in mind that these rules will not drop an existing connection when the time expires; they will only block new connections. The only way to drop existing connections is to automate policy install with connection rematch enabled.
PS: if possible, don't use time-based rules, as they tend to break SecureXL connection templates.
Just as info :) You can kill an existing connection with a SAM rule as well. But that's for fast response during, like, an attack, as a SAM rule doesn't need a policy push.
@MagnusHolmberg-NetSec you can also delete the connections from time-based rules by creating a script activated by a cronjob using: fw tab -t connections -x but this is quite advanced and should only be done if you know what you are doing.
@anonymous4298 hehe, these videos are made for CCSA level :)
Don't want to scare off people who are just starting with advanced CLI commands.
@MagnusHolmberg-NetSec you might want to add this to your description and add a hashtag #CCSA, it will bring more views. 🙂
I learned that since R80 Check Point doesn't exactly read the rule base top down; rather, to be more accurate, it's column based. It looks for any rule that matches the source address, then makes a list of what it found, then moves to the destination column and looks for matches and makes another list... etc., etc., moving from one column to the other until it finds the matching rule.
Yes, the rules are processed in the background in a different way (starting with R80.10 gateways).
Yes, it's correct, it's called column based. This allows for jumping in the rulebase faster for processing.
But seen from the user and how it's applied within the rulebase, it's top down.
Regards
Magnus :)
You can check out sk111643 for even more info.
But I would say this is not "CCSA level" :)
This forum post also explains it well:
community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/td-p/9888
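An added illustration of the point made above (example code, not from the video, the commenters or Check Point's implementation): a constructed rulebase is matched one column at a time, narrowing a candidate set of rules, and the lowest surviving rule number is the match, which is the same rule a top-down walk would pick. The rulebase, addresses and ports are all constructed sample data.

```python
import ipaddress

# Constructed sample rulebase: source column, destination column, service column.
# None in a cell means "Any". Rule 4 is the cleanup rule, so something always matches.
RULES = [
    {"name": "1 mgmt",    "src": ["10.0.0.0/24"], "dst": ["10.0.1.10/32"], "svc": [22, 443], "action": "accept"},
    {"name": "2 web",     "src": None,            "dst": ["10.0.1.10/32"], "svc": [80, 443], "action": "accept"},
    {"name": "3 dns",     "src": ["10.0.0.0/16"], "dst": ["10.0.2.53/32"], "svc": [53],      "action": "accept"},
    {"name": "4 cleanup", "src": None,            "dst": None,             "svc": None,      "action": "drop"},
]


def column_matches(cell, value, is_ip):
    """True if the packet value matches one cell. IP cells hold CIDR strings, service cells hold ports."""
    if cell is None:  # "Any"
        return True
    if is_ip:
        ip = ipaddress.ip_address(value)
        return any(ip in ipaddress.ip_network(c) for c in cell)
    return value in cell


def match_column_based(rules, src, dst, svc):
    """Column-based matching: filter the whole rulebase per column, keep the
    surviving rule indices, and return the lowest one (= first rule in the view)."""
    candidates = set(range(len(rules)))
    for col, value, is_ip in (("src", src, True), ("dst", dst, True), ("svc", svc, False)):
        candidates = {i for i in candidates if column_matches(rules[i][col], value, is_ip)}
        if not candidates:
            return None
    return rules[min(candidates)]["name"]


def match_top_down(rules, src, dst, svc):
    """Classic first-match walk over the same rulebase, for comparison."""
    for r in rules:
        if (column_matches(r["src"], src, True)
                and column_matches(r["dst"], dst, True)
                and column_matches(r["svc"], svc, False)):
            return r["name"]
    return None
```

Both functions return the same rule for every packet; only the order in which the columns are inspected differs, which is why the rulebase still reads top down for the administrator.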
Hi, thanks for the information. May I check how to extract firewall rules with the "Hits" field?
Hi, not sure if that's possible, will look into it :)
Hello, Magnus.
A query, please. When customers have several policy packages and, in turn, several ClusterXL managed from one SMS, and they ask you to create a rule from a source to a destination, how can I know in which of all their policy packages I must apply their requirements? Could you please guide me?
There is no really good way to answer this, as the rulebases can be built however the network admin wants to.
So you as a company need to set your own policy on how policies should be made. It all depends on traffic flow.
Where should rules be placed? Close to source or close to destination.
If there is no clear way, it's trial and error :) meaning ask the user to send some traffic and check in the logs where the traffic is blocked. (As all gateways will send the logs to the same place in an SMS.) That way you will see which firewall and policy blocked the traffic and be able to edit the specific firewall policy that is assigned to that firewall.
Can I use IP addresses for rule source or destination, instead of a network object ID?
You need to use an object to represent the IP; if you want to represent a single IP, this would be a host object.
You can also do network or IP range objects to represent more than one IP.
@MagnusHolmberg-NetSec aaah, I see, thank you
How to check the NAT policy hits?
Johns, currently the only way to do it is to do a search in the logs for xlate and do something like an export to Excel and try to figure it out (complicated). For R81 (currently EA) there is NAT hit count; it will also be possible to use dynamic objects within the NAT rules. community.checkpoint.com/t5/Product-Announcements/R81-EA-Program-Production/ba-p/86945
How does the gateway identify users for source filtering in policies? They are just a bunch of IP packets; there is no LDAP user information in IP packets!!!
You will need to connect the Check Point environment to the AD, then Check Point will read the security log and map users to IPs.
I would recommend to use the identity collector.
supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108235
@MagnusHolmberg-NetSec I was suspecting that. In the end, it all comes down to the source IP address of the packets, now correlated with the user somehow through AD. Thank you for the kind and fast reply.
@alejandrorodriguez3771 yes, but the big thing here is that rules can be built on AD groups, meaning they are dynamic.
And mapping between user and IP goes really fast, so it's a really cool solution that is a great help for building a zero trust network :)
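An added example of the mechanism discussed in this thread (not from the video, Check Point or the commenters): logon events are turned into an IP-to-user table, and a rule whose source is an AD group is evaluated against that table, so the rule follows the user rather than the address. The event format, the account names and the group membership are all constructed and deliberately simplified; a real identity source uses Windows security events or the Identity Collector's own reporting.

```python
import re
from typing import Dict, Set

# Constructed logon events in a simplified "user=<account> ip=<client>" form.
# The same IP appears twice: alice logs on first, later carol takes over the host.
LOGON_EVENTS = """\
2024-01-15T08:01:02 logon user=CORP\\alice ip=10.0.0.5
2024-01-15T08:02:10 logon user=CORP\\bob ip=10.0.0.9
2024-01-15T09:15:44 logon user=CORP\\carol ip=10.0.0.5
"""

# Constructed AD group membership, what a query for the groups would return.
AD_GROUPS: Dict[str, Set[str]] = {
    "Server-Admins": {"CORP\\alice"},
    "Helpdesk": {"CORP\\bob", "CORP\\carol"},
}

EVENT_RE = re.compile(r"logon user=(?P<user>\S+) ip=(?P<ip>\S+)")


def build_ip_user_map(events: str) -> Dict[str, str]:
    """Map each client IP to the account most recently seen logging on from it.
    A later logon from the same IP replaces the earlier identity."""
    mapping: Dict[str, str] = {}
    for line in events.splitlines():
        m = EVENT_RE.search(line)
        if m:
            mapping[m["ip"]] = m["user"]
    return mapping


def group_rule_matches(src_ip: str, group: str, ip_user: Dict[str, str],
                       groups: Dict[str, Set[str]]) -> bool:
    """Evaluate a rule whose source column is an AD group: resolve the packet's
    source IP to a user, then check that user's group membership. Unknown IPs
    carry no identity and never match an identity-based source."""
    user = ip_user.get(src_ip)
    return user is not None and user in groups.get(group, set())
```

Changing group membership in AD_GROUPS changes the result without touching the rule, which is the "dynamic" property described in the comment.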
Long live Sweden
Hehe thank you :)
keep it in English or at least in Goblin 😄
Hehe, was I not speaking in English :)?
Trash firewalls, FortiGate is much more intuitive.
Just make sure to patch your FortiGate boxes :)
Has not been a good year for them, a lot of security issues.