
R80 SECURITY MANAGEMENT LAB

R80.10 Training
(revised: September 14, 2018)

©2018 Check Point Software Technologies Ltd. 1


Lab

We’ve created a policy that reduces risk for our organization and employees and controls and educates our users on safe Internet use.

We’ve also discussed some security best practices.

In this lab we’ll explore ways to optimize our policy using R80 security management layers.


Lab topology (diagram; the labels recovered from it are listed below):

• Networks: Internal 192.168.101.x, DMZ 192.168.102.x, External 192.168.103.x (Gateway IP on the external side: 192.168.103.1; all machines are VMware VMs, shown suspended)
• R80 Management & Gateway: Eth0 192.168.101.254 (Internal), Eth1 192.168.102.254 (DMZ), Eth2 192.168.103.254 (External); User admin / Cpwins1!; GUI admin / Cpwins1!; Default Gtwy 192.168.103.2
• Internal Client (Kali, Internal network): IP 192.168.101.100; User jroberts / Cpwins1!; Default Gtwy 192.168.101.254; DNS 192.168.102.2
• Pen Test Tool (Kali, External network): IP 192.168.103.100; User root / Cpwins1!; Default Gtwy 192.168.103.254
• Endpoint Management Server (Internal network): IP 192.168.101.164; User admin / Cpwins1!; Default Gtwy 192.168.101.254
• Web Server (Ubuntu, DMZ): IP 192.168.102.5; User admin / Cpwins1!; Default Gtwy 192.168.102.254
• Active Directory (Win-DC, DMZ): IP 192.168.102.2; User Administrator / Cpwins1!; Domain LAB.TEST; Default Gtwy 192.168.102.254
• DNS servers shown in the diagram (per-host assignment not fully recoverable): 8.8.8.8, 192.168.102.2, 192.168.103.2, 127.0.1.1


R80 Security Management Lab

Policy Review
At a high level our policy:
• Inbound from the Internet
– Blocks all (clean up rule 13)
• Outbound to the Internet
– Blacklists access to risky sites from the 192.168.101.0 network (rules 4 – 10)
– Allows all else from the 192.168.101.0 network (rule 11)
– Allows all from the 192.168.102.0 network (rule 12)
• Internal
– Allows all between the Internal zone and the DMZ (rule 11 and rule 12)


Policy Review
• What if we want to download EXE files from the DMZ? Does our policy allow it?

• The Destination of Any in rule 9 will block it. This may be difficult to see in a complex policy with multiple sections and lots of rules.

• In the rule search bar, search for EXE and only the rules matching the search are shown, with the search object highlighted.

• Click x to delete the query. Notice that you can also search by token like Action:Drop or packet. Click ? to learn more about the search options. Packet Mode matches rules in the same way a packet with an IP address arriving at the gateway would.


Policy Review
• Our intent for rules 4 – 10 is to control access to the Internet and not the DMZ. There are a number of ways to fix this.
• Click + in the Destination column of rule 4.
• Type internet and we see two options (add both):
– All Internet address range (0.0.0.0 to 255.255.255.255)
– Internet object (double click to open, click ? for more info)
• Notice both include traffic to the DMZ. Not what we want.


Policy Review
• Right click to remove both Internet objects.

• We have more options.

• Add the Net_192.168.102.0 network object to the rule 4 destination column, then right click and select Negate Cell.

• In our simple 3 legged network this works, but requires 14 steps to add to rules 4 – 10.


Policy Review
• Right click to remove the Net_192.168.102.0 network object from rule 4.
• Security Zones is a nice option. Using the interface topology our rule will match packets going to the Internet and not to the DMZ zone.
• Add the ExternalZone object to rule 4. Then drag and drop to add it to rules 4 – 10.
• Install the policy.


Policy Review
• In addition to having a policy that matches our intent:
– our policy will be easier to apply to other R80.x gateways as a shared layer
– it provides better performance

• To understand this last point, press the F1 key to open the SmartConsole online help.


Policy Review
Search for performance, click Best Practices for Access Control Rules.


R80 Policy Layers
Policy Layers
One way to improve performance is to add layers to a policy.

The first connection traverses the rule base from the top to the bottom until a match is found.

In our policy this means that packets from the DMZ traverse rules 1 – 11 first before a match is found.

Typically the DMZ includes servers accessible from the Internet such as web servers. These may have a high hit count.

Over time we can use rule hit counts to move rules with higher hit counts up to optimize our policy. We can also use layers: inline and ordered.


Inline Layer
Inline policies have a parent rule.

Connections matching the parent rule are then inspected by rules in the inline layer.

Connections that do not match the parent rule skip the inline layer and then are checked against the next rule in the policy.


R80 Policy Layers
Packet Flow: Inline and Ordered Mode (slide 14)
[Diagram: three ordered layers, Access Layer, Content Layer and Data Layer, with a Web Control Layer as an inline layer inside the Access Layer; the example packet matches Rule 5.3 Accept in the inline layer, then Rule 8: Accept and Rule 10: Accept in the following ordered layers.]
Inline Layer
Rules 4 – 8 can be moved to an inline layer.

• Add a rule above rule 4.

• Drag the Source and Destination objects from rule 5 to rule 4.

• Click in the Action column and select Inline Layer -> New Layer.


Inline Layer
• Name the layer Web Control.

• Select only Applications & URL Filtering for the blades.

• Enable Sharing: Multiple policies and rules can use this layer.

• Click Advanced and change the Implicit Cleanup Action to Accept.

• Click on Permissions and notice we can restrict access to specific profiles to limit access to this section of the rulebase.


Inline Layer
• Click OK and this creates the Inline layer.

• Change the default explicit Cleanup rule 4.1 Action to Accept and the Track to Log.

• Select rules 5 – 9. Right click in the No. column, select Copy.


Policy Layers
• Select rule 4.1.

• Right click in the No. column and select Paste above.


Inline Layer
• This adds the rules to our inline layer. To make our layer more general, remove Net_192.168.101.0 from the Source column of rules 4.1 through 4.5. Ensure the 4.6 cleanup rule Action is Accept.

• Select rules 5 – 9, right click in the No. column, select Delete. Click OK to confirm. Install the policy.


Inline Layer
• Monitor the Policy Installation by expanding tasks (lower left) and notice that it fails to install.

• Click Details. This means rules 5 and 6 will never be matched. The service Any in rule 4 will always be matched first.

Note: Rules 4, 5, 6 source and destination are the same.
Inline Layer
Let’s try to solve this by creating an inline Data Control layer for rules 5 and 6 and specifying the services that Content Awareness matches.
• Click Close to exit the policy install Details.
• Navigate to MANAGE & SETTINGS -> Blades -> Content Awareness Advanced Settings.
• Notice this blade matches ftp, http/s, HTTP/S_proxy, and smtp.


Inline Layer
• Navigate back to the security policy and add a rule above rule 4.

• Add ftp, http, https, HTTP_proxy, HTTPS_proxy and smtp to the Services & Applications column.

• Click in the Action column and select Inline layer -> New Layer.


Inline Layer
• Name the layer Data Control.
• Enable Content Awareness only.
• Enable Sharing: Multiple policies and rules can use this layer.
• Select Advanced and change the Implicit Cleanup Action to Accept.
• Click OK.


Inline Layer
• Instead of copying and pasting, this time drag and drop rules 6 and 7 (our content awareness rules) to the new inline layer.

• Your policy should look like the below. Ensure the 4.3 CleanUp rule action is Accept.

• If you click in the services column of rule 4.1 you’ll notice that applications are not included.

• Install the policy.


Inline Layer
• Test the policy by browsing to sites that fall into the alcohol category.

• Notice these connections that were blocked before are now allowed.

• To understand why, do a packet mode search of the rules for the IP address 192.168.101.100.

Our Data Control cleanup rule matches and allows HTTP/S.


Inline Layer
• Select the Data Control layer rule 4.3.

• Click the Logs tab and double click to open one of the logs.

• Click on the Matched Rules tab and notice rule 4 and 4.3 are matched, but the Web Control layer is not checked.


Ordered Layer
• To fix this we could include the content awareness rules in the Web Control layer as before, but R77.x gateways don’t support content awareness and we’d like the option of using the web control layer in our R77.x policies.

• When we review the packet flow in slide 14 we notice that we can use layers in order instead of inline.

• Select rule 4. Right click in the No. column and select Delete.

• Click Yes to confirm the deletion.


Ordered Layer
• Right click on Policy and select Edit policy.

• Click + and add the Data Control layer to our Access Control policy.

• Click OK.


Ordered Layer
• This adds Data Control to our Access Control policy after the Network layer.

• Click OK.

• Notice that our 2 layers now show in the Access Control policy.

• If we wanted to, we could change the order in Edit Policy.

• Click Data Control to see the Data Control policy.

• Install the policy.


Ordered Layer
• Test the policy by browsing to expressvpn.com and sites that fall into the alcohol category.

• Search for putty or browse to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html.

• Try downloading some of the files to verify our policy works as expected.

• Select the Data Control rule 1 and double click to open one of the logs.

• Notice the Matched Rules include the Web Control and the Data Control layers.
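The first-match behaviour behind the Inline Layer and Ordered Layer slides (why the Data Control cleanup rule let the alcohol sites through and why making Data Control an ordered layer fixes it), modelled as an added Python example. This is not Check Point code: the rule contents (an "alcohol" URL category, an "exe" content type, one rule per layer) are a constructed, simplified stand-in for the lab's rules.

```python
from dataclasses import dataclass
ANY = "Any"

@dataclass
class Rule:
    no: str
    service: str = ANY         # protocol, e.g. "http"; Any matches everything
    category: str = ANY        # URL Filtering category, e.g. "alcohol"
    content: str = ANY         # Content Awareness data type, e.g. "exe"
    action: object = "Accept"  # "Accept", "Drop", or a Layer (an inline layer)

    def matches(self, conn):
        return all(getattr(self, k) in (ANY, conn.get(k)) for k in ("service", "category", "content"))

@dataclass
class Layer:
    name: str
    rules: list
    implicit_cleanup: str = "Drop"  # Advanced -> Implicit Cleanup Action

def evaluate_layer(layer, conn, matched):
    """First match, top to bottom; an inline layer is only entered through its parent rule."""
    for rule in layer.rules:
        if rule.matches(conn):
            matched.append(f"{layer.name}:{rule.no}")
            if isinstance(rule.action, Layer):
                return evaluate_layer(rule.action, conn, matched)
            return rule.action
    matched.append(f"{layer.name}:implicit cleanup")
    return layer.implicit_cleanup

def evaluate_policy(ordered_layers, conn):
    """Ordered layers: each layer in turn must accept; the first Drop ends the lookup."""
    matched = []
    for layer in ordered_layers:
        if evaluate_layer(layer, conn, matched) == "Drop":
            return "Drop", matched
    return "Accept", matched

# Constructed layers standing in for the lab's (one rule each, implicit cleanup Accept)
WEB_CONTROL = Layer("Web Control", [Rule("1", category="alcohol", action="Drop")], "Accept")
DATA_CONTROL = Layer("Data Control", [Rule("1", content="exe", action="Drop")], "Accept")

def inline_only(conn):  # both inline: Data Control parent rule 4 (http) sits above Web Control parent rule 5
    net = Layer("Network", [Rule("4", service="http", action=DATA_CONTROL),
                            Rule("5", action=WEB_CONTROL), Rule("13", action="Drop")])
    return evaluate_policy([net], conn)

def ordered(conn):  # Web Control stays inline in the Network layer, Data Control is an ordered layer
    net = Layer("Network", [Rule("4", action=WEB_CONTROL), Rule("13", action="Drop")])
    return evaluate_policy([net, DATA_CONTROL], conn)
```

With both layers inline, an HTTP request to an alcohol site is accepted by the Data Control cleanup without Web Control ever being consulted; with Data Control ordered, the same request is dropped by Web Control and an EXE download is dropped by Data Control, with both layers listed in the matched rules.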


Ordered Layer
• Navigate to Menu -> Manage policies and layers.

• Click Layers and notice the mode of the Data Control and Web Control layers in the Standard policy. One is inline and the other is ordered.

• Select Policies again and click New to create a new policy.


Policy Layers
• Name the policy My_policy.

• Click + in Access Control and select Web Control.

• Click OK. Click Close.


Policy Layers
• This creates an empty network policy with a default firewall cleanup rule and Web Control in an ordered layer.

• Click Menu -> Manage policies and layers.

• Select Layers and notice that the Web Control is used as an inline layer in Standard and as an ordered layer in My_policy.

• Click Close and Publish to save the changes.

• We can use this ordered My_policy to manage R77.x gateways.


Review Questions

1. Extra Credit: Do we need to modify the Web Control layer to be compatible with R77.x gateways?
2. Can we delete the Net_192.168.101.0 object from the source column in the Data Control layer?
3. Do we need to delete the ExternalZone object in the Data Control layer to make it compatible with R77.x gateways?


ADVANCED TOPICS

Check Point Community
CheckMates Community

End of Lab