Configuring the Check Point Firewall policy for the first time using the Check Point SmartConsole built-in API interface
In this video you can watch the default Check Point Policy Package, named Standard, being configured with a new set of rules. Before that is done, new objects must be created. The objects are used in the rules and represent the internal networks/subnets and hosts that are explicitly allowed access through the firewall.
The rules should be easy to read and self-explanatory, and the API commands should be easy to interpret. Note that every rule is added at position 1, so each new rule pushes the earlier ones down and the rules end up in the rulebase in the reverse of the order in which they were entered; the access-section positions (1, 4 and 8) refer to that final order.
The API commands used during this demonstration were:
add host name A-GUI ip-address 10.1.1.201 color brown
add host name A-LDAP ip-address 192.168.11.101 color "violet red"
add host name A-DMZ ip-address 192.168.12.101 color orange
add network name "A-MGMT-NET" subnet "10.1.1.0" subnet-mask "255.255.255.0" color brown
add network name "A-INT-NET" subnet "192.168.11.0" subnet-mask "255.255.255.0" color "violet red"
add network name "A-DMZ-NET" subnet "192.168.12.0" subnet-mask "255.255.255.0" color orange
add group name Alpha-Net members.1 A-MGMT-NET members.2 A-INT-NET members.3 A-DMZ-NET
set access-rule layer "Network" name "Cleanup rule" track "Log" install-on A-GW-Cluster
add access-rule layer "Network" position 1 name "LDAP" source.1 Alpha-Net destination.1 "A-LDAP" service.1 "ldap" service.2 "ldap-ssl" action "Accept" track "Log" install-on A-GW-Cluster
add access-rule layer "Network" position 1 name "Outgoing" source.1 "A-INT-NET" source.2 "A-MGMT-NET" service.1 "http" service.2 "https" service.3 "ftp" action "Accept" track "Log" install-on A-GW-Cluster
add access-rule layer "Network" position 1 name "DMZ" destination.1 A-DMZ action "Accept" track "Log" install-on A-GW-Cluster
add access-rule layer "Network" position 1 name "DNS" source.1 Alpha-Net service.1 DNS action "Accept" track "Log" install-on A-GW-Cluster
add access-rule layer "Network" position 1 name "Stealth" destination.1 "A-GW-Cluster" track "Log" install-on A-GW-Cluster
add access-rule layer "Network" position 1 name "Management" source.1 "A-GUI" destination.1 "A-SMS" destination.2 "A-GW-Cluster" service.1 "https" service.2 "ssh_version_2" action "Accept" track "Log" install-on A-GW-Cluster
add access-rule layer "Network" position 1 name "Do Not Log" service.1 "bootp" service.2 "NBT" action "drop" install-on A-GW-Cluster
add access-section layer Network position 1 name Management
add access-section layer Network position 4 name "Network Traffic"
add access-section layer Network position 8 name Cleanup
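As an added example (not from the video and not Check Point tooling), the Python script below replays the rule and section commands above to show the final rule order, since every add at position 1 pushes the earlier rules down, and then runs two pre-install checks: the Cleanup rule is last and the Stealth rule sits above every Accept rule except the explicit Management rule. The command list is a constructed copy trimmed to the fields that decide ordering, and the Standard package is assumed to already contain its default Cleanup rule.

```python
import shlex
# Constructed replay of the commands above, trimmed to the fields that decide rule order.
COMMANDS = """
add access-rule layer "Network" position 1 name "LDAP" source.1 Alpha-Net destination.1 "A-LDAP" service.1 "ldap" service.2 "ldap-ssl" action "Accept"
add access-rule layer "Network" position 1 name "Outgoing" source.1 "A-INT-NET" source.2 "A-MGMT-NET" service.1 "http" service.2 "https" service.3 "ftp" action "Accept"
add access-rule layer "Network" position 1 name "DMZ" destination.1 A-DMZ action "Accept"
add access-rule layer "Network" position 1 name "DNS" source.1 Alpha-Net service.1 DNS action "Accept"
add access-rule layer "Network" position 1 name "Stealth" destination.1 "A-GW-Cluster" track "Log"
add access-rule layer "Network" position 1 name "Management" source.1 "A-GUI" destination.1 "A-SMS" destination.2 "A-GW-Cluster" service.1 "https" service.2 "ssh_version_2" action "Accept"
add access-rule layer "Network" position 1 name "Do Not Log" service.1 "bootp" service.2 "NBT" action "drop"
add access-section layer Network position 1 name Management
add access-section layer Network position 4 name "Network Traffic"
add access-section layer Network position 8 name Cleanup
"""
def parse(line):
    """Split one SmartConsole CLI command into (verb, object, params); source.1/source.2 fold into a list."""
    tok = shlex.split(line)
    params = {}
    for key, val in zip(tok[2::2], tok[3::2]):
        base, _, idx = key.partition(".")
        if idx:
            params.setdefault(base, []).append(val)
        else:
            params[base] = val
    return tok[0], tok[1], params

def build_rulebase(commands):
    """Replay the commands on the Standard package (its default Cleanup rule assumed present)."""
    rules, sections = [{"name": "Cleanup rule", "action": "Drop"}], {}
    for line in commands.strip().splitlines():
        verb, obj, p = parse(line)
        if (verb, obj) == ("add", "access-rule"):
            # 'position 1' inserts at the top, so the rules land in reverse entry order; no action means Drop.
            rules.insert(int(p["position"]) - 1, {"name": p["name"], "action": p.get("action", "Drop")})
        elif (verb, obj) == ("add", "access-section"):
            sections[int(p["position"])] = p["name"]  # section header sits above rule N
    section = None
    for n, rule in enumerate(rules, 1):
        section = sections.get(n, section)
        rule["section"] = section
    return rules

def check_ordering(rules):
    """Cleanup must be last; Stealth must precede every Accept rule except Management."""
    names = [r["name"] for r in rules]
    problems = [] if names[-1] == "Cleanup rule" else ["Cleanup rule is not last"]
    for r in rules[:names.index("Stealth")]:
        if r["action"].lower() == "accept" and r["name"] != "Management":
            problems.append(f"{r['name']} precedes Stealth")
    return problems
```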
Good References:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk163814
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Front-Matter/Front-Matter-Important-Information-IUG.htm
In this video you can see new HTTP connections between a client and a server (client to server, C2S) being entered into the Check Point SecureXL connections table so that the web page is downloaded in the fast path, meaning that all traffic passing through the firewall after the initial SYN packet takes the fastest possible path between the ingress and egress interfaces.
In this video the Database Revision option, added in version R80.40, is used to roll back a new configuration.
The recently built policy is lost when the DB Revision rollback happens.
The objects that were also recently created are lost (effectively deleted).
Later in the video the API commands are used to quickly restore/rebuild the policy as well as the objects that the policy uses.
This video shows the Check Point SecureXL software acceleration connections table adding new entries for connections that are being established.
In this case only SYN packets arrive and the connections are never established, because the traffic is a SYN flood attack coming from a Kali Linux source.
hping3 -S --flood -V 203.0.113.171 -p 80