Management of a firewall policy can be a daunting endeavor, especially if you are in a situation where you are picking up where someone else left off. This brief list is intended to help you get on the right track toward a sensible, well-organized policy that will be easy for you and any other administrators you might work with to understand.
1.) Useful Rule Titles and Comments
You would think that this should be a no-brainer, but I can’t tell you how many firewall policies I have looked at during a troubleshooting session to see either no names at all or names that would make no sense to anyone other than the person who wrote them. Don’t assume that you will be the only person to ever have to review or administer your policy. Rule comments are even more useful, since you can use far more characters in this field. If you have a ticketing system that is associated with change control, put ticket numbers here along with a brief, helpful description of the purpose of the rule. Write something that you’d want to read if you were troubleshooting the policy with no prior knowledge of it.
2.) Sensible Rule Sections
This especially applies to larger policies. You will want to divide your firewall policy into sections based on the type of access, whether it is management access, outbound, inbound, or anything else including VPN rules and temporary rules. There’s nothing worse than trying to hunt down a particular rule in a 500+ rule policy and having no idea where to start looking. It will also assist with being able to quickly identify the best place for a new rule when it is being written.
3.) Use Stealth and Cleanup rules
A stealth rule is a rule that should be located as early in your policy as possible, typically immediately after any management rules. Its purpose is to drop any traffic destined for the firewall itself that is not otherwise explicitly allowed. You normally don’t want anyone on the internet to be able to interact directly with your firewall in any way outside of VPN client access and a few other special cases. A cleanup rule is simply a rule at the end of your policy that drops any traffic not explicitly allowed by an earlier rule. Ideally, both your stealth rule and, especially, your cleanup rule should be set to log for troubleshooting purposes. If there are especially chatty services that are quickly filling up your logs, you can create additional drop rules above the stealth rule to drop them without logging.
4.) Use Database Revisions
Database revisions are your best friend, but they are often forgotten. If you are doing anything that could be considered a major change, you will absolutely want to create a fresh database revision before beginning. Good examples are deleting unused rules, staging an IP cutover, or deleting old VPN communities. Note that there is also an option in the policy installation dialogue to create a database revision automatically every time the policy is installed. Unless your organization’s policy requires this, it is best avoided: it may fill up disk space faster than expected and cause issues down the road during upgrades. Additionally, we recommend doing a full policy export via the command line before doing any IPS updates rather than relying on a database revision.
5.) Take Advantage of Rule Hit Counts
If both your firewall(s) and management server are at least Check Point version R75.40, ensure that the hit count function is turned on. You can choose the period over which the counter shows hits, and it is invaluable for identifying and then disabling or removing unused rules. This is another technique that is extremely useful for keeping larger policies down to a more manageable size. If you have rules that haven’t had hits in 3-6 months, disable them and move them to a section of the policy that you have designated for that purpose, so that they can subsequently be removed.
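To make the ordering rules from item 3 and the hit-count idea from item 5 concrete, here is an added example (not from this post, and not Check Point’s own tooling) that models a first-match rulebase: management rules, then an unlogged drop for a chatty service, then a logged stealth rule, then the normal sections, and finally a logged cleanup rule. The policy, the network names (admin-net, fw-gw, web-dmz, and so on) and the sample traffic are constructed for illustration; the hit counter over that traffic then flags the rule that never matched.

```python
from dataclasses import dataclass
from collections import Counter

ANY = "any"  # wildcard for source, destination or service


@dataclass
class Rule:
    name: str      # descriptive title (item 1)
    section: str   # policy section (item 2)
    src: str
    dst: str
    service: str
    action: str    # "accept" or "drop"
    log: bool


# Constructed sample policy; "fw-gw" stands for the gateway itself.
POLICY = [
    Rule("Admin SSH to gateway", "Management", "admin-net", "fw-gw", "ssh", "accept", True),
    Rule("Drop noisy NetBIOS, no log", "Management", ANY, "fw-gw", "netbios", "drop", False),
    Rule("Stealth rule", "Management", ANY, "fw-gw", ANY, "drop", True),
    Rule("Web DMZ inbound", "Inbound", ANY, "web-dmz", "http", "accept", True),
    Rule("Old VPN partner", "VPN", "partner-net", "internal", ANY, "accept", True),
    Rule("Cleanup rule", "Cleanup", ANY, ANY, ANY, "drop", True),
]


def _match(field_value, packet_value):
    return field_value == ANY or field_value == packet_value


def evaluate(policy, src, dst, service):
    """First-match evaluation: returns (rule name, action, logged)."""
    for rule in policy:
        if _match(rule.src, src) and _match(rule.dst, dst) and _match(rule.service, service):
            return rule.name, rule.action, rule.log
    raise ValueError("no matching rule; the policy is missing a cleanup rule")


def hit_counts(policy, packets):
    """Per-rule hit counter over a list of (src, dst, service) tuples."""
    counts = Counter({rule.name: 0 for rule in policy})
    for src, dst, service in packets:
        counts[evaluate(policy, src, dst, service)[0]] += 1
    return counts


def unused_rules(policy, packets):
    """Rules with zero hits: candidates to disable and park for removal (item 5)."""
    return [name for name, hits in hit_counts(policy, packets).items() if hits == 0]
```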
These items are not intended to be an exhaustive list, but hopefully they will prove useful in your journey toward mastery of Check Point firewall administration.