Time
4 hours 44 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Hello and welcome back to Check Point Jump Start training.
00:04
in this module, we're going to get into creating a security policy.
00:10
So a security policy
00:13
we're gonna talk about what that is.
00:16
We'll also
00:17
dive into
00:19
explicit and implied rules
00:22
sections, which allow you to visually organize your rules
00:29
objects, which are used in rules as,
00:33
for instance, matching criteria. Should this rule match? Well, only if the source
00:39
is this network object,
00:43
then we'll look at policy layers and policy types.
00:48
In R80
00:50
there was a lot of new functionality added
00:55
then publishing and installing policy so that it is in production. It takes effect
01:00
and we'll demonstrate this.
01:03
So a security policy is
01:07
the set of
01:10
objects which
01:11
can represent hosts or networks or services or other things
01:19
settings
01:21
which can be per policy
01:23
but also global property settings which
01:27
apply to everything managed by this management server,
01:32
and rules. Rules are sort of the meat of your policy. They decide
01:38
what traffic should be permitted,
01:40
what traffic should be dropped
01:42
and to do other things such as decide whether or not we want to have more inspection of this traffic.
01:53
So
01:55
your policy is built
01:57
from rules that you explicitly add
02:01
to the policy.
02:04
So in this screenshot is a very generic example
02:08
of a policy with rules.
02:10
Rule number one
02:13
note the number column
02:15
rules are sequentially numbered from one to the last rule. And when we get to rule four, something interesting is happening. I'll talk about that.
02:25
The name column is yours to set. It should be something mnemonic that explains
02:32
intuitively what the purpose of this rule is,
02:37
because when you look at logs,
02:38
a log entry will have recorded which rule number
02:46
generated that log entry. But if I see okay, so this traffic was dropped by Rule 47. That doesn't really help me very much.
02:52
We'll also include the rule name. And so if I see that Rule 47 is the no file sharing rule, okay, that makes more sense.
03:01
Then we have matching columns, source
03:06
destination VPN,
03:08
services and applications
03:12
data, and you can't see it because we haven't scrolled over to the right. There's also a Time column,
03:20
and so source destination
03:23
that can consist of
03:25
host objects, network objects.
03:29
for source. You can also have identity based policy where we need to know
03:35
what group
03:37
is the user that is initiating this connection. What group are they in? What groups? Are they a member of the accounting group, for instance?
03:46
That's
03:46
something that you see in the source column. Not really in the destination column.
03:53
The VPN column is
03:54
not intuitive.
03:57
The VPN column does not decide if traffic should be encrypted
04:01
and transmitted via a site-to-site or remote access VPN. Instead,
04:09
the VPN column allows you to restrict a rule from matching
04:15
so that it can only match if the traffic is being sent through this specific VPN connection or
04:23
the set of VPN connections,
04:27
Services and applications allow you to match, well, a service, which is destination port and protocol,
06:34
443 TCP. That's HTTPS,
04:39
and
04:40
your Check Point deployment will come with all of the
04:44
internationally recognized services
04:47
already defined as service objects.
04:51
And then, if you have
04:54
other functionality enabled, such as licensed and enabled, such as the URL filtering or application control features,
05:04
then you have additional
05:06
objects which can be used in services and applications, such as, ah, a very,
05:13
very broad risk categorization of the website that the user is attempting to access if that website
05:20
is categorized as
05:23
high risk or critical risk, and we're just not going to allow it.
05:28
Also, you can
05:30
categorize traffic by the application associated with that traffic. For instance,
05:34
Office 365, Twitter, Facebook and so on.
05:41
The Data column
05:42
you may not see. You have to have
05:45
one of the features that looks at data, such as Content Awareness or Data Loss Prevention,
05:50
in order for that column to be displayed.
05:55
The Time column, which you can't see, allows a rule to match Monday through Friday, 8 a.m. to 5 p.m. local time. That's local to the security gateway
06:04
that's evaluating the policy,
06:08
but you can also have
06:11
in the Time column an object that says
06:14
this object expires
06:15
on
06:17
January 1st.
06:19
And that's a nice way to add a temporary rule, a rule that we gotta have for now. But
06:27
as of this date,
06:29
the rule should be turned off, and instead of a human administrator having to remember on that date log in turn that rule off, we can simply create a time object that specifies this expires on this date
06:44
and use that time object in the Time column of the rule. The rule will then automatically stop matching. It will be disabled
06:51
when we hit that
06:53
date and time.
06:56
Now, the Action column.
06:59
When
06:59
a rule is added to your security policy, the default action that is set is Drop.
07:05
There are other actions available. For instance, Rule number one.
07:10
The action of that rule has been modified to be Accept, and well, you need at least one rule that accepts traffic or your firewall
07:18
doesn't do much
07:23
if you look down at Rule number five at the bottom, the file sharing rule
07:29
that rule says, if anyone is going out to the Internet
07:32
to a file storage and sharing application,
07:38
the action isn't Accept or Drop, it's Ask, and this is called a UserCheck interaction.
07:46
So
07:46
this will
07:48
give
07:49
a Web page back
07:51
to the user that
07:54
is generated by the security gateway. And that Web page will have a message.
07:59
It says.
08:00
Are you sure that you want to be going to the site? It's categorized as such and such.
08:05
Check this box to say yes, I'm sure and click this button
08:09
that way.
08:09
It gives the user a warning, but it's not a hard no. If they have a reason,
08:16
then they can proceed.
08:18
But you know, this stuff is being logged,
08:20
logged, so you can review logs and follow up. Well,
08:24
what were you doing at that file sharing site? Justify this?
08:30
The Track column
08:31
by default is set to none. But best practice actually says
08:35
every rule should have a tracking action of log.
08:41
And with that, if the rule has a tracking action of Log and that rule is matched, then a log entry is generated with information about the connection that matched the rule
08:50
that had the log tracking action.
08:54
There are other tracking actions; we'll take a look at those. So
08:58
in most deployments,
09:01
there are some just general rules that are pretty
09:07
pretty universal.
09:07
For instance, management access rules that allow
09:11
authorized firewall administrators
09:15
to access
09:16
security gateways and security management servers and other Check Point infrastructure
09:22
via, ah, Secure Shell or HTTPS.
09:26
The stealth rule
09:28
is intended to catch all traffic directed at the security gateway itself.
09:35
So it'll have in the destination column
09:39
the security gateway object. If you have multiple security gateways,
09:43
all of their objects,
09:43
it has an action of drop
09:46
and a tracking action of log,
09:50
and that way, if somebody... Your security gateways are often Internet-facing; they're bastion hosts, they're directly exposed to the Internet. If somebody's port scanning your security gateway,
10:01
the stealth rule will drop their traffic
10:05
and log the fact that this was happening.
10:09
Critical subnet and tech support.
10:11
You may, for instance, have network administrators who need access to layer three switches and routers and so on.
10:20
We can restrict access to these critical network infrastructure hosts
10:26
from, for instance, a trusted subnet or, if you're doing identity based policy, somebody in the Net Admin group.
10:35
DNS, mail, SMTP rules allow access to these fundamental services,
10:41
whether the DNS server is internal and you want to block access to external DNS servers.
10:50
Mail and Web servers are typically on a demilitarized zone, DMZ, which is
10:58
a separate
11:00
physical network
11:03
that all of the
11:05
Internet-facing hosts, all of your servers that must accept incoming connections from the Internet. And that would be, for instance, an email server
11:13
and a Web server.
11:16
Those servers are isolated physically on a demilitarized zone network,
11:22
and
11:22
you have security policy that
11:26
really limits what can come in and out
11:28
of that DMZ network.
11:31
The Internet is only allowed to connect to the SMTP port
11:35
on my SMTP server. No other port.
11:39
The Internet is only allowed to connect to the HTTPS port on my Web server. No other port,
11:46
and best practice is
11:50
you do not allow a host on the DMZ network to initiate
11:54
a network connection to your internal trusted networks.
11:58
Because, since the DMZ hosts are directly exposed to the Internet, they're at elevated risk of compromise.
12:05
That's not always possible. Sometimes you have to allow a DMZ host
12:09
to initiate a connection internally.
12:11
If that's the case,
12:13
well,
12:13
least access. Allow only what must be allowed
12:18
and nothing else and definitely have an action of track on the rule that allows.
12:24
You'll also have a rule to allow internal users out to the Internet, and you may limit the services
12:31
that they're permitted to use going out to the Internet,
12:35
for instance, you probably don't want them doing SNMP or
12:41
Windows file sharing across the Internet.
12:45
And finally, the cleanup rule
12:48
is another Check Point best practice.
12:52
The cleanup rule should be the very last rule in your security policy.
12:58
It should always match, so all of the matching columns are Any,
13:03
it should have an action of drop
13:05
and a tracking action of log.
13:07
The idea with the cleanup rule is
13:11
if traffic
13:11
did not match any other rule in your policy. We evaluated all of the rules one after the other, none of them matched. We get to the cleanup rule, that will match,
13:22
will drop the traffic and log it,
13:24
because traffic that made it through to the cleanup rule is really unexpected traffic.
13:31
You put rules in for the traffic that you were expecting.
13:37
So the cleanup rule is showing you unexpected traffic and that could be useful for threat intelligence,
13:45
for example.
13:46
Now it's not strictly necessary
13:50
because
13:52
if no rule matches, we have a connection
13:56
that would not match any rule in your policy. So it falls off the end. Well,
14:01
falling off the end is an implied drop.
14:07
Check Point will drop that traffic, but it doesn't log it.
14:09
So the cleanup rule
14:11
allows you to log that traffic
14:16
Sections
14:16
allow you to visually organize or break up your rules.
14:22
So here we have the first section which we've named the section security gateways access
14:30
and inside of that section
14:31
is all of the rules,
14:33
from the section to the next section
14:37
or the end of your rules.
14:39
So the first section is just rules one and two, because there's another section before rule number three, the VPN section,
14:48
and so on. So if you have 100 rules,
14:52
you have just these two sections. The first
14:54
section would be rules one and two, and the second section would be rules three through 100.
15:01
Yeah,
15:03
The triangle box at the left of the section name
15:07
allows you to collapse that section. If you click on that triangle, it turns sideways, faces right, and
15:15
all of the rules in that section are not displayed. That gives you back a little bit more screen real estate, a little bit more vertical space.
15:24
So if I'm not dealing with security gateway access, I'm working on VPN rules, I can collapse the Security Gateway Access section.
15:33
also
15:35
rules that are collapsed.
15:37
You can't accidentally modify, so that's a nice thing.
15:43
So I've said that Check Point is a default-deny firewall. If we don't have a rule that matches and allows traffic,
15:54
the traffic is not allowed.
15:58
However,
16:00
some things are still being allowed, for instance, connections from the management server to the security gateways to install policy
16:08
or from the security gateway to the management server to send log data.
16:12
So the answer is
16:15
in addition to the explicit rules that you see in your policy
16:19
Check Point adds implied rules.
16:23
These implied rules are there to allow Check Point to function.
16:29
You cannot edit,
16:30
add or delete implied rules.
16:36
And some implied rules, specifically the ones that permit Check Point functionality to work,
16:41
are enabled by default. They're not displayed by default, so you don't see that these rules are there.
16:49
And most of these implied rules are first.
16:53
What that means is they go above your rule number one so they get to match before
16:59
any of your rules
17:00
and now, here we're viewing implied rules,
17:04
and
17:06
they look a little bit different. They've got a different color background. You've got some weird objects in the source and destination columns,
17:15
but these implied rules
17:18
are put there by Check Point to permit Check Point protocols
17:23
where needed.
17:25
I said that you cannot add, delete or edit implied rules.
17:30
You can turn them on and off
17:33
in
17:33
global properties, and we'll look at global properties later
17:40
Objects
17:41
allow you to
17:42
have a rule that conditionally matches instead of matching all the time.
17:48
You have a rule that matches only if the service is this.
17:52
So the most common types of objects that you'll be working with are network objects, such as a host or subnet or a range of IP addresses,
18:02
and service objects.
18:04
HTTPS, SMTP.
18:07
And if you have the URL filtering or application control or other access control blades enabled,
18:15
then you may have
18:17
URL filtering categories or application objects available as well.
18:25
I mentioned timed objects
18:27
and UserCheck interactions, which is where you can present a Web page
18:33
to the user who is trying to connect somewhere and say, Are you sure
18:37
you can also present a Web page that says You can't go there?
18:41
And it's a little bit more user friendly than a drop action, because with a drop action, the connection times out.
18:48
with the user check interaction that says no. Well,
18:52
they get a Web page that maybe explains why
18:56
So objects can be managed in multiple places in SmartConsole.
19:02
In this example, we brought up the Object Explorer window, which allows us to search for objects by name, by IP address, by any property of the object,
19:15
and we can limit our search in the categories menu off to the left.
19:18
I'm only searching for network objects.
19:26
So in your security policy,
19:30
you must have access control policy. Access control policy includes firewall policy and, well, firewall policy is required. It's the fundamental
19:42
packet filtering and stateful inspection components
19:47
of a security gateway
19:49
Threat prevention policy is optional, and we'll talk about what those policy types are,
19:56
So
20:00
Check Point allows you to have multiple policy packages.
20:06
A policy package is, in effect, a wrapper around your access control and threat prevention policy
20:14
that allows you
20:15
to have different policies for different groups or types of security gateways.
20:22
For instance, you might have a set of security gateways that are Internet-facing, external,
20:29
might have a different set of security gateways that are internal compartmentalization,
20:33
and a third category of security gateways, which are used for VPN connections,
20:40
and
20:41
the policies that each of these three types of
20:45
gateways should receive are different,
20:48
have different functions. They have different needs,
20:49
so you can create a policy package for each security gateway
20:56
or each group of security gateways
20:57
and tune the policy to the needs of that particular
21:03
class of security gateway,
21:07
and within a policy package
21:10
you can have
21:11
multiple
21:12
policies, and we'll look at that.
21:15
This is something that's new in R80.
21:18
The ability for a policy package to have, say,
21:23
three access control policy layers
21:27
and some of these layers may be of more general applicability.
21:33
I have a policy layer
21:34
that actually it makes sense to use this on my internal compartmentalization gateways as well as my exterior Internet facing gateways.
21:45
So rather than reinvent the wheel and have
21:48
two copies of this policy in two different policy packages, I can have just one
21:55
policy. It's called a policy layer
21:57
that is shared
21:59
and then use that in both policy packages.
22:03
And if you make a change to that shared policy layer, well, that change is reflected in all of the policy packages
22:10
which include it.
22:12
We'll talk about how layers can be ordered or put in line.
22:19
So
22:21
I mentioned there's access control and threat prevention. Focusing on access control,
22:27
in your access control policy, you must have at least one layer, and that layer must
22:33
be at least a firewall layer.
22:37
That's a requirement. Gotta be first, it's gotta have firewall.
22:42
And that firewall layer implements your
22:47
packet filtering, stateful inspection functionality. It can implement other layer seven functionality,
22:53
but it's needed for packet filtering and stateful inspection.
22:57
Must be number one,
23:00
but okay, you have your firewall layer. That makes a preliminary decision about what traffic should be allowed, what traffic should not.
23:11
If we match a rule in this firewall layer that says drop, then we're done.
23:15
We don't need to continue looking at other layers
23:19
and again within a layer.
23:22
We check the rules sequentially from top to bottom. Rule number one, are you a match? If not, rule number two, are you a match?
23:29
If not, rule number three, are you a match? You're a match.
23:32
What's the action? Action is Drop. Well, we're done. We're not gonna let the traffic through.
23:37
On the other hand, if the action is Accept,
23:38
then
23:40
at this point, we're going to go ahead and allow the traffic.
23:44
There's another layer waiting to be run, so we'll start running the rules in that layer from rule number one.
23:52
So here we've got a second layer which implements application control policy
23:59
using the URL filtering and application control functionality,
24:03
which is optional.
24:04
So
24:06
first the traffic must be allowed by the firewall layer. And maybe that just had a general rule that said if the service is HTTP or HTTPS, the action is Accept, let it go.
24:21
But in our second layer, the application control policy layer, we take a more detailed look at layer seven.
24:29
So
24:30
here we look at what website are they requesting?
24:33
What's the category of that website? What's the risk factor of that website
24:40
and then making
24:41
allow or deny decision based on layer seven data?
24:45
And then the third layer, for instance, might be some sort of data awareness or, ah,
24:52
or something else where if you are attempting to send out
24:56
an attachment that has payment card information or
25:00
or national identity number information,
25:03
you know,
25:04
something like a private key.
25:07
Then we can stop that in the third data control layer. And there's a couple of
25:14
features which use that.
25:18
A layer can be used in a policy package
25:21
either ordered, layer one, layer two, layer three, or inline,
25:26
and we'll take a closer look at
25:29
using a layer inline in a moment.
25:33
So if you have multiple layers that are ordered, layer one, layer two, layer three,
25:41
Then, as I said,
25:44
we must pass the first layer. You must match a rule whose action is Accept,
25:49
otherwise the traffic will not be allowed. We don't evaluate any further layers.
25:56
This example
25:56
We got down to rule number 12, and rule number 12 matched the connection and its action was Accept,
26:02
so right now, our choice. Our decision is we're going to accept this connection. We're gonna let it through.
26:07
Then we started evaluating the next layer in this policy package. Layer number two.
26:15
We got down to rule number 10 before we had a match. Rule number 10 matched and its action was Drop.
26:21
So final answer. We're going to drop the connection.
26:26
And we never got to layer three.
26:27
So in an ordered layer, we start with rule number one. We evaluate it. Does it match? If not, we go to rule number two. Does it match? We do that until we match a rule in that layer.
26:38
And again
26:40
you should have a cleanup rule, so that cleanup rule will match if nothing else did.
26:47
Then, once we've matched, we take the action. If the action is Drop or something similar, we're done.
26:53
If it's Accept, then we continue on to the next
26:57
ordered layer
27:00
in the policy package.
27:03
Another way of including multiple layers in a policy package is to make one layer inline to another.
27:11
In this example, we have our firewall layer,
27:15
and it has rule number one, rule number 2, 3, 4, 5.
27:19
But rule number two of this firewall layer,
27:22
the action isn't Accept or Drop.
27:26
It
27:27
is use this
27:30
layer inline, and the name of the layer it's using inline is URL filter,
27:34
and the URL filter layer has two rules.
27:38
So first we have to match rule number two. So that implies that we did not match rule number one.
27:47
We evaluated Rule number two, the outer rule number two. And that's a match.
27:52
So we see the action of this rule is run this inline layer. So we bring up the URL filter layer. We evaluate that
28:00
first rule of the URL filter layer,
28:04
which, since it's inline, is
28:07
dot one, so rule 2.1.
28:11
That didn't match.
28:12
So we fall through to the next rule in that inline layer, 2.2,
28:18
and that matched
28:21
and it had an action of Accept,
28:23
so that's going to be the decision of this layer. Now There may be other ordered layers behind this,
28:30
but as soon as we match rule number two, we were not gonna look below that for rule three or four. We matched rule number two,
28:38
and it's an inline layer, so we start running the rules of the inline layer.
28:45
And if we had matched 2.1 that said Drop, we would be done.
28:49
We matched 2.2, which says Accept, so provisionally, at this point, we're gonna accept and allow the connection.
28:57
But there may be another ordered layer next that
29:00
has a different decision.
29:06
Threat prevention policy.
29:08
A little bit different. Threat prevention policy
29:12
controls
29:14
the intrusion prevention system, Anti-Bot, Antivirus, Threat Emulation
29:19
features that are optional.
29:23
You can have multiple threat prevention policy layers in a policy package
29:30
again. Remember that a policy package must have an access control layer because you gotta have a firewall layer.
29:37
It's a requirement
29:40
It may have threat prevention layers. So, for instance, your VPN security gateways, perhaps they don't need threat prevention.
29:48
So the policy package for your VPN servers
29:52
does not include threat prevention policy.
29:56
But
29:57
if you do have threat prevention present in a policy package,
30:02
it can have one or more layers.
30:08
Access control policy layers are either ordered or inline or both. You can have
30:14
ordered layers
30:15
or some of them have an inline layer,
30:18
and again we start with the first layer. Rule number one doesn't match. We do that until we find a rule in that first layer that matches. And if its action is Drop, then we're done.
30:29
If its action is Accept, then we go to the next layer,
30:33
and if its action is an inline layer, well, then we run the rules of the inline layer,
30:37
so it's very deterministic
30:40
What the order of evaluation will be in access control layers.
30:45
Threat prevention layers, on the other hand,
30:48
simultaneously apply to all of your enabled threat prevention features, such as IPS
30:56
and Anti-Bot, etcetera.
30:57
Traffic is matched against
31:00
all of those features in all of the layers simultaneously
31:06
There is not a definable order for how that will be matched.
31:11
And if one layer has a verdict of don't allow this traffic
31:15
and another layer essentially simultaneously says, allow the traffic. Then we go with the safest option, the most strict option,
31:25
so we won't allow the traffic.
31:30
I mentioned Global Properties. Global Properties
31:33
are settings that apply to all Check Point devices managed by this management server,
31:40
and the default
31:41
screen that you get when you bring up the global properties window
31:45
configures or controls the implied rules. So
31:52
here
31:52
Control connections, the first option.
31:56
Those are the rules that permit Check Point functionality.
32:00
And then there are some other
32:02
implied rules,
32:05
such as Accept outgoing packets originating from the gateway. And the purpose of that rule is, if a security gateway wants to connect out to the Internet,
32:14
for instance, to check for updates or download
32:16
antivirus signatures or what have you
32:20
then it's allowed.
32:22
Note the positioning dropdown. Ah, some implied rules, you can't set their position. They're always first. But
32:31
allowing outgoing packets from a gateway
32:35
that actually you can control where it's placed. First, which again puts it above your rule number one.
32:42
There's also this option, Before Last. So that puts it above your last explicit rule, which again should be the cleanup rule.
32:52
And anything after the cleanup rule will never get to match because the cleanup rule should always match.
32:58
So we have this special case, Before Last,
33:01
put it above the cleanup rule. That way, it's below all of your other explicit rules
33:07
but above the cleanup rule.
33:09
There is also a dropdown option there, Last, which you would not normally use because you have a cleanup rule.
33:17
And at the very bottom there's a tracking option. Log implied rules. That's all or nothing. You cannot individually decide which implied rules to track.
33:29
All of them or none of them. And so if you check that box, then
33:32
traffic, which is permitted by an implied rule,
33:37
will be logged.
33:39
If you don't check that box, it's not checked by default.
33:43
then traffic which is permitted by an implied rule is silently allowed, and there's no logging.
33:52
So
33:52
you're an administrator. You've signed into SmartConsole,
33:58
and you're making changes or perhaps creating
34:00
policy.
34:04
When you are done with those changes, you must publish your policy for the management server
34:09
In effect, that updates the master database of Check Point configuration on the management server with your changes.
34:20
And recall, in an earlier module, I mentioned how you can have multiple simultaneous administrators
34:27
making changes
34:29
when an administrator makes a change to some rule or some object that becomes locked. Other administrators can't change it
34:37
until the administrator who changed it publishes their changes, at which point their changes become visible to everyone else.
34:47
We also need to remember to install our new policy.
34:52
Your changes are not in production. They're not effective on your security gateways until you install policy
35:00
and you must publish before you install policy.
35:05
However, if you click on the install policy button
35:07
and you have unpublished changes,
35:09
then it will tell you
35:12
you are required to publish your changes before installing. Click here to publish,
35:15
and it will just publish for you.
35:17
All right. Now, let's proceed with installing policy.
35:22
When you install policy, you designate the installation targets, which are the security gateways that you want this policy to be sent to.
35:31
And if you have multiple policy packages, like an external gateway policy package, an internal gateway policy package, a VPN gateway policy package,
35:40
you can configure the policy package with
35:45
the set of installation targets for that policy package.
35:47
It will only be installed to those security gateways, not everyone.
35:53
So when you click install policy,
35:55
the currently selected installation targets, it's by default all of your security gateways. You can change that.
36:06
We'll start the process of getting this new policy. So any changes that have not yet been published, you have to publish first.
36:14
Then, for each installation target, the management server will construct an individualized
36:21
low level firewall policy
36:23
will transmit that firewall policy to that security gateway,
36:29
which will between packets switch from the old policy to the new policy, and it will then inform the management server
36:37
done.
36:39
The management server will keep your SmartConsole application up to date: here the security gateways that are still processing, here the security gateways that have successfully installed policy, and here the security gateways that
36:53
couldn't, because perhaps they're down right now
36:57
or there's some error.
37:02
So I'm going to demonstrate creating a policy package and
37:07
then in that policy package, enabling both
37:10
access control and, ah,
37:14
threat prevention policy
37:15
and then creating rules in the policy package.
37:20
But we start
37:22
by looking at the Standard policy package. So select Security Policies,
37:29
and
37:30
I have two tabs displayed, and one of the tabs is labeled Standard. That's the name of the policy package,
37:38
and that Standard policy package is created when your management server is first initialized. It just automatically creates a Standard policy package
37:49
with an access control policy that contains firewall rules,
37:55
and
37:57
the firewall rules that you get,
38:00
it's just one rule, the cleanup rule.
38:04
So I've slightly modified this access control policy to
38:08
allow
38:10
traffic from the management network out to the Internet,
38:15
but nothing else.
38:16
What I want to demonstrate is creating another policy package and
38:23
customizing that policy package.
38:25
So if I click the plus sign here, there are no other policy packages to manage,
38:32
so that automatically shows me the Manage Policies tab. And
38:37
here we can see that there is indeed only one policy package, the Standard policy package.
38:44
I want to create another policy package. I have to click here in this
38:49
oh,
38:50
Manage Policies and Layers.
38:55
So
38:57
here I can create a new policy package, and in its policy package I have the two major policy types available: access control, which includes firewall, that's required,
39:09
and optionally threat prevention,
39:13
and, ah,
39:14
tell it I also want threat prevention policy.
39:20
Then,
39:21
under installation targets, I can customize which managed security gateways
39:28
should receive policy from this policy package. The default is
39:34
all security gateways, though at policy installation time, you can unselect specific gateways that shouldn't be receiving this policy.
39:45
But
39:45
what's easier than unselecting security gateways every time you install policy is to simply configure the policy package
39:53
for specific gateways. And I only have one gateway in this example environment.
40:00
But I'm gonna
40:01
include that.
40:04
So now
40:07
when I install this example policy,
40:10
it will automatically know that the only gateway that should receive it is a gateway.
40:16
Well, that's the only gateway, but we're ignoring that for now.
40:22
Another thing
40:24
under general is I can specify layers
40:30
both access control layers and threat prevention layers.
40:34
It doesn't really look like it right now, but
40:37
threat prevention does have one layer automatically. There's always at least one layer for the policy types that are selected.
40:47
So for access control policy,
40:51
I do want another layer
40:53
for application control.
40:57
There are currently no other layers available. I have to create that layer.
41:04
I'm gonna call this
41:13
AppControl_URLF,
41:17
because I want this layer to contain
41:21
application control and URL filtering. They're sort of a bundle; you can't have just one or the other, but what you can do is just not use any application control objects or not use any URL filtering objects.
41:35
I'm probably gonna use both.
41:37
So this layer
41:38
is
41:40
just for application control and URL filtering policy,
41:46
and
41:47
if there are other policy packages that want to use this application control and URL filtering layer,
41:57
I've enabled that this layer can be shared between multiple policy packages.
42:07
Another thing is
42:08
what should happen when
42:12
we run off the edge of the policy. We've evaluated every rule in the policy,
42:19
and for this connection, no rule has matched.
42:22
So we fall off the end of the policy.
42:25
What should the
42:29
behavior of the firewall be when that happens? The default is we drop the connection. If you don't have an explicit or implicit rule
42:38
to permit, then everything else is denied,
42:44
and that's appropriate for firewall policy. But for application control policy, that may not be appropriate. And so I want to change that to
42:53
well, if it doesn't match an application control or URL filtering rule,
42:58
it already passed the firewall policy that comes first;
43:02
by the time we get here, it just means that we didn't match anything in an application control or URL filtering type policy.
43:10
You're usually blacklisting: these are the sites that I don't want to allow.
43:17
So if I didn't match any of the rules in this policy that
43:22
describe sites I don't want to allow,
43:24
perhaps I want to allow
43:27
Again, as a best practice, you don't hit the implied cleanup action. You should have an explicit cleanup rule at the bottom of your policy layer
43:38
that
43:39
either accepts or drops the traffic and then has a tracking action.
43:45
And I'm gonna go ahead and set that up. But
43:49
still, I want the implied cleanup action for this layer to be accept.
43:54
One other setting available here is permissions. This gets into Check Point administrator permission profiles,
44:06
so I can say that any Check Point administrator who's currently managing policies
44:13
who is in this permission profile
44:16
group, if you will,
44:19
should be able to edit this policy
44:22
that allows for even more granular control over which Check Point administrators can make changes to which layers.
44:30
For this application control and URL filtering layer, I'm just leaving the default:
44:37
those that are in the Super User permission profile, which the built-in administrator I'm using is in,
44:45
or another permission profile
44:47
Read Write All, but you can't manage other administrators.
44:52
Both of those permission profiles. Administrators who have been assigned those profiles can edit this layer.
45:01
Having
45:05
created that layer, there's one more that I want to create,
45:08
a content awareness layer.
45:24
And this layer,
45:28
not surprisingly,
45:30
will contain just content awareness policy.
45:34
I also want to designate that this layer should be shared.
45:39
I don't
45:40
necessarily need to change the implied cleanup action because I'm gonna have an explicit cleanup rule in this layer as well. But
45:49
and change it to accept,
45:51
and I can also set the permission profiles that are allowed to modify this layer.
46:01
I've created this new policy, or policy package, I suppose, in the old terminology.
46:08
Once it's actually been created, we're sort of waiting for my slow virtual environment here.
46:16
Then the next step is to populate this new
46:21
policy with well rules.
46:25
Now the new layer
46:29
has been created, and you can see that there's now a tab,
46:32
ExampleCo_Policy.
46:36
That tab is selected, so I'm currently looking at that policy, and you'll note that you see the layers that I added to this policy
46:44
over under access control on the left
46:47
and the network layer, which is firewall policy, has automatically been selected.
46:53
I'm gonna dismiss the layer management window here
46:59
and
47:00
maybe populate this layer. So again,
47:02
whenever you create a layer, you get a cleanup rule
47:07
automatically provided,
47:08
and the default action of that cleanup rule is to drop
47:15
In this firewall layer, that's what I want. But also, the default tracking action is set to none.
47:22
Best practice is it should be set to log.
47:24
So
47:25
that's what I'll do
47:28
Now, this Install On column, by the way,
47:30
defaults to the vague term or object Policy Targets, and what that means is we want to install this rule
47:39
on every security gateway that we install the policy to.
47:45
You don't have to do that. If you have a rule that's really only appropriate for one of your security gateways,
47:52
then you can select that gateway, or you could have multiple gateways in the Install On column, and that rule will essentially only be
48:01
sent to, only be effective
48:05
on the security gateways that you've designated in the Install On column. Now, other rules in this policy
48:12
that have the default policy targets
48:15
they will get
48:16
the other rules, but not this rule if they're not selected in Install On.
48:23
So my firewall policy is very basic right now. In fact, it's not very useful because it's gonna match every connection and deny it. Drop it.
48:34
So I'm going to create
48:37
another rule above.
48:39
I will call this the demo rule
48:45
and this rule I want to match all traffic.
48:50
Oh, by the way, I'm still editing the Name column here. You can click somewhere else to finish editing or just hit the Escape key.
48:58
Hitting the Escape key says I'm done editing that name field,
49:02
so
49:05
I want to have this demo rule that allows traffic out
49:10
and also tracks.
49:17
But I can't have a demo rule where the source is any, the destination is any, the services and applications is any.
49:27
The time column over
49:29
that you can't see is also any, because that's a rule that will always match,
49:35
and
49:37
I can't have
49:38
a rule that always matches above any other rule because that means the rules below this demo rule would never get a chance to match. And that's actually an error.
49:52
The Check Point policy installation process will evaluate the policy that you want to install for errors,
50:00
and that's an error if it sees that there's a rule that can never be matched because above it is a rule that would match in every circumstance.
50:10
But anything the lower rule would match
50:14
means that
50:15
the above rule would always match, and we would stop evaluating the layer. And so the lower rule
50:22
can never match. That's an error.
50:25
So I need to distinguish
50:28
the demo rule in some way, and I could just disable the cleanup rule or do something else. But instead
50:37
I'm just going to put in a couple of conditions,
50:46
both you're coming from the management network
50:51
here,
50:53
the internal network,
51:01
and in an earlier module I created this Internal Networks group object,
51:08
which contains both the internal net 192.168.1
51:13
and another internal net 172.16.12.
51:17
Oh,
51:17
I'm just going to select that.
51:22
So now if the source of the connection is either something on my management network or something on my internal networks,
51:30
Then
51:31
this first rule, the demo rule, should match.
51:35
But there's at least the possibility that there could be connections that don't match Rule number one, in which case we get down to rule number two. So this will pass that
51:45
error check that policy installation does.
51:51
Yeah, and this is just a demo. In a production environment, you would, of course, have many more rules
51:58
that have much more granularity.
52:02
Under the application control and URL filtering layer,
52:07
again.
52:08
When a layer is created, it gets a cleanup rule
52:14
Here, I want the cleanup rule's action to be accept.
52:21
I could just select it.
52:22
And I want to track when we match the cleanup rule.
52:29
Now
52:30
recall that the tracking action here you have a couple of options under more
52:37
If I... my mouse is being a bit
52:47
and so the tracking action
52:52
is still log, but I also get the option of detailed and extended logs, and I'm just going to choose extended logs.
53:00
And
53:00
really, what this does is it
53:04
creates the regular log entry, but it populates it with additional information gleaned from layer seven inspection.
53:14
So the URL application control blade here
53:17
has layer seven awareness of the http or, if you're decrypting SSL, the https requests.
53:28
What
53:29
category of website are they trying to get to?
53:32
What
53:34
application, if any, is that website associated with such as Facebook or
53:40
or some other popular application, Twitter, LinkedIn, what have you.
53:46
And if so, then the application control and URL filtering blade can contribute what it gleaned
53:54
to the log entry. And that's what this extended log does.
54:01
My cleanup rule says
54:04
anything is allowed, we'll log that.
54:07
I wanna have some things that aren't allowed.
54:10
And these are things
54:13
that are specified
54:15
according to the application control.
54:28
The problem spelling.
54:38
So, my,
54:40
uh,
54:43
aptly named No Dangerous or Bad Sites rule.
54:46
I don't care about the source or the destination. What I'm mostly focused on here is the
54:52
application,
54:54
though in the Services and Applications column,
54:58
I could specify
55:00
service objects,
55:01
and there are
55:04
many thousands of service objects automatically created
55:07
Here, I'm not really caring so much about the service.
55:13
URL filtering and application control is only applicable for a specific subcategory of the services: HTTP, HTTPS and a couple of other protocols.
55:27
So I'm gonna limit
55:30
what's displayed here to just
55:32
URL filtering categories. I can also limit what's displayed here to specific applications or sites.
55:42
I'll just start with URL filtering
55:45
and
55:46
just select some high level
55:51
URL filtering categories
55:53
that
55:54
I want to block.
55:55
So here's a generic category, Critical Risk.
56:00
So this is applications and websites that may bypass security or hide identity.
56:07
These are known bad websites.
56:12
Also, this is my default sorted alphabetically.
56:15
I'm gonna add
56:17
High Risk websites.
56:22
The High Risk websites are those that may cause data leak or malware infection without the user knowing.
56:30
So I suppose websites that cause malware infection with the user knowing are okay, I'm not positive here.
56:37
Uh, and then maybe a couple of other
56:40
categories
56:42
will be included,
56:52
and also perhaps some applications should be listed here.
56:59
Again, this is something that the
57:00
application control and URL filtering blade is contributing, these objects,
57:07
and the objects for application control represent
57:12
a
57:15
company or a website
57:17
brand. So Facebook, Google, Bing, Microsoft, Twitter and so on and so forth,
57:25
but also represents specific applications that
57:30
use http or https to communicate. And that's most applications today because most firewalls
57:38
don't allow other services out.
57:43
So we do allow http and https out.
57:47
We'll just use that
57:49
with this application to communicate out to the Internet to do its thing.
57:55
So
57:58
just pick a couple of applications here that I want to block.
58:19
So if the outgoing connection
58:22
gets through the firewall policy, the network layer,
58:27
then we start evaluating the second layer in this policy package, the application control and URL filtering layer,
58:35
and we start at rule number one. If we match any of those
58:39
applications or URL categories in rule number one, then we'll take the action of drop. And again, best practice: the tracking should not be left at none;
58:52
instead
58:53
it should be set to at least log.
58:57
And again, I'll make this
58:58
detailed
59:00
rather than just
59:02
basic log.
59:12
Now, finally, content awareness.
59:17
My content awareness policy has an extra column
59:22
that
59:23
other policy layers didn't, the Content column,
59:29
and again, it starts with a cleanup rule, and I'm going to go ahead and
59:35
set a tracking action on this cleanup rule
59:38
and
59:40
accept anything that hits the cleanup rule.
59:45
But I want another rule here to block specific types of content.
60:06
And in this rule, I don't care about source or destination. I'm focused on content here
60:14
In the Content column, um,
60:16
there are many different types of content
60:21
that can be selected, and for this example, I'm just going to select,
60:30
Oh, maybe just private key files.
60:32
So
60:34
I have the option of which direction should I be looking at? Data going out, data coming in
60:42
and
60:43
here the default is either direction.
60:45
I'm going to change it to be just
60:51
uploading.
60:52
So
60:52
data going out is gonna be examined. Data coming in, this rule will not apply to.
61:00
So if anyone tries to exfiltrate private key data
61:04
over one of the protocols services that content awareness
61:08
knows how to look at,
61:10
then we're going to block that.
61:15
We're also going to
61:17
add more detailed logging,
61:25
But
61:28
block it, you know, I don't actually want to simply drop the connection.
61:32
Instead, I'm going to inform the user
61:40
that, uh,
61:43
here
61:44
I'm going to inform the user that they're not allowed to do that by giving them a web page.
61:50
So they're going to get a Web page generated on the security gateway that's
61:54
denying the connectivity
61:58
that tells them
62:00
No, you can't do that,
62:01
which is a little bit more informative than simply dropping the traffic and their browser, or whatever application, eventually saying connection timed out.
62:14
And that's such a good idea that I think I will also do that in the application control layer,
62:25
though for some types of content in the application control and URL filtering layer, I may, instead of just
62:35
denying
62:36
I may want to give the user a chance to
62:40
continue if they know what they're doing.
62:53
So I'm gonna create a questionable content rule and in here,
62:58
if you are trying to go out,
63:00
do
63:01
say,
63:02
a website that is categorized
63:09
as something that maybe you shouldn't be going to,
63:15
which is perhaps a Medium Risk website.
63:25
In this case, if you're going to a Medium Risk website, we're not going to drop your traffic.
63:31
Instead, we're going to ask you, Are you sure you want to go there?
63:46
That one gets
63:47
detailed logging.
63:58
So now I've sort of enhanced my URL filtering application control policy layer
64:04
and
64:06
populated all three layers with some
64:10
example rules.
64:14
But actually, you know, thinking about it, I don't really want the content awareness layer to be executed number three in line.
64:25
So I'm gonna go ahead and modify the layer
64:29
a little bit.
64:31
This policy, my
64:35
ExampleCo policy.
64:45
I'm actually going to take this shared content awareness layer out
64:50
of this policy as an ordered layer.
64:58
Note that this doesn't delete the layer. The layer is still out there.
65:04
It's just not used right now. In this
65:09
ExampleCo policy,
65:13
under layers access control, you can see the content awareness layer is still present.
65:18
It's just not
65:19
currently being used by the ExampleCo policy layer,
65:24
or a policy package.
65:27
So
65:28
here I think I'll make it an
65:30
inline layer instead of an ordered layer.
65:34
I'll change the action from accept to
65:38
content awareness.
65:41
And now rule number one.
65:44
Its action is run this sub-layer that I've already defined, this content awareness sub-layer.
65:49
And so if we match rule number one, then we will start evaluating the inline layer,
65:57
and rule 1.1, which is the first rule of the inline layer,
66:01
says If you're trying to upload a private key, we're going to block that.
66:08
Otherwise, we hit the cleanup rule in this inline layer, which says everything else is allowed.
66:15
If we didn't match rule number one, the demo rule, we would skip the entire inline layer and proceed directly to rule number two, the cleanup rule.
66:27
So now the content awareness layer is going to be evaluated
66:31
before the application control and URL filtering layer,
66:36
in the event that we match rule number one, the demo rule, in this first network layer.
66:45
Uh, so
66:46
that's an example of how access control layers work.
66:54
Now we'll take a look at threat prevention.
67:00
So
67:00
in this policy package, I have threat prevention policy type also enabled,
67:06
and a default rule is created for threat prevention policy.
67:14
And it's not exactly the same as access control rules. Note that there's no
67:19
cleanup rule provided; instead, the default rule I get, which is not named,
67:26
says,
67:28
for any protected scope, and so protected scope could be, say, my internal network
67:33
or anything in the internal zone
67:38
for anything in the protected scope.
67:42
I want you to use whatever
67:45
threat prevention blades are enabled
67:48
on this security gateway that's
67:50
looking at this connection,
67:55
any threat prevention blade that's enabled that is appropriate for this service. For this protocol,
68:03
we're going to use the optimized
68:08
profile and I'll talk about what that is,
68:14
though, with threat prevention selected
68:17
down here under
68:18
this left-hand side, the
68:23
options have changed. Let me go back to access control and you can see at the bottom.
68:28
Access Tools are displayed when I'm looking at access control policy.
68:33
With threat prevention, I have Threat Tools, and
68:36
one of the
68:40
options to examine under threat tools is profiles.
68:44
So this is threat prevention policy profiles,
68:47
which essentially just set the defaults
68:51
for whatever threat prevention,
68:57
threat prevention component
69:00
or Blade.
69:02
Uh,
69:03
I've designated, so
69:06
IPS is one threat prevention component, or blade.
69:12
There is also Anti-Bot, Anti-Virus, Threat Extraction and others.
69:19
By default, three profiles are available for you to select, to use in your threat prevention policy:
69:29
basic, optimized and strict,
69:31
and basic is,
69:34
well, just IPS policy.
69:39
optimized
69:40
is
69:42
all types of threat prevention that are available on the security gateway
69:48
and so is strict. The difference between optimized and strict is which protections are automatically enabled.
69:58
So with threat prevention,
70:00
you have
70:01
really three criteria that are evaluated to decide: should this threat prevention protection, whatever it is,
70:12
be applied to traffic.
70:15
And so the three criteria are performance impact, severity and confidence level.
70:23
Performance impact is how much of a CPU load is this going to be on the security gateway to perform this protection
70:31
and
70:32
by default, the optimized profile says anything with a performance impact of medium or lower is eligible to be used
70:43
if it's high or critical, then it's not eligible.
70:46
And second, we look at the severity rating for the protection. How bad is the threat that this protection is protecting us against?
70:59
And so for the optimized profile, it says any threat that has a severity of medium, high or critical,
71:08
medium or higher,
71:10
is eligible
71:13
and then confidence level. That's false positives. How likely is it that this protection
71:19
will
71:20
protect
71:21
on
71:25
benign traffic, on traffic that isn't actually associated with the threat that this protection is looking for?
71:33
So
71:34
with the optimized permission profile, if the confidence level is low, there's a high risk of false positives.
71:44
Then we
71:45
only detect the threat, so there'll be a log entry generated by whatever threat prevention blade
71:51
saying.
71:53
I saw this threat,
71:55
but
71:56
I didn't stop it.
71:58
I just logged it. I detected it
72:01
For anything where the confidence level is medium or high, fewer false positives, the optimized
72:08
profile says. Go ahead and actively prevent
72:12
and then the strict.
72:14
The big difference with the strict protection profile is we enable any protections with a performance impact of high, medium or low
72:26
and with the severity of low, medium, high or critical,
72:30
which is not exactly all protections. There are some protections with a severity
72:36
below low, but it's most of them, almost all of them.
72:42
And then again, we look at the confidence level of the protection, and those protections with a low confidence level we detect only. We don't actually prevent.
72:50
anything. With a higher confidence level, we actively prevent.
72:56
So these
72:57
profiles are pre defined.
73:00
You really can't do a whole lot with them. You can't delete them,
73:03
but what you can do is clone them and then make your changes to the clone of the protection profile,
73:10
and then in threat prevention policy.
73:13
You select which profile you want to be using. In this case, the default is we're going to use the optimized profile.
73:23
The threat prevention policy rule says:
73:27
When should we apply this threat prevention
73:30
profile? And right now,
73:33
all the time, every connection we should apply the optimized threat prevention profile.
73:45
One other thing I wanted to
73:48
quickly show is https inspection and other types of so called shared policies. These shared policies are global to all policy packages,
74:01
So one type of shared policy,
74:04
this
74:05
geo policy is
74:09
location based blocking,
74:14
so the location is
74:16
determined by the source i. P. Address of the connection.
74:20
Different countries have different IP address ranges assigned to them,
74:27
and there's a database of: this country has these IP address ranges, this other country has these other IP address ranges.
74:35
We can draw on that database to make a mapping between the source IP address of the connection and the origin country,
74:45
and here in this example, I am picking on the Democratic People's Republic of Korea
74:54
a.k.a. North Korea.
74:58
If traffic
75:00
originates from
75:02
or is heading to, I can specify the direction
75:09
the
75:11
Democratic People's Republic of Korea. Then I'm going to block
75:16
that connection
75:23
by adding a row. Here we go. So
75:26
you can select the direction
75:29
and the
75:30
country. And there are,
75:31
well, literally hundreds of countries out there
75:39
for this particular country.
75:42
I'm going to drop.
75:46
And again, this is a shared policy. So
75:49
this
75:50
geo protection rule, in effect, is applied to all of my policy packages.
76:00
The other thing is HTTPS inspection. HTTPS inspection policy currently is not
76:06
configurable or viewable in SmartConsole; you have to use the, air quotes, legacy SmartDashboard application
76:17
to look at or modify HTTPS inspection policy. So, in order for HTTPS inspection to even be offered here under shared policies, I have to have at least one security gateway
76:30
whose
76:31
configuration
76:33
in the security gateway's object
76:35
includes HTTPS inspection. I've gone to that security gateway's object,
76:42
and under HTTPS inspection in that security gateway's object, I've turned it on.
76:47
So once that's done,
76:49
now I can look at HTTPS inspection policy.
76:55
So HTTPS inspection policy
77:00
determines when we should decrypt the HTTPS, the TLS,
77:08
so we can see the HTTP inside of it, and when we should not.
77:13
As I said,
77:15
the inspection is accomplished using a man in the middle attack.
77:20
If we decide that we're going to inspect traffic
77:25
and this is
77:27
traffic that is appropriate, HTTPS traffic.
77:31
Normally your web browser that's initiating a connection out to some HTTPS website would get the website's certificate and use that
77:42
to securely arrive at a
77:45
shared secret, a
77:47
symmetric encryption key that could be used to protect the data going back and forth.
77:54
However, if the
77:56
security gateway
77:58
is instructed to inspect that traffic,
78:01
it will see that you're going out to some website, www.site.com.
78:06
That information is actually included as part of the TLS handshake,
78:12
and we need to inspect that so it will on the fly create a public private key pair
78:18
and the public key it will use to create a certificate that says this is for www.site.com,
78:27
and it will digitally sign that certificate with a certificate authority that was created on the security gateway. So this is not
78:35
the internal certificate authority that is used by SIC. This is a different certificate authority,
78:44
and
78:45
the biggest issue with HTTPS inspection is
78:49
the certificate that the client receives for the remote website
78:54
is digitally signed by a certificate authority that we just created on the gateway.
79:00
Your client web browser doesn't know that certificate authority, so it's gonna
79:03
throw
79:04
HTTPS security warnings
79:09
to the end user Every time they go to a website that you are inspecting because the certificate they get
79:16
that says it's from that website is not properly digitally signed by a trusted certificate authority.
79:24
What you need to do as a security administrator is arrange for the certificate authority
79:30
that's being used in HTTPS inspection to be trusted by your end-user clients.
79:36
How you do that is beyond the scope of this class. If you have active directory well,
79:42
there's your clue. Active directory makes it
79:45
easier.
79:46
Having said all of that, the actual HTTPS inspection policy is pretty straightforward.
79:53
When do you want to inspect
79:55
decrypt and when do you not want to?
79:58
The default
80:00
predefined rule, which is sort of the cleanup rule here, is
80:03
do the inspection
80:06
I added a rule above that, the do-not-inspect rule, that says under these circumstances don't decrypt.
80:15
So if you're going to a website that the URL filter
80:19
part of application control and URL filtering
80:23
has categorized as financial services or as a health site,
80:30
do not decrypt.
80:31
And that's because of privacy.
80:34
now, I might also say
80:38
above that
80:39
well, now a new rule number one: always inspect if they're going to a website that is categorized as risky somehow,
80:47
so that would override the fact that they're going to a financial services website. If it's a risky financial services website, we're still going to inspect.
80:57
But OK, currently, rule number one says for these categories, bypass.
81:03
Again, the site that the client wants to establish HTTPS to,
81:10
That site is transmitted in plain text during the TLS handshake,
81:15
and so HTTPS inspection can get the website name without having to decrypt
81:21
and then make a decision.
81:24
Should I decrypt or not?
81:30
Down here, there's an option which is selected by default: Bypass HTTPS Inspection of traffic
81:39
to well-known software update services,
81:42
and that's a list of
81:44
destination websites that
81:47
Check Point maintains, and your firewall, your security gateway, automatically fetches updates,
81:54
so that would include Check Point's update site for CPUSE,
81:59
but also things like Microsoft's update site and anti-virus update sites.
82:10
Now,
82:11
if I make changes to my inspection policy here in SmartDashboard,
82:17
I can't install policy here, really. There's a menu option
82:25
that allows me to do a couple of things that are in the legacy SmartConsole, but I can't really install policy now from SmartDashboard because that functionality is now handled by SmartConsole.
82:40
Really, all I can do is save any changes that I make
82:44
and then exit out of SmartDashboard.
82:46
Then I come back to SmartConsole, and any changes I made would now be reflected up here in the session,
82:55
as
82:56
you know, part of the number.
83:00
So I've demonstrated how to create a new policy
83:05
and populate it with layers,
83:09
including
83:11
ordered layers, do layer number one, then layer number two,
83:15
as well as inline layers: if this rule in this layer matches, run another layer.
83:21
We also looked a little bit of threat prevention policy and how that works, how it selects which protections should be enabled,
83:30
and then some shared policies,
83:31
geolocation and HTTPS inspection.
83:38
So
83:39
that's it for the demo. Thank you.
83:44
So in this module we looked at the Check Point security policy
83:47
and rules both explicit rules that an administrator creates and maintains,
83:55
as well as the implied rules that Check Point maintains.
84:00
We looked a little bit at sections, which allow you to more visually separate your rules,
84:05
objects, which are used in your rules to decide if the rules should match or not.
84:12
And that could be objects in the Action column, such as the UserCheck interaction object.
84:19
We also talked about
84:21
policy packages,
84:23
policy layers and policy types. So policy packages are
84:28
just a wrapper around your policy layers that
84:31
can be installed on
84:33
a specific set of your security gateways. And we have a different policy package
84:39
with different layers included get installed on this other set of security gateways.
84:45
Then the two major types of policy.
84:47
We have access control and threat prevention.
84:51
We discussed briefly publishing and installing policy,
84:57
and we demonstrated how to create a policy package populated with rules
85:01
and so on.
85:04
So thank you for attending this module.

Check Point Jump Start

In this course brought to you by industry leader Check Point, they will cover cybersecurity threats and elements of Check Point's Security Management architecture. This course will prepare you for their exam, #156-411, at Pearson Vue.

Instructed By

CheckPoint
Instructor