Last updated August 29th, 2024 by Erez Tadmor
Whether you have a single domain or multi-domain Check Point firewall deployment, you chose it because its next-generation firewalls (NGFW) have a reputation for scalability, provisioning, and consistent control across physical and virtual networks.
Check Point firewalls provide security automation that supports a broad range of public cloud environments.
With this checklist, you can review your current Check Point firewall configurations as part of implementing best practices.
Security Management Server Basics
To optimize your Security Management Server, you should enable any or all of the following Management Software Blades:
- Network Policy Management: Security policy unified across various functionalities
- Endpoint Policy Management: Software Blade for end-user device security and data management when installing Endpoint Security Management Server
- Logging and Status: Monitoring security events and status across environment, like gateways, VPNs, and users, with visuals and data management functionalities
- Identity Logging: User and device data from Active Directory
- User Directory: User accounts populated by LDAP servers
- Compliance: Security settings for monitoring regulatory compliance requirements
- SmartEvent: Real-time security event management and correlation
Security Gateway
Since the Security Gateway enforces your security policies, you should review the following:
- Gateway Topology: IP addresses behind the internal interface updated manually or dynamically
- Dynamic Anti-Spoofing: Using interface topology and network routes to update valid IP address ranges automatically
- Trust State: Secure Internal Communication (SIC) trust established between Check Point components
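As an added illustration of what dynamic anti-spoofing computes (this is example code written for this checklist, not Check Point's implementation or configuration), the following Python sketch derives the valid source-address set for each interface from a constructed interface topology plus routing entries, treats addresses claimed by no internal or DMZ interface as legitimate only on the interface holding the default route, and then classifies a packet by the interface it arrived on. Interface names, address ranges and routes are all constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: interface name -> directly attached networks.
INTERFACES = {
    "eth0": ["203.0.113.0/24"],   # external
    "eth1": ["10.10.0.0/16"],     # internal
    "eth2": ["192.0.2.0/24"],     # DMZ
}

# Constructed static routes: (destination network, egress interface).
# A route "behind" an interface widens the addresses expected as sources there.
ROUTES = [
    ("10.20.0.0/16", "eth1"),  # second internal site reachable via eth1
    ("0.0.0.0/0", "eth0"),     # default route leaves through the external interface
]


def valid_sources(interfaces, routes):
    """Return {interface: [networks]} of addresses that may legitimately appear
    as a packet source on that interface, built from attached networks plus
    static routes. The default route is deliberately not expanded into a
    range; the external side is handled as 'everything not owned elsewhere'."""
    table = {name: [ip_network(n) for n in nets] for name, nets in interfaces.items()}
    for dest, iface in routes:
        net = ip_network(dest)
        if net.prefixlen == 0:
            continue
        table.setdefault(iface, []).append(net)
    return table


def external_interface(routes):
    """The interface carrying the default route, or None if there is none."""
    for dest, iface in routes:
        if ip_network(dest).prefixlen == 0:
            return iface
    return None


def is_spoofed(src, ingress, interfaces=INTERFACES, routes=ROUTES):
    """True when a packet with source address src arriving on ingress
    contradicts the topology: an internal address showing up on the external
    interface, or an address no internal interface owns arriving internally."""
    addr = ip_address(src)
    table = valid_sources(interfaces, routes)
    owners = {iface for iface, nets in table.items() if any(addr in n for n in nets)}
    ext = external_interface(routes)
    if ingress == ext:
        # External side: spoofed if some other interface owns this address.
        return bool(owners - {ext})
    # Internal/DMZ side: spoofed unless this interface owns the address.
    return ingress not in owners


if __name__ == "__main__":
    for src, iface in [("10.10.1.5", "eth0"), ("10.20.5.5", "eth1"), ("8.8.8.8", "eth1")]:
        print(f"{src:>12} on {iface}: {'SPOOFED' if is_spoofed(src, iface) else 'ok'}")
```

Because the valid ranges are recomputed from the route table, adding the 10.20.0.0/16 route is enough to make that site's addresses acceptable on eth1 without editing the interface topology by hand, which is the point of the dynamic option.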
Network Objects
These represent physical, virtual, and logical components. You should review the configurations for the following:
- Networks: IP addresses based on network address and net mask
- Broadcast IP address: IP address destined for all hosts on a specified network
- Network Groups: Collection of hosts, gateways, networks, or other groups that use the same firewall rules
Access Control Policies
Check Point firewalls allow you to define either simple or granular rules to protect internal networks using the following:
- Firewall rules
- NAT
- Application and URL Filtering
- Content Awareness
When looking to manage cybersecurity more efficiently, you can improve the Ordered Layers and Inline Layers of your access control firewall configurations by:
- Simplifying the Rule Base
- Using Inline Layers to create a hierarchical rather than flat Rule Base
- Reusing Ordered Layers in multiple security Policy packages
- Reusing Inline Layers in multiple Layers
- Delegating Layer ownership to different administrators
- Cleaning up a Layer’s rule sets to optimize performance
Application Control
The Application Control Software Blade allows you to create application security and identity control policies. Some best practices for implementing these security policies include:
- Blocking categories of applications including anonymizers (UltraSurf, Tor, Psiphon), P2P file sharing, Spyware, Remote Admin
- Inspecting outgoing traffic wrapped by SSL/TLS to enforce policies
- Restricting each network protocol to its standard port, like FTP, SNMP, SSH, Telnet, and Syslog
You should also note that some firewalls only enforce TCP or UDP in their Application Control Rulebase.
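The Layer clean-up items above and the Application Control points (protocols on non-standard ports, TCP/UDP-only enforcement) are the kind of thing a rule base audit catches. The Python below is an added example written for this checklist, not code from Check Point or Tufin: it runs four checks over a constructed, simplified rule base (rules shadowed by an earlier rule in the same Layer, any/any/accept rules, service objects whose transport or port differs from the protocol's standard, and Application-layer rules whose service is neither TCP nor UDP). The service catalogue, the `protocol` field on each service, the rule fields and the standard-port table are all assumptions made for the example.

```python
from ipaddress import ip_network

# Constructed service objects: transport, port, and the application protocol
# the object is meant to carry ("protocol" is an assumption for this example).
SERVICES = {
    "https":     {"proto": "tcp",  "port": 443,  "protocol": "https"},
    "http":      {"proto": "tcp",  "port": 80,   "protocol": "http"},
    "ssh":       {"proto": "tcp",  "port": 22,   "protocol": "ssh"},
    "ssh-2222":  {"proto": "tcp",  "port": 2222, "protocol": "ssh"},   # SSH off its standard port
    "snmp-tcp":  {"proto": "tcp",  "port": 161,  "protocol": "snmp"},  # wrong transport for SNMP
    "icmp-echo": {"proto": "icmp", "port": None, "protocol": "icmp"},
    "any":       {"proto": "any",  "port": None, "protocol": None},
}

# IANA standard transport/port per protocol named in the checklist (plus web).
STANDARD_PORTS = {
    "ftp": ("tcp", 21), "ssh": ("tcp", 22), "telnet": ("tcp", 23),
    "snmp": ("udp", 161), "syslog": ("udp", 514),
    "http": ("tcp", 80), "https": ("tcp", 443),
}

ANY_NET = ["0.0.0.0/0"]

# Constructed rule base, top-down order, with the Layer each rule lives in.
RULES = [
    {"no": 1, "layer": "Network", "src": ["10.10.0.0/16"], "dst": ["192.0.2.10/32"], "svc": ["https"], "action": "accept"},
    {"no": 2, "layer": "Network", "src": ["10.10.0.0/16"], "dst": ["192.0.2.0/24"], "svc": ["https", "http"], "action": "accept"},
    {"no": 3, "layer": "Network", "src": ["10.10.5.0/24"], "dst": ["192.0.2.10/32"], "svc": ["https"], "action": "drop"},  # never fires: rule 1 accepts first
    {"no": 4, "layer": "Network", "src": ANY_NET, "dst": ANY_NET, "svc": ["any"], "action": "accept"},                  # any/any/accept
    {"no": 5, "layer": "Network", "src": ["10.10.0.0/16"], "dst": ANY_NET, "svc": ["ssh-2222"], "action": "accept"},    # unreachable after 4
    {"no": 6, "layer": "Application", "src": ["10.10.0.0/16"], "dst": ANY_NET, "svc": ["icmp-echo"], "action": "accept"},
]

ANY_RULE = {"src": ANY_NET, "dst": ANY_NET, "svc": ["any"]}


def _nets_covered(inner, outer):
    """Every network in inner is contained in some network of outer."""
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)


def _svcs_covered(inner, outer):
    return "any" in outer or ("any" not in inner and set(inner) <= set(outer))


def covers(earlier, later):
    """True if everything the later rule would match is already matched by the earlier rule."""
    return (_nets_covered(later["src"], earlier["src"])
            and _nets_covered(later["dst"], earlier["dst"])
            and _svcs_covered(later["svc"], earlier["svc"]))


def shadowed_rules(rules):
    """(shadowed rule, shadowing rule) pairs, evaluated per Layer since each
    Layer is matched top-down on its own. A shadowed drop after an accept is
    the dangerous case: the intended block never takes effect."""
    out = []
    for layer in {r["layer"] for r in rules}:
        ordered = [r for r in rules if r["layer"] == layer]
        for i, later in enumerate(ordered):
            for earlier in ordered[:i]:
                if covers(earlier, later):
                    out.append((later["no"], earlier["no"]))
                    break
    return sorted(out)


def permissive_rules(rules):
    """Accept rules that match all sources, destinations and services."""
    return [r["no"] for r in rules if r["action"] == "accept" and covers(r, ANY_RULE)]


def nonstandard_port_services(services):
    """Service objects whose transport/port differ from the protocol's standard."""
    out = []
    for name, s in services.items():
        std = STANDARD_PORTS.get(s["protocol"])
        if std and (s["proto"], s["port"]) != std:
            out.append(name)
    return sorted(out)


def non_tcp_udp_rules(rules, services):
    """Application-layer rules relying on a service the Layer cannot enforce."""
    return [r["no"] for r in rules if r["layer"] == "Application"
            and any(services[s]["proto"] not in ("tcp", "udp", "any") for s in r["svc"])]


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("any/any/accept:", permissive_rules(RULES))
    print("non-standard ports:", nonstandard_port_services(SERVICES))
    print("non-TCP/UDP in Application layer:", non_tcp_udp_rules(RULES, SERVICES))
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so a rule hidden by the union of several earlier rules is not flagged and still needs a manual look.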
Threat Prevention
The Threat Prevention Software Blades include:
- IPS: Application and server vulnerability detection
- Anti-bot: Distributed Denial of Service (DDoS) risk reduction
- Anti-virus: Endpoint malware detection
- SandBlast: Zero-day vulnerability and targeted attack risk reduction
When creating threat prevention rules and exceptions, you should review the various configuration types.
Mail Settings
Some best practices for setting firewall rules for blocking and allowing emails include:
- Configuring templates for replacing a malicious link or attachment with a neutralized version
- Tagging malicious emails with an X-header
- Adding a prefix to a malicious email’s subject line
- Customizing the text of the email's body identifying malicious links and attachments
- Forwarding a copy of the original malicious email to internal teams, like incident response, so they have neutralized links, attachment file names, and SMTP envelope information
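To make the mail-handling options above concrete, here is an added Python example (written for this checklist, not Check Point's code) that applies them to a constructed message with the standard-library `email` package: it tags the message with an X-header, prefixes the subject, replaces a flagged link and a flagged attachment with neutralized placeholders, appends a body notice, and builds a forwarding copy for the incident response team that carries the neutralized links, attachment file names and envelope addresses together with the original message. The header name, prefix text, sample addresses and the lists of flagged links and attachments are all assumptions made for the example.

```python
from email.message import EmailMessage

SUBJECT_PREFIX = "[MALICIOUS] "          # assumed prefix
TAG_HEADER = "X-Threat-Verdict"           # assumed X-header name
NOTICE = "Mail security removed content from this message; see the lines marked [removed]."


def build_sample():
    """Constructed sample message with one flagged link and one flagged attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open http://bad.example/login to confirm the invoice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg


def neutralize(msg, bad_links, bad_attachments):
    """Return (neutralized copy, summary). The original is left untouched so
    it can be forwarded as evidence."""
    summary = {"links": [], "attachments": [],
               "envelope": {"from": str(msg["From"]), "to": str(msg["To"])}}
    out = EmailMessage()
    for name, value in msg.items():
        if name.lower() not in ("subject", "content-type", "mime-version",
                                "content-transfer-encoding"):
            out[name] = value
    out["Subject"] = SUBJECT_PREFIX + str(msg["Subject"] or "")
    out[TAG_HEADER] = "malicious"

    body = msg.get_body(preferencelist=("plain",)).get_content()
    for link in bad_links:
        if link in body:
            summary["links"].append(link)
            body = body.replace(link, "[removed link]")
    out.set_content(body.rstrip("\n") + "\n\n" + NOTICE)

    for part in msg.iter_attachments():
        name = part.get_filename()
        if name in bad_attachments:
            summary["attachments"].append(name)
            out.add_attachment(f"Attachment '{name}' was removed by mail security.",
                               filename=name + ".txt")
        else:  # untouched attachment, copied as-is
            out.add_attachment(part.get_content(), maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(), filename=name)
    return out, summary


def forward_for_ir(original, summary, team_addr):
    """Notification for the internal team: summary in the body, original attached."""
    report = EmailMessage()
    report["To"] = team_addr
    report["Subject"] = "Neutralized message from " + summary["envelope"]["from"]
    lines = ["Envelope: %(from)s -> %(to)s" % summary["envelope"],
             "Neutralized links: " + ", ".join(summary["links"] or ["none"]),
             "Removed attachments: " + ", ".join(summary["attachments"] or ["none"])]
    report.set_content("\n".join(lines))
    report.add_attachment(original)  # attached as message/rfc822
    return report


if __name__ == "__main__":
    clean, info = neutralize(build_sample(), ["http://bad.example/login"], ["invoice.exe"])
    print(clean["Subject"], "|", clean[TAG_HEADER], "|", info)
```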
Anti-Virus Settings
Some basic Anti-Virus settings to review include:
- Inspection scope for incoming files: Determining whether to review incoming files from any combination of external, DMZ, or all interfaces
- Protocols: Configuring for HTTP, FTP, and SMTP
- File types: Determining whether to focus on types known to contain malware, all file types, or specific file type families
Anti-Bot Settings
As part of protecting against hackers, the anti-bot setting offers several customizations that you can use to improve your cybersecurity:
- Blocking: Rules should include network objects to protect, actions to take, log types to send, and policy targets or gateways the firewall rule runs on
- Monitoring: Rules for monitoring bot activity without blocking traffic by identifying attacks as low, medium, or high confidence
- Exceptions: Rules that focus on detecting rather than preventing activity, such as when Windows servers already block malware.
Mobile Access
Mobile Access configurations focus on implementing authentication and authorization for remote access to internal network resources.
File Shares
Configurations for file access, including opening, reading, writing, and deleting include defining:
- Authorized locations, like host IP address or DNS name
- Endpoint security requirements
- Single sign-on (SSO)
Web applications
When using Authorized Location for Web Application access, you should review the following configurations:
- Host or DNS name for application
- Allowing access to any directory that matches a location defined in Servers
- Allowing access only to specific directories, to restrict what the application exposes
- Using case-sensitive application paths
- Using HTTPS for SSL access to services
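As an added example of how the Authorized Location settings above combine in an access decision (example code written for this checklist, not the Mobile Access implementation), the Python below evaluates a request URL against a constructed list of locations: host match, HTTPS requirement, "any directory" versus an explicit directory list, and case-sensitive or case-insensitive path matching. It normalizes the path first so that a `../` segment cannot escape an allowed directory. The location fields, hostnames and directories are assumptions made for the example.

```python
from posixpath import normpath
from urllib.parse import urlsplit

# Constructed authorized locations (field names are assumptions for this example).
AUTHORIZED = [
    {"host": "intranet.example.com", "any_dir": True, "dirs": [],
     "case_sensitive": True, "https_only": True},
    {"host": "hr.example.com", "any_dir": False, "dirs": ["/forms/", "/benefits/"],
     "case_sensitive": False, "https_only": True},
    {"host": "docs.example.com", "any_dir": False, "dirs": ["/Public/"],
     "case_sensitive": True, "https_only": True},
]


def _normalize(path):
    """Collapse '.' and '..' so /forms/../admin/ cannot pass a prefix check,
    keeping a trailing slash when the request had one."""
    clean = normpath(path or "/")
    if path.endswith("/") and not clean.endswith("/"):
        clean += "/"
    return clean


def is_authorized(url, locations=AUTHORIZED):
    """True when the URL's host matches a location and the path, scheme and
    case rules of that location allow it."""
    u = urlsplit(url)
    for loc in locations:
        if u.hostname != loc["host"]:
            continue
        if loc["https_only"] and u.scheme != "https":
            return False
        if loc["any_dir"]:
            return True
        path, dirs = _normalize(u.path), loc["dirs"]
        if not loc["case_sensitive"]:
            path, dirs = path.lower(), [d.lower() for d in dirs]
        # "/forms" alone is accepted as the directory itself; "/formsx" is not.
        return any(path == d.rstrip("/") or path.startswith(d) for d in dirs)
    return False


if __name__ == "__main__":
    for url in ["https://hr.example.com/Forms/w2.pdf", "https://hr.example.com/forms/../admin/",
                "http://intranet.example.com/", "https://docs.example.com/public/x"]:
        print(url, "->", "allow" if is_authorized(url) else "deny")
```

The normalization step is the check a practitioner most often forgets when authorizing by path prefix; without it, the second URL in the usage lines would pass the `/forms/` prefix test while actually reaching `/admin/`.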
Optimizing Check Point Firewall Value with Tufin
With Tufin, you can more easily manage hybrid networks with vendor agnostic Unified Security Policies (USPs) for consistent firewall management and auditing.
By centralizing your firewall topology, you can use our automated workflows to eliminate network change and rule review backlogs while improving overall network security.
To see how Tufin can make managing your hybrid network easier, contact us for a demo.