I disable all implied rules, and code in explicitly what should be allowed. Implied rules are meant to get the firewall working with a minimum of support calls to Checkpoint, since new firewall admins wouldn't think to code those ports in, or don't know what's required, and would lose connectivity to the enforcement points the first time they push a policy without it.
There's nothing in the implied rules that can't be coded explicitly into normal rules, but there are probably (depending on your situation) many implied rules that open ports you don't need. A classic audit problem is a port scan from the internet showing Checkpoint ports responding on the internet side of your firewall, when you have no reason to have them open there (assuming you don't have to manage it from the internet interface). Code up the explicit rules you need ahead of your firewall stealth rule in the policy, and turn off all implied rules. You then have one place to view / audit the entire security policy, and you're only allowing what you need, to the management stations or other devices that are required to have access.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Garner, Annette K **BETH
Sent: Friday, July 07, 2006 10:58
To: [email protected]
Subject: [FW-1] FIREWALL SETTING

What is the normal setup for the firewall in "Accept Firewall-1 control connections"? Is it better to have this enabled or disabled? I am getting audited and just want to see what is the best practice.

Thanks

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
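The audit the reply describes (explicit control-connection rules, from management stations only, placed ahead of the stealth rule), as an added example that is not from the thread: a script that checks a rulebase in policy order against those three conditions. Service names follow Check Point's SmartDashboard naming; the object names and the two rulebases are constructed for illustration.

```python
# Added audit check, not from the original thread: given a rulebase in policy
# order, verify that Check Point control connections are allowed explicitly,
# only from management objects, and ahead of the stealth rule.

CONTROL_SERVICES = {"FW1", "FW1_log", "CPMI", "CPD", "FW1_ica_push"}
UNTRUSTED = {"Any", "Internet"}

def find_stealth_rule(rules, firewalls):
    """Index of the first 'Any -> firewall, any service, drop' rule, or None."""
    for i, r in enumerate(rules):
        if (r["dst"] in firewalls and r["src"] == "Any"
                and r["service"] == "Any" and r["action"] == "drop"):
            return i
    return None

def audit_rulebase(rules, firewalls, mgmt):
    """Return audit findings; an empty list means the policy follows the advice."""
    findings = []
    stealth = find_stealth_rule(rules, firewalls)
    if stealth is None:
        findings.append("no stealth rule (Any -> firewall, drop) in policy")
    for i, r in enumerate(rules, start=1):
        if r["action"] != "accept" or r["service"] not in CONTROL_SERVICES:
            continue
        if r["src"] in UNTRUSTED or r["src"] not in mgmt | firewalls:
            findings.append(f"rule {i}: {r['service']} accepted from {r['src']}")
        if stealth is not None and i > stealth + 1 and r["dst"] in firewalls:
            findings.append(f"rule {i}: shadowed by stealth rule {stealth + 1}")
    # Each enforcement point needs an explicit management rule ahead of the
    # stealth rule, or the next policy push cuts the management connection.
    for fw in firewalls:
        if not any(r["dst"] == fw and r["src"] in mgmt and r["action"] == "accept"
                   and r["service"] in CONTROL_SERVICES
                   and (stealth is None or j < stealth)
                   for j, r in enumerate(rules)):
            findings.append(f"{fw}: no management rule before the stealth rule")
    return findings

# Constructed rulebases: the first follows the advice, the second does not.
GOOD_RULES = [
    {"src": "mgmt01", "dst": "fw-ext", "service": "CPD", "action": "accept"},
    {"src": "mgmt01", "dst": "fw-ext", "service": "FW1", "action": "accept"},
    {"src": "fw-ext", "dst": "mgmt01", "service": "FW1_log", "action": "accept"},
    {"src": "Any", "dst": "fw-ext", "service": "Any", "action": "drop"},
]
BAD_RULES = [
    {"src": "Any", "dst": "fw-ext", "service": "Any", "action": "drop"},
    {"src": "Internet", "dst": "fw-ext", "service": "CPMI", "action": "accept"},
]
```

Run `audit_rulebase(BAD_RULES, {"fw-ext"}, {"mgmt01"})` to see the three findings for the second rulebase: a control connection accepted from the internet, a rule shadowed by the stealth rule, and a firewall with no management rule ahead of it.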
