You can define the internet for your rule, but it's similar to how the firewall 
figures out what IPs are allowed through anti-spoofing for your internet 
interface when you check "external" in your topology configuration - it's 
anything that's NOT your other internal or DMZ segments.  If you want your 
"internal" networks group to only go to the internet, and not be allowed into your 
DMZs, you define the destination in your rule as a negated object, listing 
your DMZ network(s) or groups.  The internet is simply NOT (internal & DMZ 
groups).

Of course, that all relies on doing decent config and group coding on your 
groups, rules, and topology.  I know nobody ever gets rushed on the initial 
build, defines the internal network as "10.0.0.0/8" to start, and forgets about 
it when you build a DMZ on 10.200.0.0/24, etc, right?  You get the idea - 
keeping the config straight all the time makes a big difference in your ability 
to code stuff like this easily, and get it correct.

That's a common misunderstanding I've run into on other firewalls for the DMZ 
servers as well.  To let the DMZ servers get to the internet for patches, I've 
seen rules that allow the DMZ to go to "any" on 80/443, thinking that was the 
only way to allow internet access, which then allows the DMZ servers to connect 
to the internal network ranges as well, and destroys the security of the DMZ 
being separated from spreading attacks to the inside.  Usually if the admin 
really doesn't know what they're doing, after the auditor sees that, they add a 
drop rule above that one, specifying DMZ to internal for any ports, with an 
action of "drop".  Completely unnecessary, and sloppy.

Do the same thing there, by allowing DMZ servers to go to NOT (internal) as a 
negated destination, or NOT (internal, other DMZs, etc.) depending on your 
interfaces.  Only one rule, and it follows the usual advice of "deny unless 
explicitly allowed" (which, by definition, means any "drop" rules you find in 
the policy other than the cleanup rule are proof that you have rules that are 
allowing more than they should, and you're trying to prune that access with a 
few specific drop rules).

Does that make sense, or did I explain the concept badly?

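The difference between the "DMZ to any on 80/443" rule and the negated-destination rule is easy to check by modelling the rulebase. The following is an added example, not code from this thread and not a Check Point tool: it evaluates a packet top-down, first match wins, with an implicit cleanup drop, the way a Check Point policy is processed. The network objects (10.1.0.0/16 staff internal, 10.2.0.0/16 public internal, 10.3.0.0/16 wireless, 10.200.0.0/24 DMZ, 203.0.113.10 as an internet host) are constructed for the example. It also includes an overlap check for the "internal defined as 10.0.0.0/8, DMZ later built on 10.200.0.0/24" mistake, since a negated destination is only as good as the groups it negates.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed topology for this example (hypothetical addresses, not from the thread).
STAFF_INTERNAL = [ip_network("10.1.0.0/16")]
PUBLIC_INTERNAL = [ip_network("10.2.0.0/16")]
WIRELESS = [ip_network("10.3.0.0/16")]
DMZ = [ip_network("10.200.0.0/24")]
ANY = [ip_network("0.0.0.0/0")]


class Rule(NamedTuple):
    name: str
    src: list          # list of ip_network
    dst: list          # list of ip_network
    dst_negated: bool  # True models a negated destination cell
    services: set      # TCP destination ports, or {"any"}
    action: str        # "accept" or "drop"


def in_nets(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def matches(rule, src, dst, port):
    if not in_nets(src, rule.src):
        return False
    dst_hit = in_nets(dst, rule.dst)
    if rule.dst_negated:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return "any" in rule.services or port in rule.services


def evaluate(rulebase, src, dst, port):
    """Top-down, first match wins; anything unmatched hits the implicit cleanup drop."""
    for rule in rulebase:
        if matches(rule, src, dst, port):
            return rule.action, rule.name
    return "drop", "cleanup"


# The sloppy version: DMZ -> any on 80/443. This also permits DMZ -> internal.
SLOPPY = [Rule("dmz-out", DMZ, ANY, False, {80, 443}, "accept")]

# The usual "fix" after an audit: a drop rule bolted on above the sloppy one.
SLOPPY_PATCHED = [
    Rule("dmz-to-internal-drop", DMZ, STAFF_INTERNAL + PUBLIC_INTERNAL + WIRELESS, False, {"any"}, "drop"),
    SLOPPY[0],
]

# The single negated rule: DMZ -> NOT (internal segments) on 80/443.
NEGATED = [
    Rule("dmz-out", DMZ, STAFF_INTERNAL + PUBLIC_INTERNAL + WIRELESS, True, {80, 443}, "accept"),
]

# Clive's case: public internal -> internet on HTTP/HTTPS only, not DMZ or staff internal.
PUBLIC_TO_INET = [
    Rule("public-out", PUBLIC_INTERNAL, STAFF_INTERNAL + DMZ + WIRELESS, True, {80, 443}, "accept"),
]


def overlaps(groups):
    """Report pairs of named groups whose networks overlap, e.g. internal=10.0.0.0/8 vs DMZ=10.200.0.0/24."""
    names = list(groups)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in groups[a] for y in groups[b]):
                found.append((a, b))
    return found


if __name__ == "__main__":
    for name, rb in (("sloppy", SLOPPY), ("patched", SLOPPY_PATCHED), ("negated", NEGATED)):
        print(name, "DMZ->staff :443", evaluate(rb, "10.200.0.10", "10.1.0.5", 443))
        print(name, "DMZ->inet  :443", evaluate(rb, "10.200.0.10", "203.0.113.10", 443))
    print("public->dmz :443", evaluate(PUBLIC_TO_INET, "10.2.0.7", "10.200.0.10", 443))
    print("public->inet:443", evaluate(PUBLIC_TO_INET, "10.2.0.7", "203.0.113.10", 443))
    print("overlap check:", overlaps({"internal": [ip_network("10.0.0.0/8")], "dmz": DMZ}))
```

Running it shows the sloppy rule accepting DMZ to staff on 443, the patched rulebase dropping it only because of the extra drop rule, and the negated rule dropping it via the cleanup rule while still accepting DMZ to the internet host. The overlap check flags the 10.0.0.0/8 "internal" group as covering the DMZ, which would silently pull the DMZ into every NOT (internal) destination.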

-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Clive Luk
Sent: Tuesday, January 29, 2013 16:29
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] CP UTM-1 R70.5 policy question

Thanks! What if I only want public internal to access the internet on HTTP and 
HTTPS, but not the web servers on the DMZ or staff internal?

I can't really define a group for internet right?

So does that mean I need to have a bunch of drop rules set at the very 
beginning?

Thanks!

On 30/01/13 01:13, Independent IT Consultant wrote:
> Indirectly, you can accomplish this. Create a group with the relevant 
> wireless nets, then define a single rule as follows:
>
> Source: {wireless nets}
> Destination: NOT {Internal nets}
> Service: HTTP, HTTPS
> Action: Allow
>
>
> Bear in mind that you're talking about fundamental differences in 
> architecture between Juniper (and Cisco, for that matter) and Check Point.
> Juniper and Cisco use interface-centric ACLs, whereas Check Point is 
> an object-oriented firewall.
>
>
>
> On Tue, Jan 29, 2013 at 1:09 AM, Clive Luk <cl...@sl.nsw.gov.au> wrote:
>
>> Hi all,
>>
>> I am just wondering if I can define a policy restricted by zone, as I 
>> can see on the CP tracker there is inzone, outzone.
>>
>> I have UTM-1 with multiple interfaces.
>>
>> 1 x Internet
>> 1 x DMZ
>> 1 x Staff internal
>> 1 x Wireless
>> 1 x Public internal
>>
>> I am wondering if I can have a policy defined to allow all wireless to 
>> access the internet and DMZ via HTTP and HTTPS but not the other interfaces.
>>
>> I have seen a Juniper firewall can define policy based on zone.
>>
>>
>> Cheers,
>> Clive
>>
>> Email secured by Check Point
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages, send an email to 
>> lists...@amadeus.us.checkpoint.com
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list, please see the instructions at 
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your subscription options, 
>> email fw-1-ow...@ts.checkpoint.com 
>> =================================================
