
How to Configure Firewall Rules in Check Point SmartConsole

Learn how to create and manage firewall rules in Check Point SmartConsole. Step-by-step guide covering access control policies, services, and best practices.

12 min read. Updated January 2025.


Check Point SmartConsole provides a powerful interface for managing firewall rules and access control policies. Unlike many firewalls that allow traffic by default, Check Point requires you to explicitly define what traffic is permitted. This guide walks you through creating and managing firewall rules effectively.

Prerequisites

Before you begin, ensure you have:

  • SmartConsole installed on your management workstation
  • Administrator credentials with permissions to modify security policies
  • Network topology documented including IP addresses, subnets, and services
  • Security Gateway configured and connected to the Management Server
  • Understanding of your traffic requirements (what needs to be allowed and denied)

Understanding the Access Control Policy

Check Point organizes security rules in an Access Control Policy, which you can find in the Security Policies section of SmartConsole. The policy contains:

  • Rules - Individual access control entries that define allowed or blocked traffic
  • Layers - Logical groupings of rules (Network, Application Control, URL Filtering)
  • Sections - Visual dividers to organize rules within a layer
  • Objects - Reusable definitions for hosts, networks, services, and groups

Step 1: Access the Rule Base

  1. Open SmartConsole and connect to your Management Server
  2. Navigate to Security Policies in the left navigation panel
  3. Click Policy under Access Control
  4. The Rule Base displays with existing rules (or a default policy for new installations)

Step 2: Create Network Objects

Before creating rules, define the objects that represent your network resources:

Creating a Host Object

  1. Go to Objects menu > New > Host
  2. Enter a descriptive Name (e.g., "WebServer01")
  3. Enter the IPv4 Address of the host
  4. Optionally add a comment describing the host's purpose
  5. Click OK to save

Creating a Network Object

  1. Go to Objects menu > New > Network
  2. Enter a Name (e.g., "Internal_LAN")
  3. Enter the Network Address (e.g., 10.0.0.0)
  4. Enter the Subnet Mask (e.g., 255.255.255.0 or /24)
  5. Click OK to save

Creating a Group Object

Groups allow you to combine multiple hosts or networks into a single object for easier rule management:

  1. Go to Objects menu > New > Group > Simple Group
  2. Enter a descriptive Name (e.g., "DMZ_Servers")
  3. Click Add and select the objects to include
  4. Click OK to save

Step 3: Add a New Firewall Rule

  1. In the Rule Base, click one of the Add Rule icons:

    • Add Rule Above - Inserts a rule above the selected rule
    • Add Rule Below - Inserts a rule below the selected rule
    • Add Rule at Top - Inserts at the beginning of the layer
    • Add Rule at Bottom - Inserts at the end of the layer
  2. A new rule appears with default values. Configure each column:

Configuring Rule Columns

  • No. - Automatically assigned rule number
  • Name - Double-click to add a descriptive name
  • Source - Right-click > Add, then select source objects
  • Destination - Right-click > Add, then select destination objects
  • VPN - Leave as "Any" for non-VPN traffic
  • Services & Applications - Right-click > Add, then select services (HTTP, HTTPS, SSH, etc.)
  • Action - Select Accept, Drop, or Reject
  • Track - Select logging options (None, Log, or detailed tracking)
  • Install On - Select which gateways enforce this rule

Step 4: Configure Rule Actions and Tracking

Action Options

  • Accept - Allow the traffic to pass
  • Drop - Silently discard the traffic
  • Reject - Drop traffic and send ICMP unreachable to source
  • User Auth - Require user authentication before allowing access
  • Client Auth - Require client authentication

Track Options

  • None - Do not generate logs (use sparingly for high-volume traffic)
  • Log - Record connection details including source, destination, and ports
  • Account - Log with additional accounting information
  • Alert - Generate an alert notification in addition to logging

Step 5: Implement Best Practice Rules

Stealth Rule

Protect your firewall management interface from unauthorized access:

  1. Add a rule near the top of your policy
  2. Configure:
    • Name: "Stealth Rule - Block Direct Firewall Access"
    • Source: Any
    • Destination: [Your Security Gateway objects]
    • Services: Any
    • Action: Drop
    • Track: Log

Management Access Rule

Allow legitimate management traffic before the stealth rule:

  1. Add a rule above the stealth rule
  2. Configure:
    • Name: "Allow Management Access"
    • Source: [Management workstations/network]
    • Destination: [Security Gateway and Management Server]
    • Services: CPMI (18190), HTTPS (443), SSH
    • Action: Accept
    • Track: Log

Cleanup Rule

Create an explicit cleanup rule at the bottom:

  1. Add a rule at the bottom of your policy
  2. Configure:
    • Name: "Cleanup Rule - Drop All"
    • Source: Any
    • Destination: Any
    • Services: Any
    • Action: Drop
    • Track: Log

Step 6: Add Services and Applications

To specify which protocols and applications are allowed:

  1. Right-click the Services & Applications cell for your rule
  2. Click Add New Items
  3. Use the search box to find services:
    • Common services: HTTP, HTTPS, DNS, SSH, RDP, SMTP
    • Port-based: Search by port number
    • Applications: Search for application names (requires the Application Control (APCL) blade)
  4. Click the + icon next to items to add them
  5. Click OK to save

Custom Service Definition

For non-standard ports or protocols:

  1. Go to Objects menu > New > Service > TCP (or UDP/Other)
  2. Enter a Name for the service
  3. Specify the Port or port range
  4. Click OK to save

Step 7: Organize Rules with Sections

Sections help visually organize large rule bases:

  1. Right-click between rules where you want a section header
  2. Select Add Section Title
  3. Enter a descriptive name (e.g., "DMZ Access Rules", "VPN Rules")
  4. Drag and drop rules into appropriate sections

Step 8: Publish and Install Policy

After making changes, you must publish and install the policy:

Publish Changes

  1. Click the Publish button in the top toolbar
  2. Add a description of your changes (for audit trail)
  3. Click Publish

Install Policy

  1. Click Install Policy in the top toolbar
  2. Select the policy to install
  3. Select the target Security Gateways
  4. Click Install
  5. Monitor the installation progress in the Tasks panel

Important: Rules are not enforced until you both publish and install the policy.
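The same workflow driven through the Check Point Management API instead of the SmartConsole GUI: the Step 2 objects, the three Step 5 rules in the order the page prescribes, then publish and install-policy from Step 8. This is an added example, not code from the page or from Check Point; it assumes the documented command names (add-host, add-network, add-group, add-access-rule, publish, install-policy, login, logout), the default "Network" layer and "Standard" package, default service objects named CPMI, https and ssh, and constructed names and addresses for the gateway, management server, admin network and WebServer01.

```python
import json
import ssl
import urllib.request

LAYER = "Network"  # assumed: the default Access Control layer of the "Standard" package

def access_rule(name, source, destination, service, action, position, track="Log"):
    """One add-access-rule body; keys mirror the SmartConsole rule columns."""
    return {"layer": LAYER, "position": position, "name": name, "source": source,
            "destination": destination, "service": service, "action": action,
            "track": {"type": track}}

def build_plan(gateways, mgmt_server, mgmt_net, policy="Standard"):
    """Ordered (command, body) list: Step 2 objects, Step 5 rules, Step 8 publish/install."""
    stealth = "Stealth Rule - Block Direct Firewall Access"
    return [
        ("add-host", {"name": "WebServer01", "ip-address": "192.0.2.10"}),  # constructed IP
        ("add-network", {"name": "Internal_LAN", "subnet4": "10.0.0.0", "mask-length4": 24}),
        ("add-group", {"name": "DMZ_Servers", "members": ["WebServer01"]}),
        # stealth rule first, then the management rule inserted above it (Step 5)
        ("add-access-rule", access_rule(stealth, ["Any"], gateways, ["Any"], "Drop", "top")),
        ("add-access-rule", access_rule("Allow Management Access", [mgmt_net],
                                        gateways + [mgmt_server], ["CPMI", "https", "ssh"],
                                        "Accept", {"above": stealth})),
        ("add-access-rule", access_rule("Cleanup Rule - Drop All", ["Any"], ["Any"], ["Any"],
                                        "Drop", "bottom")),
        # nothing is enforced until both of these succeed (Step 8)
        ("publish", {}),
        ("install-policy", {"policy-package": policy, "targets": gateways}),
    ]

def call(server, sid, command, body):
    """POST one Management API command over TLS with certificate verification on."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as r:
        return json.load(r)

def apply_plan(server, user, password, plan):
    """Log in, run the plan in order, and always log out so no session lingers."""
    sid = call(server, None, "login", {"user": user, "password": password})["sid"]
    try:
        return [call(server, sid, cmd, body) for cmd, body in plan]
    finally:
        call(server, sid, "logout", {})
```

Build the plan with your own object names (for example `build_plan(["GW01"], "MGMT01", "Admin_Net")`) and review it before handing it to `apply_plan`, since install-policy is the step that changes what the gateway enforces.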

Troubleshooting Common Issues

Rule Not Matching Expected Traffic

Symptoms: Traffic is being dropped or allowed unexpectedly.

Solutions:

  1. Check rule order - more specific rules should be above general rules
  2. Verify object definitions contain correct IP addresses
  3. Use Policy Analysis in SmartConsole to trace packet paths
  4. Check the Track column to ensure logging is enabled
  5. Review logs in the Logs & Monitor view to see which rule matched
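An offline way to do the first check, rule order, before installing: walk the rule base top-down and flag any rule that an earlier rule fully covers (it can never match) or any Accept rule that an earlier Drop/Reject pre-empts for part of its traffic, which is exactly what happens when the management access rule ends up below the stealth rule. This is an added example, not from the page or from Check Point; the rule base is constructed to resemble the Step 5 rules, with assumed addresses 198.51.100.1 for the gateway, 198.51.100.2 for the Management Server, 10.0.0.0/24 as the admin network and 192.0.2.0/24 as the DMZ.

```python
import ipaddress

ANY = "Any"

def _nets(outer, inner, full):
    # full: every inner network lies inside some outer network; else: any overlap
    if outer == ANY or inner == ANY:
        return outer == ANY if full else True
    hit = (lambda i, o: i.subnet_of(o)) if full else (lambda i, o: i.overlaps(o))
    return (all if full else any)(any(hit(i, o) for o in outer) for i in inner)

def _svcs(outer, inner, full):
    # services are sets of (proto, port): subset when full, intersection otherwise
    if outer == ANY or inner == ANY:
        return outer == ANY if full else True
    return inner <= outer if full else bool(inner & outer)

def _matches(earlier, later, full):
    checks = ((_nets, "src"), (_nets, "dst"), (_svcs, "svc"))
    return all(f(earlier[k], later[k], full) for f, k in checks)

def rule_order_issues(rules):
    """Top-down: 'shadowed' = an earlier rule covers all of this rule's traffic;
    'partial' = an Accept rule loses some traffic to an earlier Drop/Reject."""
    issues = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _matches(earlier, later, True):
                issues.append(("shadowed", later["name"], earlier["name"]))
                break
            if (later["action"] == "Accept" and earlier["action"] != "Accept"
                    and _matches(earlier, later, False)):
                issues.append(("partial", later["name"], earlier["name"]))
                break
    return issues

def net(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

RULES = [  # constructed: gateway 198.51.100.1, manager .2; two ordering mistakes
    {"name": "Stealth Rule - Block Direct Firewall Access", "src": ANY,
     "dst": net("198.51.100.1/32"), "svc": ANY, "action": "Drop"},
    {"name": "Allow Management Access", "src": net("10.0.0.0/24"),
     "dst": net("198.51.100.1/32", "198.51.100.2/32"),
     "svc": {("tcp", 18190), ("tcp", 443), ("tcp", 22)}, "action": "Accept"},
    {"name": "Allow Web to DMZ", "src": ANY, "dst": net("192.0.2.0/24"),
     "svc": {("tcp", 80), ("tcp", 443)}, "action": "Accept"},
    {"name": "Allow HTTPS to WebServer01", "src": ANY, "dst": net("192.0.2.10/32"),
     "svc": {("tcp", 443)}, "action": "Accept"},
    {"name": "Cleanup Rule - Drop All", "src": ANY, "dst": ANY, "svc": ANY, "action": "Drop"},
]
```

Running `rule_order_issues(RULES)` reports the management rule as partially pre-empted by the stealth rule and the WebServer01 rule as fully shadowed by the broader DMZ rule above it; the cleanup rule is not flagged, since nothing above it covers all traffic.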

Policy Installation Fails

Symptoms: Error message during policy install.

Solutions:

  1. Check connectivity between Management Server and Gateway
  2. Verify SIC (Secure Internal Communication) is established
  3. Review error details in the Tasks panel
  4. Check gateway disk space and resources
  5. Look for object conflicts or invalid definitions

High CPU After Policy Install

Symptoms: Gateway performance degrades after policy installation.

Solutions:

  1. Review rules for overly broad logging (avoid logging high-volume traffic)
  2. Check for rules with "Any" in multiple columns
  3. Consider using layers to optimize rule matching
  4. Review IPS and application control settings if enabled

Best Practices Summary

  • Rule Naming - Use descriptive names that explain the rule's purpose
  • Documentation - Add comments to complex rules explaining the business requirement
  • Minimal Access - Grant only the access required (principle of least privilege)
  • Stealth Rule - Always implement a stealth rule to hide the firewall
  • Cleanup Rule - Explicitly define a cleanup rule with logging
  • Regular Review - Audit rules periodically and remove unused entries
  • Test Changes - Test policy changes in a lab environment when possible
  • Change Management - Document all changes with business justification

Next Steps

After configuring basic firewall rules:

  1. Enable Threat Prevention - Add IPS, Anti-Bot, and Anti-Virus protection
  2. Configure NAT - Set up network address translation for outbound traffic
  3. Implement Application Control - Control access by application, not just port
  4. Set Up Logging - Configure log forwarding to a SIEM or log server
  5. Create Backup - Export your policy configuration for disaster recovery


Frequently Asked Questions


Accept allows traffic matching the rule to pass through the gateway, while Drop silently discards packets without sending any response to the source. A third option, Reject, drops the packet but sends an ICMP unreachable message back to the source.
