3.2 Configure a Default Drop/Cleanup Rule

Information

Ensure that the final rule in the rulebase explicitly drops all traffic (any source, destination and service) not specifically allowed by the preceding rules. Any access that is not explicitly allowed must be explicitly dropped.

Rationale:

The cleanup rule is necessary to block all traffic that is not allowed by earlier rules in the firewall rulebase. Ideally, the cleanup rule is the last rule at the bottom of the rulebase. By default, an implied rule in the Check Point firewall does the same thing, but logging is not enabled for that implied rule, so dropped traffic is not recorded.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create or edit the last rule in the rulebase so that it drops all traffic from any source to any destination on any service, with logging (Track) enabled.
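Because Nessus does not perform this check, the following added example (not part of the benchmark or of Check Point's tooling) shows how a practitioner could verify the control against a rulebase export: it walks the rulebase, including nested sections, and reports whether the last enabled rule is a logged any/any/any Drop. The input shape is a simplified, assumed flattening of a Management API "show access-rulebase" response, and the sample data is constructed.

```python
"""Verify that the last enabled access rule is a logged any/any/any Drop."""

# Constructed sample in a simplified, assumed shape of a Check Point
# "show access-rulebase" export; object and action names are flattened to strings.
SAMPLE_RULEBASE = {
    "rulebase": [
        {"name": "Allow web out", "enabled": True, "source": ["Internal"],
         "destination": ["Any"], "service": ["http", "https"],
         "action": "Accept", "track": "Log"},
        {"name": "Old test rule", "enabled": False, "source": ["Any"],
         "destination": ["Any"], "service": ["Any"],
         "action": "Accept", "track": "None"},
        {"name": "Cleanup rule", "enabled": True, "source": ["Any"],
         "destination": ["Any"], "service": ["Any"],
         "action": "Drop", "track": "Log"},
    ]
}


def _flatten(items):
    """Yield rules in order, descending into sections that carry a nested 'rulebase'."""
    for item in items:
        if "rulebase" in item:          # a section wrapping more rules
            yield from _flatten(item["rulebase"])
        else:
            yield item


def _is_any(values):
    """True only when the field matches everything, i.e. its sole member is 'Any'."""
    return [v.lower() for v in values] == ["any"]


def check_cleanup_rule(rulebase):
    """Return a list of findings; an empty list means the control is satisfied."""
    rules = [r for r in _flatten(rulebase.get("rulebase", [])) if r.get("enabled", True)]
    if not rules:
        return ["rulebase has no enabled rules"]
    last = rules[-1]
    name = last.get("name", "<unnamed>")
    findings = []
    if last.get("action", "").lower() != "drop":
        findings.append(f"last rule '{name}': action is {last.get('action')}, expected Drop")
    for field in ("source", "destination", "service"):
        if not _is_any(last.get(field, [])):
            findings.append(f"last rule '{name}': {field} is not Any")
    if last.get("track", "None").lower() == "none":
        findings.append(f"last rule '{name}': logging is not enabled (track=None)")
    return findings


if __name__ == "__main__":
    print(check_cleanup_rule(SAMPLE_RULEBASE) or "OK: cleanup rule present and logged")
```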

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-2, 800-53|SC-7, 800-53|SC-7(11), CSCv7|11.1, CSCv7|12.3, CSCv7|12.4

Plugin: CheckPoint

Control ID: a25a79795e57ad5a9cb88913ab9fda3fdfcb0b0c5e35079d3a2cf43b1f9dfb6b