Policy: Firewall-VPN
Last Modified: Wed Oct 27 07:28:53 2004



Security Rulebase

Columns: No | Name | Source | Destination | VPN | Service | Action | Track | Install On | Time | Comment

Limit Access to Gateways Rule

Rule 1: Stealth
  Source:      Corporate-internal-net
  Destination: GW-group
  VPN:         Any Traffic
  Service:     Any
  Action:      drop
  Track:       Alert
  Install On:  Policy Targets
  Time:        Any
  Comment:     Stealth rule - prevent the VPN & firewall host from being scanned or attacked

VPN Access Rules

Rule 2: Site to site VPN
  Source:      Any
  Destination: Any
  VPN:         All_GwToGw
  Service:     CIFS, ftp-port, http, https, smtp
  Action:      accept
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow site to site VPN traffic

Rule 3: Remote access
  Source:      Mobile-vpn-user@Any
  Destination: Any
  VPN:         RemoteAccess
  Service:     CIFS, http, https, imap
  Action:      accept
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow remote access VPN users access to file, web, and print services

Rule 4: Clientless VPN
  Source:      Clientless-vpn-user@Any
  Destination: Corporate-WA-proxy-server
  VPN:         Any Traffic
  Service:     https
  Action:      User Auth
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow clientless (SSL based) VPN access using certificates from the VPN-1 Internal Certificate Authority

Rule 5: Web server
  Source:      Customers@Any, L2TP-vpn-user@Any
  Destination: Remote-1-web-server
  VPN:         Any Traffic
  Service:     http
  Action:      accept
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow partners using Microsoft Windows VPN clients or customers to access Remote 1's web server

Rules for Specific Sites

Rule 6: Outbound HTTP
  Source:      Remote-2-internal
  Destination: Any
  VPN:         Any Traffic
  Service:     http
  Action:      Client Auth
  Track:       Log
  Install On:  Remote-2-gw
  Time:        Any
  Comment:     Audit all outbound user HTTP connections from remote-2-internal using UserAuthority

Rule 7: Critical subnet
  Source:      Corporate-internal-net
  Destination: Corporate-finance-net, Corporate-hr-net, Corporate-rnd-net
  VPN:         Any Traffic
  Service:     Any
  Action:      accept
  Track:       Log
  Install On:  Corporate-gw
  Time:        Any
  Comment:     Log traffic to critical subnets - only enforce this rule on the Corporate-gw

Rule 8: Tech support
  Source:      Tech-Support
  Destination: Remote-1-web-server
  VPN:         Any Traffic
  Service:     http
  Action:      accept
  Track:       Alert
  Install On:  Remote-1-gw
  Time:        Any
  Comment:     Allow technical support access to web server - only enforce this rule on Remote-1-gw

Common Rules - All Sites

Rule 9: Terminal server
  Source:      Corporate-internal-terminal-server
  Destination: Any
  VPN:         Any Traffic
  Service:     Any
  Action:      Session Auth
  Track:       Log
  Install On:  Corporate-gw
  Time:        Any
  Comment:     Audit all traffic from terminal server using UserAuthority

Rule 10: DNS server
  Source:      Any
  Destination: Corporate-dns-ext
  VPN:         Any Traffic
  Service:     domain-udp
  Action:      accept
  Track:       None
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow domain name queries to external DNS server

Rule 11: SOAP
  Source:      Any
  Destination: Corporate-WA-proxy-server
  VPN:         Any Traffic
  Service:     http->SOAP-requests
  Action:      accept
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow only selected SOAP methods - block all others

Rule 12: Mail and Web servers
  Source:      Any
  Destination: Corporate-dmz-net
  VPN:         Any Traffic
  Service:     http, https, smtp
  Action:      accept
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow incoming connections to the mail and web servers

Rule 13: SMTP
  Source:      Corporate-mail-server
  Destination: Internal-net-group
  VPN:         Any Traffic
  Service:     smtp
  Action:      accept
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Allow outgoing SMTP connections, but don't allow the mail server to initiate connections to the internal networks, in case it is compromised

Rule 14: DMZ and Internet
  Source:      Internal-net-group
  Destination: Any
  VPN:         Any Traffic
  Service:     Any
  Action:      accept
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     User access to DMZ servers and Internet

Rule 15: Clean up rule
  Source:      Any
  Destination: Any
  VPN:         Any Traffic
  Service:     Any
  Action:      drop
  Track:       Log
  Install On:  Policy Targets
  Time:        Any
  Comment:     Clean up rule - block all other connections

Address Translation Rulebase

Columns: No | Original Packet (Source; Destination; Service) | Translated Packet (Source; Destination; Service) | Install On | Comment

Rule 1: DISABLED
  Install On:        Policy Targets

Rule 2:
  Original packet:   Source Corporate-WA-proxy-server; Destination Any; Service Any
  Translated packet: Source Corporate-WA-proxy-server (Valid Address); Destination Original; Service Original
  Install On:        All
  Comment:           Automatic rule (see the network object data).

Rule 3:
  Original packet:   Source Any; Destination Corporate-WA-proxy-server (Valid Address); Service Any
  Translated packet: Source Original; Destination Corporate-WA-proxy-server; Service Original
  Install On:        All
  Comment:           Automatic rule (see the network object data).

Rule 4:
  Original packet:   Source Corporate-mail-server; Destination Any; Service Any
  Translated packet: Source Corporate-mail-server (Valid Address); Destination Original; Service Original
  Install On:        All
  Comment:           Automatic rule (see the network object data).

Rule 5:
  Original packet:   Source Any; Destination Corporate-mail-server (Valid Address); Service Any
  Translated packet: Source Original; Destination Corporate-mail-server; Service Original
  Install On:        All
  Comment:           Automatic rule (see the network object data).

Rule 6:
  Original packet:   Source Remote-1-web-server; Destination Any; Service Any
  Translated packet: Source Remote-1-web-server (Valid Address); Destination Original; Service Original
  Install On:        Remote-1-gw
  Comment:           Automatic rule (see the network object data).

Rule 7:
  Original packet:   Source Any; Destination Remote-1-web-server (Valid Address); Service Any
  Translated packet: Source Original; Destination Remote-1-web-server; Service Original
  Install On:        Remote-1-gw
  Comment:           Automatic rule (see the network object data).

Rule 8:
  Original packet:   Source Corporate-dns-ext; Destination Any; Service Any
  Translated packet: Source Corporate-dns-ext (Hiding Address); Destination Original; Service Original
  Install On:        All
  Comment:           Automatic rule (see the network object data).

Rule 9:
  Original packet:   Source CP_default_Office_Mode_addresses_pool; Destination CP_default_Office_Mode_addresses_pool; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        All
  Comment:           Automatic rule (see the network object data).

Rule 10:
  Original packet:   Source CP_default_Office_Mode_addresses_pool; Destination Any; Service Any
  Translated packet: Source CP_default_Office_Mode_addresses_pool (Hiding Address); Destination Original; Service Original
  Install On:        All
  Comment:           Automatic rule (see the network object data).

Rule 11:
  Original packet:   Source Corporate-finance-net; Destination Corporate-finance-net; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 12:
  Original packet:   Source Corporate-finance-net; Destination Any; Service Any
  Translated packet: Source Corporate-finance-net (Hiding Address); Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 13:
  Original packet:   Source Corporate-hr-net; Destination Corporate-hr-net; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 14:
  Original packet:   Source Corporate-hr-net; Destination Any; Service Any
  Translated packet: Source Corporate-hr-net (Hiding Address); Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 15:
  Original packet:   Source Corporate-internal-net; Destination Corporate-internal-net; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 16:
  Original packet:   Source Corporate-internal-net; Destination Any; Service Any
  Translated packet: Source Corporate-internal-net (Hiding Address); Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 17:
  Original packet:   Source Corporate-rnd-net; Destination Corporate-rnd-net; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 18:
  Original packet:   Source Corporate-rnd-net; Destination Any; Service Any
  Translated packet: Source Corporate-rnd-net (Hiding Address); Destination Original; Service Original
  Install On:        Corporate-gw
  Comment:           Automatic rule (see the network object data).

Rule 19:
  Original packet:   Source Remote-1-internal; Destination Remote-1-internal; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Remote-1-gw
  Comment:           Automatic rule (see the network object data).

Rule 20:
  Original packet:   Source Remote-1-internal; Destination Any; Service Any
  Translated packet: Source Remote-1-internal (Hiding Address); Destination Original; Service Original
  Install On:        Remote-1-gw
  Comment:           Automatic rule (see the network object data).

Rule 21:
  Original packet:   Source Remote-2-internal; Destination Remote-2-internal; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Remote-2-gw
  Comment:           Automatic rule (see the network object data).

Rule 22:
  Original packet:   Source Remote-2-internal; Destination Any; Service Any
  Translated packet: Source Remote-2-internal (Hiding Address); Destination Original; Service Original
  Install On:        Remote-2-gw
  Comment:           Automatic rule (see the network object data).

Rule 23:
  Original packet:   Source Remote-3-internal; Destination Remote-3-internal; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Remote-3-gw
  Comment:           Automatic rule (see the network object data).

Rule 24:
  Original packet:   Source Remote-3-internal; Destination Any; Service Any
  Translated packet: Source Remote-3-internal (Hiding Address); Destination Original; Service Original
  Install On:        Remote-3-gw
  Comment:           Automatic rule (see the network object data).

Rule 25:
  Original packet:   Source Remote-4-internal; Destination Remote-4-internal; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Remote-4-gw
  Comment:           Automatic rule (see the network object data).

Rule 26:
  Original packet:   Source Remote-4-internal; Destination Any; Service Any
  Translated packet: Source Remote-4-internal (Hiding Address); Destination Original; Service Original
  Install On:        Remote-4-gw
  Comment:           Automatic rule (see the network object data).

Rule 27:
  Original packet:   Source Remote-5-internal; Destination Remote-5-internal; Service Any
  Translated packet: Source Original; Destination Original; Service Original
  Install On:        Remote-5-gw
  Comment:           Automatic rule (see the network object data).

Rule 28:
  Original packet:   Source Remote-5-internal; Destination Any; Service Any
  Translated packet: Source Remote-5-internal (Hiding Address); Destination Original; Service Original
  Install On:        Remote-5-gw
  Comment:           Automatic rule (see the network object data).

Desktop Security

Inbound Rules
Columns: No | Source | Desktop | Service | Action | Track | Comment

Rule 1:
  Source:  Any
  Desktop: Mobile-vpn-user@Any
  Service: Any
  Action:  Block
  Track:   Log
  Comment: Block incoming connections from the Internet

Outbound Rules
Columns: No | Desktop | Destination | Service | Action | Track | Comment

Rule 2:
  Desktop:     Mobile-vpn-user@Any
  Destination: Any
  Service:     Any
  Action:      Accept
  Track:       Log
  Comment:     Allow outgoing connections to the Internet


Generated by: CPRules 2.01
at: Mon Oct 26 21:32:41 2009