Lesson 1: Fundamentals of Check Point access control policy structure (top-down rule processing, rule hit counts)

Understand the logical structure of Check Point access control policies, including ordered (first-match) rule evaluation, inline layers, hit counts, and how rule placement affects security, troubleshooting, and long-term rulebase maintainability.

Topics:
- Top-down rule evaluation behavior
- Inline layers and ordered layers usage
- Using rule hit counts for analysis
- Shadowed and overlapping rule detection
- Change control for policy structure

Lesson 2: Rule composition: Source, Destination, Service/Port, Action, Track, Install On, with detailed examples

Explore each rule component in detail, including Source, Destination, Service, Action, Track, and Install On, with concrete examples that show common patterns, pitfalls, and best practices for building readable, auditable rules.

Topics:
- Choosing precise source definitions
- Designing accurate destinations and groups
- Selecting services and custom ports
- Action and Track field best practices
- Install On targets and policy packages

Lesson 3: Rulebase optimization and performance considerations: using groups, simplifying rules, and monitoring rule hits

Optimize rulebase performance by consolidating objects into groups, simplifying rules, tuning services, and using hit count data and logs to identify unused or inefficient rules, while preserving clarity and security posture.

Topics:
- Group networks and services logically
- Consolidate similar rules safely
- Tune services and application objects
- Use hit counts to remove stale rules
- Monitor performance and policy impact

Lesson 4: Guest network isolation: rules and layers to enforce Internet-only access and client-to-client blocking

Design guest network isolation using dedicated layers, zones, and restrictive rules that enforce Internet-only access, block client-to-client traffic, and prevent lateral movement into internal, DMZ, and management segments.

Topics:
- Define guest VLANs and zones
- Enforce Internet-only egress rules
- Block client-to-client communication
- Prevent access to internal networks
- Monitor guest usage and anomalies

Lesson 5: Rules for server-to-server and inter-site access (HQ_Server and BR_Server), including restricted ports and time-based constraints

Learn how to design secure server-to-server and inter-site rules between HQ and branch servers, including restricted service exposure, time-based access windows, logging, and validation techniques that preserve availability while minimizing attack surface.

Topics:
- Identify HQ_Server and BR_Server assets
- Define allowed services and restricted ports
- Implement time-based access control
- Log and monitor inter-site traffic
- Test and validate server access rules

Lesson 6: Cleanup rules, implied rules, and rulebase hygiene: placement, naming, and purpose

Understand cleanup rules, implied rules, and rulebase hygiene practices, including rule ordering, naming conventions, documentation, and periodic reviews that keep the policy efficient, auditable, and aligned with security standards.

Topics:
- Analyze implied rules and defaults
- Design explicit cleanup and drop rules
- Apply clear naming conventions
- Document rule purpose and owners
- Schedule periodic rulebase reviews

Lesson 7: Designing rules for web, DNS, and mail for HQ_Office and BR_Office with least-privilege principles

Design least-privilege rules for web, DNS, and mail traffic for HQ_Office and BR_Office, limiting access by user, network, and application, while ensuring business continuity, logging, and clear separation of outbound and inbound flows.

Topics:
- Identify office web, DNS, and mail flows
- Separate HQ_Office and BR_Office policies
- Restrict services and destinations tightly
- Apply user and group-based controls
- Log and review office traffic patterns

Lesson 8: DMZ publishing: rules to allow Internet to HQ_DMZ web and mail servers, with NAT and inspection considerations

Learn how to publish DMZ services securely, allowing Internet access to HQ_DMZ web and mail servers while applying NAT, inbound HTTPS inspection, Anti-Bot, and IPS controls, and ensuring logging, redundancy, and a minimal exposed surface.

Topics:
- Identify HQ_DMZ web and mail assets
- Configure static and hide NAT rules
- Restrict inbound services and ports
- Apply HTTPS inspection and IPS
- Monitor DMZ traffic and anomalies

Lesson 9: Designing role-based rule sets for HQ and Branch gateways: separation of Internet, internal, DMZ, and management access

Build role-based rule sets for HQ and branch gateways that clearly separate Internet, internal, DMZ, and management traffic, using layers, network objects, and naming standards to simplify delegation, auditing, and troubleshooting.

Topics:
- Identify roles and traffic categories
- Separate Internet and internal rules
- Isolate DMZ and management access
- Use layers for role-based policies
- Delegate administration by role

Lesson 10: Management access rules: restricting SSH/RDP/HTTPS to HQ_Mgmt, use of Secure Internal Communication (SIC), management zones, and compensating controls

Design tightly controlled management access rules for SSH, RDP, and HTTPS to HQ_Mgmt, leveraging Secure Internal Communication (SIC, the certificate-based trust between the Security Management Server and its gateways), management zones, jump hosts, and compensating controls such as MFA, logging, and just-in-time access.

Topics:
- Define HQ_Mgmt networks and hosts
- Restrict SSH, RDP, and HTTPS sources
- Use management zones and SIC
- Apply MFA and just-in-time access
- Log and review admin activity
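The mechanics behind Lessons 1, 3, 4, 5 and 6 (first-match evaluation, hit counters, guest isolation and time-window rules, an explicit cleanup rule, and detection of fully shadowed rules) can be seen in a small model. The following is an added example written for this page; it is not Check Point code and does not reproduce the gateway's engine. Object names such as Guest_VLAN, HQ_Server, BR_Server and HQ_Mgmt, the addresses, the service sets and the sample flows are all assumed for the illustration. The shadow check is pairwise (a rule hidden only by the union of several earlier rules is not reported), and the guest client-to-client Drop only has effect for traffic that actually crosses the gateway; hosts on the same VLAN need switch-side client isolation as well.

```python
"""Added illustration of first-match rulebase evaluation (not Check Point's engine)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "Any"  # stands in for the Any object in Source/Destination/Service


@dataclass
class Rule:
    name: str
    src: object            # list of ip_network, or ANY
    dst: object            # list of ip_network, or ANY
    services: object       # set of (proto, port) tuples, or ANY
    action: str            # "Accept" or "Drop"
    time: Optional[tuple] = None  # (start_hour, end_hour), end exclusive; None = always
    hits: int = 0


def _covers_addr(nets, addr):
    return nets is ANY or any(addr in n for n in nets)


def rule_matches(rule, flow):
    src, dst, proto, port, hour = flow
    if not _covers_addr(rule.src, ip_address(src)):
        return False
    if not _covers_addr(rule.dst, ip_address(dst)):
        return False
    if rule.services is not ANY and (proto, port) not in rule.services:
        return False
    if rule.time is not None and not (rule.time[0] <= hour < rule.time[1]):
        return False
    return True


def evaluate(rulebase, flow):
    """Top-down, first match wins; the matching rule's hit counter is incremented."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            rule.hits += 1
            return rule.name, rule.action
    raise RuntimeError("no match: the rulebase must end with an explicit cleanup rule")


def _nets_subsumed(inner, outer):
    if outer is ANY:
        return True
    if inner is ANY:
        return False
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def _services_subsumed(inner, outer):
    return outer is ANY or (inner is not ANY and inner <= outer)


def _time_subsumed(inner, outer):
    if outer is None:
        return True
    return inner is not None and outer[0] <= inner[0] and inner[1] <= outer[1]


def shadowed_rules(rulebase):
    """(later, earlier) pairs where 'earlier' matches everything 'later' could, so 'later'
    never fires. The action does not matter: an earlier Accept shadows a later Drop too."""
    found = []
    for j, later in enumerate(rulebase):
        for earlier in rulebase[:j]:
            if (_nets_subsumed(later.src, earlier.src) and _nets_subsumed(later.dst, earlier.dst)
                    and _services_subsumed(later.services, earlier.services)
                    and _time_subsumed(later.time, earlier.time)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed objects (assumed addressing, not from the course material).
GUEST_VLAN = [ip_network("192.168.50.0/24")]
HQ_NET = [ip_network("10.1.0.0/16")]
HQ_SERVER = [ip_network("10.1.20.10/32")]
BR_SERVER = [ip_network("10.2.20.10/32")]
HQ_MGMT = [ip_network("10.1.99.0/24")]
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
WEB = {("tcp", 80), ("tcp", 443)}
DNS = {("udp", 53), ("tcp", 53)}


def build_rulebase():
    return [
        Rule("Guest client-to-client block", GUEST_VLAN, GUEST_VLAN, ANY, "Drop"),
        Rule("Guest to internal block", GUEST_VLAN, RFC1918, ANY, "Drop"),
        Rule("Guest Internet only", GUEST_VLAN, ANY, WEB | DNS, "Accept"),
        Rule("HQ_Server to BR_Server backup window", HQ_SERVER, BR_SERVER, {("tcp", 5432)}, "Accept", time=(1, 5)),
        Rule("HQ to HQ_Mgmt SSH", HQ_NET, HQ_MGMT, {("tcp", 22)}, "Accept"),
        Rule("HQ_Server SSH to HQ_Mgmt", HQ_SERVER, HQ_MGMT, {("tcp", 22)}, "Accept"),  # hidden by the rule above
        Rule("Cleanup", ANY, ANY, ANY, "Drop"),
    ]


# Constructed flows: (src, dst, proto, port, hour-of-day).
SAMPLE_FLOWS = [
    ("192.168.50.10", "93.184.216.34", "tcp", 443, 10),  # guest web browsing
    ("192.168.50.10", "10.1.20.10", "tcp", 443, 10),     # guest towards HQ server
    ("192.168.50.10", "192.168.50.11", "tcp", 445, 10),  # guest to guest
    ("10.1.20.10", "10.2.20.10", "tcp", 5432, 3),        # inside the backup window
    ("10.1.20.10", "10.2.20.10", "tcp", 5432, 9),        # outside the window
    ("10.1.20.10", "10.1.99.5", "tcp", 22, 9),           # admin SSH from a server
]


def run(flows=SAMPLE_FLOWS):
    """Evaluate the flows, then report hit counts and shadowed rules (zero hits + shadowed = delete candidate)."""
    rulebase = build_rulebase()
    decisions = [evaluate(rulebase, f) for f in flows]
    hits = {r.name: r.hits for r in rulebase}
    return decisions, hits, shadowed_rules(rulebase)


if __name__ == "__main__":
    for item in run():
        print(item)
```

Reading the output in the order the page's lessons present it: the two guest Drop rules sit above the guest Accept so that placement, not the Accept's destination, does the isolation; the time-restricted server rule falls through to the cleanup rule outside its window, which is where an unexpected Cleanup hit in the logs points you; and the rule with zero hits that the shadow check also reports is the one a hit-count review would safely remove.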