topic Re: need &quot;initial policy&quot; specifics for R81 distributed gateway (no SIC established) in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/need-quot-initial-policy-quot-specifics-for-R81-distributed/m-p/141204#M26945 <P>After the first-time wizard, you should get InitialPolicy. That one allows management services.</P> <P>After a reboot, you probably get defaultPolicy instead. That one drops everything.&nbsp;You can check this with 'fw stat' before the 'fw unloadlocal'.</P> Thu, 10 Feb 2022 19:27:02 GMT Bob_Zimmerman 2022-02-10T19:27:02Z need "initial policy" specifics for R81 distributed gateway (no SIC established) https://community.checkpoint.com/t5/Firewall-and-Security-Management/need-quot-initial-policy-quot-specifics-for-R81-distributed/m-p/141192#M26944 <P>Hello --</P><P>Initial Policy on model 5800 newly re-imaged with R81 (no jumbo ...yet).</P><P>SIC has NOT been established with SmartCenter.</P><P>What should we expect with initial policy after Initial Setup Wizard completed?</P><P>Immediately after run of Wizard, we can talk to gateway Mgmt IP (192.168.1.1) via both SSH and HTTPS/443.</P><P>I know that I can establish SIC at this point, so I know there are subset of secure CP services that are accepted.</P><P>At all times, I'm assuming Initial Policy allows full outbound access originated from gateway.</P><P>If we gracefully reboot this gateway, the inbound SSH and HTTPS/443 are blocked and we must execute "fw unloadlocal".</P><P>why is this true after reboot?&nbsp;&nbsp;&nbsp;&nbsp;</P><P>why does Initial Policy "change" from period following Wizard to following reboot?&nbsp; This weird.</P><P>The Administrator Guide does NOT delve into specifics on this.&nbsp;&nbsp; <A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/The-Initial-Policy.htm" target="_blank" rel="noopener">Initial-Policy-R81.</A></P><P>I did find the discussed on following thread interesting <A href="https://community.checkpoint.com/t5/Security-Gateways/Checkpoint-Security-Gateway-applies-quot-Initial-Policy-quot/td-p/115695" target="_blank" rel="noopener">Initial Policy after Firmware Upgrade.</A></P><P>thanks -GA</P><P>&nbsp;</P> Thu, 10 Feb 2022 17:50:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/need-quot-initial-policy-quot-specifics-for-R81-distributed/m-p/141192#M26944 Garrett_DirSec 2022-02-10T17:50:28Z Re: need "initial policy" specifics for R81 distributed gateway (no SIC established) https://community.checkpoint.com/t5/Firewall-and-Security-Management/need-quot-initial-policy-quot-specifics-for-R81-distributed/m-p/141204#M26945 <P>After the first-time wizard, you should get InitialPolicy. That one allows management services.</P> <P>After a reboot, you probably get defaultPolicy instead. That one drops everything.&nbsp;You can check this with 'fw stat' before the 'fw unloadlocal'.</P> Thu, 10 Feb 2022 19:27:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/need-quot-initial-policy-quot-specifics-for-R81-distributed/m-p/141204#M26945 Bob_Zimmerman 2022-02-10T19:27:02Z