topic Re: prevent access policy change in Spark Firewall (SMB)

prevent access policy change

Leonid_German — Wed, 30 Dec 2020 08:45:59 GMT

Hello,
I am looking for some option to prevent local admin to create rules "on top" of SMP auto -generated rules.
Even if the firewall access policy and URL/App filtering policy configured "manage in SMP" -local admin can still add manual rule with "any-any accept" on topof those rules .
In this case all block rule for "undesired applications " are ineffective.

Any ideas?

Thank you.

Re: prevent access policy change

HristoGrigorov — Wed, 30 Dec 2020 16:08:54 GMT

Admin is supposed to be able to change policy. But you may create account with "view only" permissions.

Re: prevent access policy change

PhoneBoy — Wed, 30 Dec 2020 16:13:55 GMT

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk118035

Note this requires recent firmware and is NOT currently supported on the 1500 series appliances.

Re: prevent access policy change

Bob_Zimmerman — Wed, 30 Dec 2020 16:21:08 GMT

So to be clear, you want to have rules which the device administrator cannot opt out of?

That's what Provider-1's global policies do. You have a "Before" section and an "After" section at the global level. These rules are imposed on the CMAs. Admins at the CMA level cannot make any rules above the "Before" rules from the global policy.

Re: prevent access policy change

PhoneBoy — Wed, 30 Dec 2020 16:50:08 GMT

It's also the kind of functionality SMP supports, just not with 1500 gateways (yet, presumably).

Re: prevent access policy change

Bob_Zimmerman — Wed, 30 Dec 2020 21:28:53 GMT

And the 1500s can be managed by a SmartCenter, so Provider-1 would work now. 😜

As an aside, does GAiA Embedded have Sofaware bits? I don't think I knew SMP could manage them. Or that SMP was still around, really.

Re: prevent access policy change

PhoneBoy — Wed, 30 Dec 2020 21:53:33 GMT

Right, but the question was about SMP.
In the Sofaware days, SMP was both a cloud-based and an on-premise management solution for Safe@/UTM-1 EDGE appliances.
It has since been expanded to manage Embedded Gaia appliances, but we no longer offer it as an on-premise solution.

Now, as to whether there are Sofaware bits in Embedded Gaia, I'd say: highly likely.
We did fully acquire Sofaware, after all. 🙂

Re: prevent access policy change

Leonid_German — Thu, 31 Dec 2020 08:35:24 GMT

Thank you all!
It seems like only Privider-1 management can support full pre and post rules.
SMP portal pre rules are not include applications/url restrictions .
I hope in the future Checkpoint will support pre rules with application control on SMP management.