This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
chauhac1
Participant
‎2021-04-06 02:01 PM

Create same rule, across multiple gateways in the same domain

Good Evening All,

I hope I have the terminology correct as I'm still new to CheckPoints.

I have a Domain, with 60 or so Firewalls.

I am trying to create an Office365 rule across the board, so far I have played around with hosts into a group and thats worked out ok... then I discovered the Updatable O365 object. 

First Question

So far my rule looks like this... but fails on the positioning part... I want to position below an existing rule, which I know is on all Firewalls in my Domain, I have tried just the position command but I want it below my Sentinel rule not at the top or bottom of my ruleset, have I totally missed something here? 

add access-rule layer "Network" source "any" destination "Office365 Services" service "Office365" action "Accept" track-settings.type "Log" vpn "any" position below "SentinelONE_allow" name "Office365 Comms" install-on "TESTFW01"

code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [below]"

The next question(s) are... 

When I use the install-on, I think I know I will need separate lines for each firewall for the rule, however, will this tell me if it fails? Can push the same rule out to many firewalls and push at once? Is there a more efficient way of working with this, as I know we have been adding the same rule via the GUI and its taking an age to apply the rule, then to push the policy, wait, then start on the next firewall. 

Any wisdom is hugely appreciated.

0 Kudos
6 Replies
Vladimir
Champion
Champion
‎2021-04-06 03:31 PM

I suspect that the part of the problem is that the Office365Services is the part of the URLF/App Control and you are trying to use it in the Firewall layer.

As far as applying same rule across multiple gateways: it depends on the way your environment is managed:

i.e.: You can have a single rulebase for all of your gateways by including them in the Policy Installation Targets. In this case, gateway or site-specific rules have to have their target gateways or groups defined in each of those rules.

Alternatively, you can have separate policy for each gateway or group, but constract Shared Layers containing common rules.

 

PhoneBoy
Admin
Admin
‎2021-04-06 07:31 PM
In response to Vladimir

And further, unless you're on R81, you can only push one Security Policy at a time.

0 Kudos
chauhac1
Participant
‎2021-04-07 07:01 AM
In response to PhoneBoy

Is this for GLobal Rules too?

So I can add the rules manually which looks like the Global Domain from the MDS.

I can add the rule, I have most of the API commands in place for the Source Ranges, Destination (but I can add the updateable O365 here via the GUI) the Ports too.

The question is, if I add a Global Rule for O365 access, will this clash on the validation check prior to pushing if other firewalls within my Domains have the same rule? 

Also, under Global Assignments, I can see my Global Domain does not have all of my Domains, so I am assuming I would have to add the delta in place. 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-07 08:07 AM
In response to chauhac1

You can only have one Policy Installation action going at a time per domain for all versions prior to R81.
R81 supports up to 5.

Given that Updatable Objects require R80.20+ gateways, I don't think you can add them to global rules.
Also, I don't think you'll have an issue with Policy Verification.

FYI, the 'Install-On' field can have multiple gateways listed in it.

0 Kudos
genisis__
Leader Leader
Leader
‎2021-04-07 08:16 AM
In response to PhoneBoy

What about a preset policy?  If this is MDS environment could a preset policy be used to achieve the goal?

0 Kudos
Jonas_Rosenboom
Employee
Employee
‎2021-04-09 05:00 AM

First question:

You need a '.' between `position` and `below` instead of the space. 

add access-rule layer "Network" source "any" destination "Office365 Services" service "Office365" action "Accept" track-settings.type "Log" vpn "any" position.below "SentinelONE_allow" name "Office365 Comms" install-on "TESTFW01"

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events