Always wondered if it is possible to CLI create <policy>.pf files on the gateway (after all it is a text file of PF script commands) and fool the gateway into loading it as current policy 🙂 ?

Nope, that will not work.

There is another hack, changing default policy settings and then force GW to recompile it and apply instead of one installed before. On top, if you want traffic to be forwarded, IP forwarding should be enabled (it is off with default policy). i have seen that working, and I do urge you not even to try doing that 🙂 

It would appear this no longer works. 

I tried doing this using the example below and whilst I can see in the logs that the connection was using the sam the default deny for my inline layer still rejected the connection.

I assume this may be due to the action being notify. there is no accept available.

Any thoughts?

fw sam_policy add -u -t 120 -a i -l r -n "temp vc access" ip -s 10.0.92.19 -d 10.0.74.130 -p 443 -r 6

SAM rules are not meant to "accept" traffic only alert on and block.

That's what I thought also. However this old thread suggest that it is possible in an emergency. I was just wondering if it is no longer possible or is the sample I gave above just wrong?
I tried on a gateway using r81.10 Take 79

Existing mechanisms like SAM or fwaccel dos can only block traffic before the access rulebase.
Any “allow” rules configured there are still evaluated against the access policy you’ve configured.

The functionality requested here (ability to configure an access policy rule independently of central management) is on the roadmap.

I would not build any expectations on API capabilities. Gaia API are for OS parameters, not policy. And Management API needs just that, the management 🙂

Of note: it has been recommended for at least 15 years that the management server not be behind a firewall it manages. It is extremely easy to get yourself into a situation where your firewall policy doesn't let you get through it to the management server to fix a problem.

I second this notion 🙂

I can understand your intention, but for many readers of this post it sounds like you recommend design in Case B in picture attached , not sure it would be a good idea 😊

Do NOT use Case B design

That's no what he said. Of course exposing MGMT server to external access is a bad idea. It has to be in a fully secured zone. The notion is, access to it should not fully depend of FWs that MGMT server controls.

Guys, thank you for all your feedback.

I understand that there should be no firewall between firewall management and its gateways.

But what if a customer would have many gateways all over the world at different locations?
Then I would need a separate mgmt system on every site to avoid having a firewall (or any other problem) between the gateways and the management?
This sounds expensive and also difficult to administrate (object/rule duplications, etc.)?

For the vendor Barracuda this guideline is not necessary and there is no chicken/egg-issue (if you are prepared for Emergency Override).
You can configure all rules (with all functions like nat/ips) temporary also directly on each Barracuda gateway (with Emergency Override).
This means that you can connect to each gateway directly with your administrative GUI client.
After the mgmt is available again you can add the changes to the central mgmt system and sync the new configuration back to the gateways.
In my opinion this is a big advantage and the firewall adminstrators can sleep better when having such a fallback solution 😉

Would be great if Checkpoint would implement a similar solution in future (eg. with SmartConsole web client).

Then I would need a separate mgmt system on every site to avoid having a firewall (or any other problem) between the gateways and the management?

Not true. 

The Checkpoint solution is to have an Active management server and a Standby management server. If they are geographically dispersed, your International gateways should be able to reach at least one of them at all times.

Hello Tomer_Noy,

my idea was also to prepare objects and rules. My guess were DNS-based objects which I configure or change within the internal dns management in case of any problems, but dynamic objects are more flexible in some scenarios.

Of course I like a central fw management and also the vendor Barracuda uses a centralized management in normal conditions.

But in case of any big infrastructure failure (eg. blade server / vmware / SAN storage / network) there is a risk that the fw management (specially virtualized ones) cannot be used to implement additional rules to troubleshoot/fix any huge, urgent problem.
(sample: add a temporary rule for allowing internal engineers to get external technical support when the internal proxy-serverfarm which is used for Internet access is also impacted by the actual problem)

In my opinion not every failure scenario (chicken/egg) can be pre-thought and completely avoided (also think about human failures torpedoing your well-thought high-availability and disaster recovery plans).
And or course the fw-change has to be done very fast, so that the impacted customer services can be recovered as fast as possible (think of thousands of users who cannot do their job).
(the fw-change process should not impact additional still functioning services)

So I will consider to implement dynamic object-based place holder rules. Thanks for that hint.

Regards,
Chris

@wagnerch I would prefer using Management-HA in such a case. If so many enduser are affected and you're need is to have an always on firewall management you can setup these secondary mangement at another location. If the first one is failing or not available you can change any rules with the secondary with the same tools and processes like on the first.

see How to Configure Management HA