DR_74
Collaborator

Firewall Rules "templates"

Hello,
I would like to know if it is possible to create some sort of firewall rule templates.
I have several remote branches with a firewall on each site.
Most of the rules are similar on each site. For example, the PC subnet can communicate with the printer subnet.

Is it possible to create some sort of template so that if I add a TCP port to the policy for the rule "PC to Printers", it will change all the rules on all the remote branch firewalls?

I do not have an MDS Management server.

I was thinking of creating groups with all the PC subnets and all the printer subnets (for the different sites), but this will push all the objects to all the firewalls.... Is there a better way to do it? (inline layer? shared layer?)

Thank you for any good ideas.

0 Kudos
7 Replies
Tal_Paz-Fridman
MVP Gold CHKP

0 Kudos
PhoneBoy
Admin

First of all, the same policy can be installed on multiple gateways.
Second, the policy itself can be constructed with “generic elements” (e.g. Zones, Dynamic Objects).
Using inline layers, you can create “templates” for things like an Internet access policy.

0 Kudos
DR_74
Collaborator

The idea would be to have something like this:

A single rule that says: From "PC_Subnet" to "Printer_subnet", and the gateway would automatically calculate the right subnet.

If on site 1: PC_subnet = 192.168.1.0/24

If on site 2: PC_subnet = 192.168.2.0/24

Same for printers.

That way, if I add a new rule with these objects, all sites will be updated with the correct subnet.

0 Kudos
PhoneBoy
Admin

Zones are assigned to traffic to/from specific interfaces.
If the printer and PC subnets are on different interfaces, this will work as long as the remote sites have the same topology.

The other option is Dynamic Objects, the content of which is defined on the gateway itself using the dynamic_objects CLI command.

0 Kudos
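A per-site script built on that dynamic_objects approach, added here as an example and not code from Check Point or from anyone in the thread. It assumes the CLI forms `dynamic_objects -n NAME` (create) and `dynamic_objects -o NAME -r FROM TO -a` (add a range), which you should check against your release's CLI reference, and that a dynamic object of the same name exists in the policy; the site map and its subnets are constructed for the example.

```shell
#!/bin/sh
# Fill gateway-side dynamic objects from a site's own subnet list so that one
# policy rule "PC_subnet -> Printer_subnet" resolves to the right addresses on
# every branch gateway. Added example, not Check Point code: the flags used
# (-n to create, -o NAME -r FROM TO -a to add a range) are assumed from the CLI
# reference. dynamic_objects takes ranges, so CIDR notation is converted first.

# Constructed per-site map ("object_name cidr" per line). On a real gateway this
# file differs per site while the object names stay the same as in the policy.
SITE_MAP='PC_subnet 192.168.1.0/24
Printer_subnet 192.168.10.0/24'

ip_to_int() {   # 192.168.1.0 -> 3232235776
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {   # 3232235776 -> 192.168.1.0
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# 192.168.1.0/24 -> "192.168.1.0 192.168.1.255". A host address such as
# 192.168.2.77/26 is normalised to its network first, so the range stays correct.
cidr_to_range() {
    net=${1%/*}; plen=${1#*/}
    size=$(( 1 << (32 - plen) ))
    first=$(( $(ip_to_int "$net") & ~(size - 1) ))
    echo "$(int_to_ip "$first") $(int_to_ip $(( first + size - 1 )))"
}

# Print the CLI commands for one site map: create the object, then add its range.
build_cmds() {
    printf '%s\n' "$1" | while read -r name cidr; do
        [ -n "$name" ] || continue
        echo "dynamic_objects -n $name"
        echo "dynamic_objects -o $name -r $(cidr_to_range "$cidr") -a"
    done
}

# Run the commands only where the binary exists (a gateway in expert mode);
# anywhere else this is a dry run that shows what would be applied.
apply_site_map() {
    if command -v dynamic_objects >/dev/null 2>&1; then
        build_cmds "$1" | sh -e
    else
        echo "dynamic_objects not found, dry run:" >&2
        build_cmds "$1" >&2
    fi
}
apply_site_map "$SITE_MAP"
```

With the same object names in the shared policy and a different SITE_MAP per branch, one rule change is installed everywhere while each gateway supplies its own addresses.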
Bob_Zimmerman
MVP Gold

Dynamic objects can also be used with a tool called SmartProvisioning (formerly SmartLSM; the LSM stood for Large-Scale Management). SmartLSM let you build a gateway profile which you could use in SmartDashboard with a set of dynamic objects. Within the SmartLSM tool itself, you would then define a thousand gateway objects with the values for each of the dynamic objects. It's a big deal for retailers, for example. I know a very large gas station chain had a firewall at every station managed by LSM.

SmartProvisioning changes the tool somewhat.

0 Kudos
Vincent_Bacher
MVP Silver

In my opinion, the question here is how many locations we are talking about. If it's three or four, SmartProvisioning might not necessarily be that advantageous. However, if we're talking about 10, 20 or 100, that would be a completely different situation, and I would recommend taking a look at it.

Our colleagues in Sunnyvale have what is known as dynamic mapping, which can be useful in some use cases. Unfortunately, CP does not offer this.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
DR_74
Collaborator

Yes, we have around 5-6 sites; we are not going to use tools that are used for big companies.

0 Kudos
