This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Garrett_DirSec
Advisor
‎2022-02-10 09:49 AM

need "initial policy" specifics for R81 distributed gateway (no SIC established)

Hello --

Initial Policy on model 5800 newly re-imaged with R81 (no jumbo ...yet).

SIC has NOT been established with SmartCenter.

What should we expect with initial policy after Initial Setup Wizard completed?

Immediately after run of Wizard, we can talk to gateway Mgmt IP (192.168.1.1) via both SSH and HTTPS/443.

I know that I can establish SIC at this point, so I know there are subset of secure CP services that are accepted.

At all times, I'm assuming Initial Policy allows full outbound access originated from gateway.

If we gracefully reboot this gateway, the inbound SSH and HTTPS/443 are blocked and we must execute "fw unloadlocal".

why is this true after reboot?    

why does Initial Policy "change" from period following Wizard to following reboot?  This weird.

The Administrator Guide does NOT delve into specifics on this.   Initial-Policy-R81.

I did find the discussed on following thread interesting Initial Policy after Firmware Upgrade.

thanks -GA

 

0 Kudos
1 Reply
Bob_Zimmerman
Advisor
‎2022-02-10 11:27 AM

After the first-time wizard, you should get InitialPolicy. That one allows management services.

After a reboot, you probably get defaultPolicy instead. That one drops everything. You can check this with 'fw stat' before the 'fw unloadlocal'.

Labels