papparpi
Explorer

A way for local domain policies to get checked first when global rules are also configured

My starting point was:

"Checkpoint MDS provides the option of using Global Rules and a placeholder for Domain rules."

Unfortunately, I ran into this issue that a local subnet would still get access to whatever the first half of the global policy allowed (above the local domain rules).

In other words, securing a local subnet with local domain policies can be tricky when Checkpoint global policies are assigned to domains because often a section of the global policies precedes the local rules and so, an isolated subnet will still get access to whatever the preceding global rules allow.

A possible workaround may be:
As per the documentation: "Global rules can be set above and below the placeholder."

I wonder:
If you put all your global rules below the local domain policies, can you secure a local subnet fully?

This is the documentation pertaining to this:
"When the security gateway evaluates the rules in the local policy, if there was no match for the global rules at the top of the rulebase, it starts to evaluate the rules from the domain layer. If there was still no match for those rules, the global rules that were created below the domain layer are evaluated."

My question:
What if we do NOT put global rules at the top of the rulebase?

(Would the local rules take precedence and be checked first?)

Please see attached screenshot.

PhoneBoy
Admin

You aren't required to add anything to the Global Rules. 
And yes, if you don't put anything in the global rules on the top, then your local domain rules get evaluated.

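The evaluation order quoted from the documentation (global rules above the placeholder, then the domain layer, then global rules below it) is what decides whether an isolating domain rule can ever be reached. The following is an added example, not code from the original post or from Check Point: a small first-match model of that three-layer rulebase, plus a check that lists which domain rules a global rule above the placeholder could pre-empt. Every address, service and rule name in it is constructed for illustration; the model assumes an implicit cleanup drop when nothing matches.

```python
"""First-match evaluation across the three layers of an MDS-style rulebase.

Added example (not from the original post or Check Point). Layer order follows
the documentation quoted above: global rules above the domain placeholder,
then the domain layer, then global rules below it. Addresses, services and
rule names are constructed; an implicit cleanup drop is assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: str          # e.g. "tcp/80", "udp/53" or "any"
    action: str           # "accept" or "drop"

    def matches(self, src: IPv4Address, dst: IPv4Address, service: str) -> bool:
        return (src in self.src and dst in self.dst
                and self.service in ("any", service))

    def overlaps(self, other: "Rule") -> bool:
        """True if at least one packet could match both rules (shadow detection)."""
        return (self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and ("any" in (self.service, other.service)
                     or self.service == other.service))


def rule(name, src, dst, service, action):
    return Rule(name, ip_network(src), ip_network(dst), service, action)


def build_rulebase(global_above, domain_rules, global_below):
    """Concatenate the layers in the order the gateway evaluates them."""
    return list(global_above) + list(domain_rules) + list(global_below)


def evaluate(rulebase, src, dst, service):
    """First matching rule wins; nothing matched means the implicit cleanup drop."""
    s, d = ip_address(src), ip_address(dst)
    for r in rulebase:
        if r.matches(s, d, service):
            return r.action, r.name
    return "drop", "implicit-cleanup"


def shadowed_domain_rules(global_above, domain_rules):
    """(domain rule, global rule) pairs where a global rule above the placeholder
    can match traffic the domain rule was meant to handle."""
    return [(d.name, g.name) for d in domain_rules for g in global_above
            if d.overlaps(g)]


# Constructed scenario: the domain wants 10.50.0.0/24 fully isolated.
ISOLATED = "10.50.0.0/24"
DOMAIN_RULES = [
    rule("isolate-subnet", ISOLATED, "0.0.0.0/0", "any", "drop"),
    rule("domain-web", "10.0.0.0/8", "0.0.0.0/0", "tcp/443", "accept"),
]
GLOBAL_RULES = [
    rule("corp-dns", "10.0.0.0/8", "10.1.1.53/32", "udp/53", "accept"),
    rule("corp-web", "10.0.0.0/8", "0.0.0.0/0", "tcp/80", "accept"),
]


def globals_above():
    """All global rules placed above the domain placeholder."""
    return build_rulebase(GLOBAL_RULES, DOMAIN_RULES, [])


def globals_below():
    """All global rules placed below the domain placeholder."""
    return build_rulebase([], DOMAIN_RULES, GLOBAL_RULES)


if __name__ == "__main__":
    pkt = ("10.50.0.10", "10.1.1.53", "udp/53")   # isolated host -> corporate DNS
    print("globals above placeholder:", evaluate(globals_above(), *pkt))
    print("globals below placeholder:", evaluate(globals_below(), *pkt))
    print("domain rules shadowed by global-above rules:",
          shadowed_domain_rules(GLOBAL_RULES, DOMAIN_RULES))
```

With the global rules above the placeholder, the isolated host's DNS query is accepted by `corp-dns` before `isolate-subnet` is ever consulted; with the same global rules below the placeholder, the domain drop matches first while other domain hosts still fall through to the global accepts. Running `shadowed_domain_rules` against a proposed global-above layer is the check to do before assigning a global policy to a domain that carries isolation rules.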
