Re: Force "Install on"

Ole_Jakobsen · ‎2019-01-03

Hi,

Is it possible to force users to choose an install target in the "Install on" collum in the policy?

The purpos is to avoid that the user chooses "Policy targets"

TIA

Best regards

Ole Jakobsen

Danny · ‎2019-01-03

I second that request.

_Val_ · ‎2019-01-03

And I wonder why people want to use "install on" in the rulebase while it is much easier to stick to policy targets per package 🙂

It is a matter of opinion and practices, IMHO.

To answer the original question, with current versions, it is not possible to do

Joshua_Hatter · ‎2019-01-03

Maybe they have policy targets set, but only want a rule to be enforced on 1 of the handful of targets.

_Val_ · ‎2019-01-03

I understand that people are using it. I disagree with that being a good practice.

Joshua_Hatter · ‎2019-01-03

I think its great practice to be specific over being vague in the rule base.

To say otherwise doesn't seem logical to be honest.

As I said, both should be completed. Policy Targets per package to limit the policy, and Install-On field to limit rules within the defined targets where necessary.

_Val_ · ‎2019-01-04

Agree to disagree 🙂

Tomer_Sole · ‎2019-01-04

I would make the shared rules a shared inline layer across the multiple policies. Gateways have very specific nets and users behind them, so for the most part you would want to make very specific rules for their sources. Smaller rule sets = easier maintenance.

Check Point Compliance Blade lets you specify a Custom Best Practice where Install On cannot be Policy Targets.

Maarten_Sjouw · ‎2019-01-04

Why not the other way around, we have a customer with a lot of remote sites, they use a part the same rulebase and then we have a part that is specific for each location, you can create an inline layer per site (gateway) with the install on already forced on the main layer rule. That should fix that layer to the specific gateway as well.

Only problem at this moment is that 1400's do not support inline layers as they are still on R77.20.x

Regards, Maarten

PhoneBoy · ‎2019-01-03

I agree, the "Best Practice" here is to configure the Installation Targets in the policy to be a specific gateway only.

I run several policies in my lab and each Package is tied to a specific gateway:

When you install that policy, it will only install on the selected gateway:

I see a couple issues:

What if I choose an "Install-On" target that is not one of the Installation Targets? I presume (though I haven't tested) that the rule will simply be ignored on other gateways.
What if I want to lock a specific "Install-On" target for a specific rule even when using Installation Targets? This is what I think Joshua Hatter‌ is referring to above. It's an interesting use case, but one we don't support today.

Ole_Jakobsen · ‎2019-01-11

Thank you all for replying.

The reason for the question is in a matter of simplification of the policy. When many policy packages is involved in a single connection across many gateways it would, in this case, be easyer to have a single policy and use "Install on".

But as I can see, it all depends on the likes of the admin and local policies

Are you a member of CheckMates?

Force "Install on"