Force "Install on"
Hi,
Is it possible to force users to choose an install target in the "Install on" column in the policy?
The purpose is to prevent the user from choosing "Policy targets".
TIA
Best regards
Ole Jakobsen
Labels: SmartConsole
And I wonder why people want to use "install on" in the rulebase while it is much easier to stick to policy targets per package 🙂
It is a matter of opinion and practices, IMHO.
To answer the original question, with current versions, it is not possible to do
Maybe they have policy targets set, but only want a rule to be enforced on 1 of the handful of targets.
I understand that people are using it. I disagree with that being a good practice.
I think it's great practice to be specific over being vague in the rule base.
To say otherwise doesn't seem logical to be honest.
As I said, both should be completed. Policy Targets per package to limit the policy, and Install-On field to limit rules within the defined targets where necessary.
Agree to disagree 🙂
I would make the shared rules a shared inline layer across the multiple policies. Gateways have very specific nets and users behind them, so for the most part you would want to make very specific rules for their sources. Smaller rule sets = easier maintenance.
Check Point Compliance Blade lets you specify a Custom Best Practice where Install On cannot be Policy Targets.
Why not the other way around? We have a customer with a lot of remote sites; they partly use the same rulebase, and then we have a part that is specific for each location. You can create an inline layer per site (gateway) with the install on already forced on the main layer rule. That should fix that layer to the specific gateway as well.
The only problem at this moment is that 1400s do not support inline layers, as they are still on R77.20.x.
I agree, the "Best Practice" here is to configure the Installation Targets in the policy to be a specific gateway only.
I run several policies in my lab and each Package is tied to a specific gateway:
When you install that policy, it will only install on the selected gateway:
I see a couple issues:
- What if I choose an "Install-On" target that is not one of the Installation Targets? I presume (though I haven't tested) that the rule will simply be ignored on other gateways.
- What if I want to lock a specific "Install-On" target for a specific rule even when using Installation Targets? This is what I think Joshua Hatter is referring to above. It's an interesting use case, but one we don't support today.
Thank you all for replying.
The reason for the question is a matter of simplification of the policy. When many policy packages are involved in a single connection across many gateways, it would, in this case, be easier to have a single policy and use "Install on".
But as I can see, it all depends on the likes of the admin and local policies.
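
Since the replies conclude that SmartConsole cannot force a choice in "Install on", a detective check over an exported rulebase is the fallback. The following is an added example, not part of the original thread and not Check Point code: it flags rules whose Install On is still "Policy Targets". The sample data, the function names and the JSON layout (modelled on a Management API `show-access-rulebase` reply) are constructed assumptions.

```python
import json

# Constructed sample; the field layout is an assumption modelled on a
# `show-access-rulebase` reply (rules reference objects by uid or inline).
SAMPLE = json.loads("""
{
  "objects-dictionary": [
    {"uid": "uid-targets", "name": "Policy Targets", "type": "Global"},
    {"uid": "uid-gw-a", "name": "gw-site-a", "type": "simple-gateway"},
    {"uid": "uid-gw-b", "name": "gw-site-b", "type": "simple-gateway"}
  ],
  "rulebase": [
    {"type": "access-section", "name": "Shared", "rulebase": [
      {"type": "access-rule", "rule-number": 1, "name": "DNS out",
       "install-on": ["uid-targets"]}
    ]},
    {"type": "access-rule", "rule-number": 2, "name": "Site A web",
     "install-on": ["uid-gw-a"]},
    {"type": "access-rule", "rule-number": 3, "name": "Site B mgmt",
     "install-on": [{"uid": "uid-targets", "name": "Policy Targets"}]},
    {"type": "access-rule", "rule-number": 4, "name": "Cleanup",
     "install-on": ["uid-gw-a", "uid-gw-b"]}
  ]
}
""")

def iter_rules(entries):
    """Yield access rules, descending into section titles."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry

def rules_on_policy_targets(reply):
    """Return (rule-number, name) for rules still installed on Policy Targets."""
    names = {o["uid"]: o["name"] for o in reply.get("objects-dictionary", [])}
    flagged = []
    for rule in iter_rules(reply.get("rulebase", [])):
        # Resolve each target to a name, whether given as a uid or an object.
        targets = [t["name"] if isinstance(t, dict) else names.get(t, t)
                   for t in rule.get("install-on", [])]
        if "Policy Targets" in targets:
            flagged.append((rule["rule-number"], rule["name"]))
    return flagged

if __name__ == "__main__":
    for number, name in rules_on_policy_targets(SAMPLE):
        print(f"rule {number} ({name}): Install On is still Policy Targets")
```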
