This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ole_Jakobsen
Contributor
‎2019-01-03 07:35 AM

Force "Install on"

Hi,

Is it possible to force users to choose an install target in the "Install on" collum in the policy?

The purpos is to avoid that the user chooses "Policy targets"

TIA

Best regards

Ole Jakobsen

Labels
10 Replies
Danny
Champion Champion
Champion
‎2019-01-03 08:22 AM

I second that request.


0 Kudos
_Val_
Admin
Admin
‎2019-01-03 08:31 AM
In response to Danny

And I wonder why people want to use "install on" in the rulebase while it is much easier to stick to policy targets per package 🙂


It is a matter of opinion and practices, IMHO. 

To answer the original question, with current versions, it is not possible to do

Joshua_Hatter
Employee
Employee
‎2019-01-03 09:51 AM
In response to _Val_

Maybe they have policy targets set, but only want a rule to be enforced on 1 of the handful of targets.

0 Kudos
_Val_
Admin
Admin
‎2019-01-03 11:53 AM
In response to Joshua_Hatter

I understand that people are using it. I disagree with that being a good practice.

Joshua_Hatter
Employee
Employee
‎2019-01-03 12:10 PM
In response to _Val_

I think its great practice to be specific over being vague in the rule base.

To say otherwise doesn't seem logical to be honest.

As I said, both should be completed. Policy Targets per package to limit the policy, and Install-On field to limit rules within the defined targets where necessary.

_Val_
Admin
Admin
‎2019-01-04 01:55 AM
In response to Joshua_Hatter

Agree to disagree 🙂

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2019-01-04 02:40 AM
In response to Joshua_Hatter

I would make the shared rules a shared inline layer across the multiple policies. Gateways have very specific nets and users behind them, so for the most part you would want to make very specific rules for their sources. Smaller rule sets = easier maintenance.

Check Point Compliance Blade lets you specify a Custom Best Practice where Install On cannot be Policy Targets.

Maarten_Sjouw
Champion
Champion
‎2019-01-04 04:50 AM
In response to Tomer_Sole

Why not the other way around, we have a customer with a lot of remote sites, they use a part the same rulebase and then we have a part that is specific for each location, you can create an inline layer per site (gateway) with the install on already forced on the main layer rule. That should fix that layer to the specific gateway as well.

Only problem at this moment is that 1400's do not support inline layers as they are still on R77.20.x 

Regards, Maarten
PhoneBoy
Admin
Admin
‎2019-01-03 10:01 AM

I agree, the "Best Practice" here is to configure the Installation Targets in the policy to be a specific gateway only.

I run several policies in my lab and each Package is tied to a specific gateway:

When you install that policy, it will only install on the selected gateway:

I see a couple issues:

  • What if I choose an "Install-On" target that is not one of the Installation Targets? I presume (though I haven't tested) that the rule will simply be ignored on other gateways.
  • What if I want to lock a specific "Install-On" target for a specific rule even when using Installation Targets? This is what I think Joshua Hatter‌ is referring to above. It's an interesting use case, but one we don't support today.
Ole_Jakobsen
Contributor
‎2019-01-11 01:19 AM

Thank you all for replying.

The reason for the question is in a matter of simplification of the policy. When many policy packages is involved in a single connection across many gateways it would, in this case, be easyer to have a single policy and use "Install on".

But as I can see, it all depends on the likes of the admin and local policies Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events