This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
E_Lastname
Participant
‎2017-10-18 09:01 PM

Global Policy Assignment Question for Multiple CMAs

Hello Everyone,

I noticed at work that we might not be following best practices for global rules hence the reason for this post. We have multiple CMAs for different regions. One for example is Europe and the other Asia. I noticed that the there are global rules setup for common domain controllers however the sources are defined as all global Europe and Asia networks going to a global DC group . Although everything works, this does not seem right to me. The firewall from Europe will check every packet arriving and waste resources trying to match the traffic to networks that do not exist behind it.  Let's say that a packet arrives destine for LDAP, the firewall will still look up all the sources [both Europe/Asia] to attempt a match when it really just needs to look up Europe networks.

Hope this makes sense so far.

The other one that I noticed is that we have two almost identical global rules. One has Asia networks as source and a mix of both Asia/Europe destination hosts. The other is the exact same but using Europe as the source. If rules are processed in order, this means that my Europe CMA firewalls will process the traffic against the first global rule which it will never match and then check it against the rule that is destine for its networks. This again is wasting resources.

My thoughts here and what I am thinking of suggesting is the following. Instead of sharing a single common global policy, only use the global groups. Separate the sites and use global groups within the CMAs where common hosts exists for both regions and not a shared rule in a global policy if part of the sources or destinations will never be matched. This to me seems like a better approach.

Sorry for the long post. Please let me know if more clarifications need to be provided.

0 Kudos
1 Reply
Maarten_Sjouw
Champion
Champion
‎2017-11-27 11:35 AM

There is another way to do what you what you want. Create what is called some Dymanic global objects, groups in this case, that you can use in the global policy, where instead of creating 2 rules, which have the same function only different source and destination, you create 1 rule with the newly created global dynamic objects in them as source and destination. Naming forGlobal dynamic objects is ending in _global ie Regional_AD_servers_global

In the CMA itself you create a standard simple group with the exact same name as the dynamic object you created in the global rulebase. In the CMA you add the AD servers for that region into that group, it can be global objects or CMA local objects.

this way you can easily create a global rule that is more general than you would expect. We use this to allow access to specific devices or networks that need to be added into the global groups. 

In the global rules we have our management access control towards the FW's themselves, the SSH and GUI access is controlled to be allowed only from specific hosts and the destinations are set by the GBL.Gateways_global group where we add the FW's. I hope this helps and gives you a better idea how to control things in a more elegant way.

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events