How to merge policies after upgrade from R77.30 to R80.10
Hi Folks,
I just migrated my Gaia Mgmt server from R77.30 to R80.10; this installation is a cluster with a separate Mgmt server. Everything went successfully; however, my concern is how do I start using the single policy feature of R80.10, as on R80.10 after migration I see both the layers separate, i.e. Application and Network.
Would it be possible to merge the existing policies with the network layer so that going forward I can use App/URL categorization in the same policy?
Blason R
CCSA,CCSE,CCCS
You can't use the unified policy until your gateways are upgraded to R80.10 or above.
Also, there are quite a number of ways these policies could be unified.
Unification of the policy is left as a manual exercise.
That said, my first attempt at doing this in my lab went something like the following:
- My App Control policy generally applies to Internet bound traffic
- There was a rule in my firewall policy that permitted outbound access
- I changed the action to an inline layer:
- The inline layer basically contained my "Application" layer from R77.30 (I'd copy/paste the rules versus reuse the same layer, though).
It evolved a bit from here.
One thing also to note: the Implicit Cleanup rule on R77.x App Control policies is an ACCEPT (not a drop) whereas the default is generally a drop.
You can set this on a per-layer basis for layers you install to R80.10 gateways.
As this has implications for constructing your policy, you may need to refactor your existing policy a little bit.
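
The effect of the implicit cleanup action described in the reply above can be seen in a small model. This is an added example, not code from the thread or from Check Point; it is a simplified first-match model, and the layer structure, function names and sample rules are assumptions made for illustration.

```python
# Added illustration: simplified model of first-match layer evaluation.
# All names and the sample rules are hypothetical, not Check Point code.
from dataclasses import dataclass

@dataclass
class Layer:
    rules: list                     # (match dict, action, inline Layer or None)
    implicit_cleanup: str = "drop"  # verdict when no rule in the layer matches

def eval_layer(layer, conn):
    """First matching rule wins; an inline layer decides for its parent rule."""
    for match, action, inline in layer.rules:
        if all(conn.get(k) == v for k, v in match.items()):
            return eval_layer(inline, conn) if action == "inline" else action
    return layer.implicit_cleanup

def eval_ordered(layers, conn):
    """Ordered layers (R77.30 style): every layer in sequence must accept."""
    for layer in layers:
        if eval_layer(layer, conn) == "drop":
            return "drop"
    return "accept"

# Constructed sample policy: one outbound rule plus one application block rule.
APP_RULES = [({"app": "BitTorrent"}, "drop", None)]
OUTBOUND = {"dst": "internet"}

def migrated_ordered(conn):
    network = Layer([(OUTBOUND, "accept", None)], "drop")
    application = Layer(APP_RULES, "accept")  # R77.x App Control implicit accept
    return eval_ordered([network, application], conn)

def unified(conn, inline_cleanup):
    inline = Layer(list(APP_RULES), inline_cleanup)
    return eval_layer(Layer([(OUTBOUND, "inline", inline)], "drop"), conn)

if __name__ == "__main__":
    for app in ("BitTorrent", "SomeWebApp"):
        conn = {"dst": "internet", "app": app}
        print(app, migrated_ordered(conn),
              unified(conn, "drop"), unified(conn, "accept"))
```

In this model, an application that matches no rule is accepted by the migrated ordered policy but dropped once the same rules sit in an inline layer whose implicit cleanup is drop; setting that layer's cleanup to accept, or adding an explicit final rule, restores the earlier behaviour.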
When you change the layer in the Application policy to a shared layer, you can assign the existing Application policy as an inline layer in the access policy. After that you can delete the Application policy.
I have one customer where we have a policy for their Datacenter where the gateway is R80.10. In this policy we use inline layers, but the Internet access policy is a shared policy. This same policy is also used for the off-net sites where we run a number of Embedded R77.20.x gateways, and this is an ordered policy. Now any change done in the inline layer will result in the change being applied to all company internet access.
OK - so, I need to create a new Inline layer first.
Then copy and paste the rules from my earlier layer?
Blason R
CCSA,CCSE,CCCS
Nope, you go to the properties of the Application layer (Right-click - Edit layer), then you look for the Sharing option and tick the box.
Now you click OK twice and you go back to the policy where you want to apply this policy and select the Inline Layer in the Action column and you see Application there. This is the same policy as you have in the application policy.
If it does not show, you need to delete the Application layer; once the policy is set to Shared it will not delete the policy.
Remember you can still discard your changes and restore the previous setup.
