Thomas_Eichelbu
Advisor

Is it possible to install a Policy without sending it to the Gateways???

Hello Check Point Guys.

Based on this thread:
https://community.checkpoint.com/t5/Management/Policy-Installation-Stages/td-p/23105

Is it possible to conduct a Policy Install without sending the policy to all install targets?
Maybe an odd question.
I have installations with over 100 gateways all over the world. Installing a policy on ALL gateways is a huge time effort.
I know that with R81 simultaneous policy installation will come ...

But my thinking is ..
compile a policy for all gateways and only copy the policy to its state directory,
then make a policy fetch from all GWs simultaneously via CLI / script ...

Could this speed up the overall policy install?

Best regards
Thomas

16 Replies
G_W_Albrecht
Legend

Look into sk101226: Policy installation flow process first! I would install policy on the GW in front of the SMS, and have the other 99 GWs pull it from SMS during hours of low traffic.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
_Val_
Admin

That won't work. It is very likely that the same policy compiled for different GWs will be different.

G_W_Albrecht
Legend

You are correct. Policies for GWs without a new policy install on the SMS are still the old compiled version, identical to the local GW policy, so no pull will occur. Just tested that to be sure 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
_Val_
Admin

With more than 100 GWs, why not use LSM profiles?

Thomas_Eichelbu
Advisor

Aha, LSM profiles ... I have never worked with them so far ...
I will take a look at that ...

I was thinking there is a way to compile a policy for all gateways, but not to send the data to the remote gateways and instead let them fetch the policy manually.

I will take a look at those LSM profiles!
Thank you.

_Val_
Admin

If you are installing the same package to 100 GWs, LSM is the best way. The policy file is not pushed to the GWs; it resides on MGMT, and the GW then fetches it automatically.

Very close to what you are trying to achieve, but by supported means.

Thomas_Eichelbu
Advisor

Aha, with "SmartProvisioning" ... this will need an extra licence, right?

Mark_Gurevich
Contributor

Hope I am getting your question right, but why not just simply check the relevant GW checkboxes in order to avoid pushing to all?

Thomas_Eichelbu
Advisor

Hi,
well, as always in the Check Point world, it depends!
Sometimes of course I choose only a few policy targets and push a policy to only a small number of gateways.
But sometimes I have to push a policy because of globally relevant policies/settings to ALL gateways on my management.
Selecting 100+ gateways and pressing "install" is not the thing I am concerned about ... but waiting until all 100+ gateways are finished is a nightmare.
So I am thinking of ways to mitigate that.

So compiling a policy ... and doing some magic stuff to let the gateways fetch this new policy package by themselves would be great!
The question now is whether this would really speed up the process.
A procedure like on SMB GWs with a scheduled policy fetch is better than nothing, but not what I want.

Of course, all other ways to speed up policy install would be great too! Perhaps R81 will help.
But 2h waiting for 100+ GWs is not funny!

Best regards
Thomas

Mark_Gurevich
Contributor

I see. Have you considered "Install policy presets"? So the policy can be pushed at night.

the_rock
Legend

Policy presets? Never heard of that ... where do you set that up?

Mark_Gurevich
Contributor

Well, you have it in the MDM context.

Thomas_Eichelbu
Advisor

Well no, I would consider this a workaround and not a solution.
When I have to install a policy, I have to install it now. When the policy is installed later on, it could cause issues with other changes my colleagues might have done earlier ... hiding and all that funny stuff.
But anyhow, these Policy Presets are a good feature!
But not all customers are lucky enough to have an MDM at hand!

Vincent_Bacher
Advisor

Maybe you could do some coding using the management API and, for instance, Python or bash scripts.

"mgmt_cli install-policy ...."

Here you can use "prepare-only", and when all are prepared, the gateways should be able to fetch the prepared policies.

Did not test that, just an idea to be verified.

Cheers

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Vladimir
Champion

Hmm... Take a look at this and see if you can get something working out of it:

[Image: CP_Group_Installation Target.png]

The idea is to clone your working policy, create an empty group, and designate it as the installation target.

Then populate it with some number of GWs using the API, publish, install, rinse and repeat.

Cheers,

Vladimir
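The batch-by-group idea above, combined with Vincent's "prepare-only" suggestion, as an added example (not Check Point's code and not any poster's): it plans the Management API calls for a rollout that re-points one installation-target group at each batch of gateways, publishes, and installs (or only prepares) the package on that group. It assumes the R80.x+ web API commands set-group (a `members` list replaces the group's membership), publish and install-policy with its documented `targets` and `prepare-only` fields; the gateway, group and package names are constructed placeholders.

```python
"""Plan and run a batched policy installation via the Check Point Management API."""
import json
import ssl
import urllib.request


def batches(items, size):
    """Split a list of gateway names into consecutive chunks of at most `size`."""
    if size < 1:
        raise ValueError("batch size must be >= 1")
    return [items[i:i + size] for i in range(0, len(items), size)]


def plan_batch_install(package, group, gateways, size, prepare_only=False):
    """Return the ordered (api_command, body) calls for one rollout.

    Per batch: point the installation-target group at that batch, publish the
    change, then install (or only prepare) the package on the group alone.
    Each install-policy call returns a task; poll show-task before the next batch.
    """
    calls = []
    for batch in batches(gateways, size):
        calls.append(("set-group", {"name": group, "members": batch}))
        calls.append(("publish", {}))
        body = {"policy-package": package, "targets": [group]}
        if prepare_only:
            body["prepare-only"] = True  # compile and stage only; no push to the GWs
        calls.append(("install-policy", body))
    return calls


def run_plan(mgmt_host, sid, calls):
    """POST each planned call to https://<mgmt>/web_api/<command> with a session id.

    `sid` comes from a prior login call. The MGMT certificate must be trusted
    by the local CA store; TLS verification is deliberately left enabled.
    """
    ctx = ssl.create_default_context()
    results = []
    for command, body in calls:
        req = urllib.request.Request(
            f"https://{mgmt_host}/web_api/{command}",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid},
            method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    # Constructed sample: 5 gateways, batches of 2, prepare-only rollout.
    gws = [f"gw-{n}" for n in range(1, 6)]
    for cmd, body in plan_batch_install("Standard", "rollout-batch", gws, 2, True):
        print(cmd, json.dumps(body))
```

Running a plan changes membership of the target group in the management database, so use a dedicated group that no production rule references.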
