Is it possible to install a Policy without sending it to the Gateways???

Hello Check Point guys,
Based on this thread:
https://community.checkpoint.com/t5/Management/Policy-Installation-Stages/td-p/23105
is it possible to conduct a policy install but not send the policy to all install targets?
Maybe an odd question.
I have installations with over 100 gateways all over the world. Installing a policy on ALL gateways is a huge time effort.
I know with R81 a simultaneous policy installation will come ...
But my thinking is ...
compile a policy for all gateways and only copy the policy to its state directory,
then make a policy fetch from all GWs simultaneously via CLI / script ...
Could this speed up the overall policy install?
Best regards
Thomas

Look into sk101226: Policy installation flow process first! I would install the policy on the GW in front of the SMS, and have the other 99 GWs pull it from the SMS during hours of low traffic.

That won't work. It is very likely the same policy compiled for different GWs will be different.

You are correct. Policies for GWs without a new policy install on the SMS are still the old compiled version, identical to the local GW policy, so no pull will occur. Just tested that to be sure 😎

With more than 100 GWs, why not use LSM profiles?

Aha, LSM profiles ... I never worked with them so far ...
I will take a look at that ...
I was thinking there is a way to compile a policy for all gateways, but not send the data to the remote gateways and instead let them fetch the policy manually.
I will take a look at those LSM profiles!
Thank you.

If you are installing the same package to 100 GWs, LSM is the best way. The policy file is not pushed to the GWs but resides on the MGMT, and the GW fetches it automatically.
Very close to what you are trying to achieve, but by supported means.

Aha, with "SmartProvisioning" ... this will need an extra licence, right?

Yes.

Hope I am getting your question right, but why not just check the relevant GW checkboxes in order to avoid pushing to all?

Hi,
well, as always in the Check Point world, it depends!
Sometimes of course I choose only a few policy targets and push a policy to only a small number of gateways.
But sometimes I have to push a policy to ALL gateways on my management because of globally relevant policies/settings.
Selecting 100+ gateways and pressing "install" is not the thing I am concerned about ... but waiting until all 100+ gateways are finished is a nightmare.
So I am thinking of ways to mitigate that.
So compiling a policy ... and doing some magic stuff to let the gateways fetch this new policy package by themselves would be great!
Now the question is whether this would really speed up the process.
A procedure like on SMB GWs with a scheduled policy fetch is better than nothing, but not what I want.
Of course, all other ways to speed up policy install would be great too! Perhaps R81 will help.
But 2h waiting for 100+ GWs is not funny!
Best regards
Thomas

I see. Have you considered "Install policy presets"? So the policy can be pushed at night.

Policy presets? Never heard of that... where do you set that up?

Well, you have it in the MDM context.

Well no, I would consider this a workaround and not a solution.
When I have to install a policy, I have to install it now. When the policy is installed later on, it could cause issues with other changes my colleagues might have made earlier ... hiding and all that funny stuff.
But anyhow, these Policy Presets are a good feature!
But not all customers are lucky enough to have an MDM at hand!

Maybe you could do some coding using the management API and, for instance, Python or bash scripts.
"mgmt_cli install-policy ...."
Here you can use "prepare-only", and when all are prepared, the gateways should be able to fetch the prepared policies.
Did not test that, just an idea to be verified.
Cheers

Hmm... Take a look at this and see if you can get something working out of it:
The idea is to clone your working policy, create an empty group, and designate it as a target for installation.
Then populate it with some number of GWs using the API, publish, install, rinse and repeat.
Cheers,
Vladimir
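The two scripting suggestions above (a mgmt_cli install-policy loop with "prepare-only", and installing to a subset of gateways at a time) as one added example. This is not code from the thread or from Check Point; it assumes a package named "Standard", constructed gateway names, a batch size of 10, and that `mgmt_cli login -r true` is permitted on the Management server.

```shell
# Added example, not from the thread: batch a large policy install with mgmt_cli
# on the Management server, optionally as prepare-only first. Assumptions (not on
# the page): package name, gateway names, batch size, and that 'login -r true' works.
set -eu
POLICY="${POLICY:-Standard}"     # assumed policy package name
BATCH_SIZE="${BATCH_SIZE:-10}"   # gateways per install-policy call
DRY_RUN="${DRY_RUN:-1}"          # 1 = only print the commands, 0 = run them
# Constructed sample gateway object names; replace with the real ones.
GATEWAYS="gw-berlin gw-paris gw-tokyo gw-nyc gw-sydney gw-madrid gw-oslo gw-rome gw-lima gw-cairo gw-delhi gw-seoul"
# Render a name list in mgmt_cli list syntax: targets.1 "gw-a" targets.2 "gw-b" ...
targets_args() {
    i=0; out=""
    for gw in $1; do
        i=$((i + 1)); out="$out${out:+ }targets.$i \"$gw\""
    done
    printf '%s' "$out"
}
# Split a name list into lines of at most $2 names each.
batches() {
    n=0; chunk=""
    for gw in $1; do
        chunk="$chunk${chunk:+ }$gw"; n=$((n + 1))
        if [ "$n" -eq "$2" ]; then echo "$chunk"; chunk=""; n=0; fi
    done
    [ -n "$chunk" ] && echo "$chunk"
    return 0
}
# One install-policy command for a batch; $2 = "true" adds prepare-only, which
# compiles and stages the policy on the management server without pushing it.
install_cmd() {
    prep=""
    [ "${2:-false}" = "true" ] && prep=" prepare-only true"
    printf 'mgmt_cli install-policy policy-package "%s" %s%s\n' \
        "$POLICY" "$(targets_args "$1")" "$prep"
}
# Log in once, run every batch in that session, log out. $1 = prepare-only flag.
run_batches() {
    if [ "$DRY_RUN" = "1" ]; then
        batches "$GATEWAYS" "$BATCH_SIZE" | while read -r b; do install_cmd "$b" "${1:-false}"; done
        return 0
    fi
    SID_FILE=$(mktemp)
    mgmt_cli login -r true > "$SID_FILE"
    batches "$GATEWAYS" "$BATCH_SIZE" | while read -r b; do
        eval "$(install_cmd "$b" "${1:-false}") -s \"$SID_FILE\""  # mgmt_cli waits per task
    done
    mgmt_cli logout -s "$SID_FILE"; rm -f "$SID_FILE"
}
run_batches "${PREPARE_ONLY:-false}"
```

Whether gateways can then fetch a package that was only prepared and never pushed is exactly the point the poster above left untested; the prepare-only path here only stages the policy on the management server, and `DRY_RUN=0 PREPARE_ONLY=false` does a normal batched push.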