Thomas_Eichelbu
Collaborator

Is it possible to install a policy without sending it to the gateways?

Hello Check Point Guys.

Based on this thread:
https://community.checkpoint.com/t5/Management/Policy-Installation-Stages/td-p/23105

Is it possible to conduct a policy install without sending the policy to all install targets?
Maybe an odd question.
I have installations with over 100 gateways all over the world. Installing a policy on ALL gateways is a huge time effort.
I know that with R81 a simultaneous policy installation will come ...

But my thinking is:
compile a policy for all gateways and only copy the policy to its state directory,
then make a policy fetch from all GWs simultaneously via CLI / script ...

Could this speed up the overall policy install?

best regards
Thomas

16 Replies
G_W_Albrecht
Legend

Look into sk101226: Policy installation flow process first! I would install policy on the GW in front of the SMS, and have the other 99 GWs pull it from the SMS during hours of low traffic.

_Val_
Admin

That won't work. It is very likely the same policy compiled for different GWs will be different.

G_W_Albrecht
Legend

You are correct. Policies for GWs without a new policy install on the SMS are still the compiled old version, and identical to the local GW policy, so no pull will occur. Just tested that to be sure 😎

_Val_
Admin

With more than 100 GWs, why not use LSM profiles?

Thomas_Eichelbu
Collaborator

Aha, LSM profiles ... I never worked with them so far ...
I will take a look at that ...

I was thinking there is a way to compile a policy for all gateways, but not send the data to the remote gateways and instead let them fetch the policy manually.

I will take a look at those LSM profiles!
Thank you.

_Val_
Admin

If you are installing the same package to 100 GWs, LSM is the best way. The policy file is not pushed to the GWs but resides on MGMT, and then the GW fetches it automatically.

Very close to what you are trying to achieve, but by supported means.

Thomas_Eichelbu
Collaborator

Aha, with "SmartProvisioning" ... this will need an extra licence, right?

_Val_
Admin

Yes.

Mark_Gurevich
Contributor

Hope I am getting your question right, but why not simply check the relevant GW checkboxes in order to avoid pushing to all?

Thomas_Eichelbu
Collaborator

Hi,
well, as always in the Check Point world, it depends!
Sometimes, of course, I choose only a few policy targets and push a policy to only a small number of gateways.
But sometimes I have to push a policy because of globally relevant policies/settings to ALL gateways on my management.
Selecting 100+ gateways and pressing "install" is not the thing I am concerned about ... but waiting until all 100+ gateways are finished is a nightmare.
So I am thinking of ways to mitigate that.

So compiling a policy ... and doing some magic to let the gateways fetch this new policy package by themselves would be great!
It is now the question whether this would really speed up the process.
A procedure like on SMB GWs with a scheduled policy fetch is better than nothing, but not what I want.

Of course, all other ways to speed up policy install would be great too! Perhaps R81 will help.
But 2h waiting for 100+ GWs is not funny!


best regards
Thomas

Mark_Gurevich
Contributor

I see. Have you considered "Install policy presets"? So the policy can be pushed at night.

the_rock
Leader

Policy presets? Never heard of that ... where do you set that up?

Mark_Gurevich
Contributor

Well, you have it in the MDM context.

Thomas_Eichelbu
Collaborator

Well no, I would consider this a workaround and not a solution.
When I have to install a policy, I have to install it now. When the policy is installed later on, it could cause issues with other changes my colleagues might have done earlier ... hiding and all that funny stuff.
But anyhow, these Policy Presets are a good feature!
But not all customers are lucky enough to have an MDM at hand!
Vincent_Bacher
Advisor

Maybe you could do some coding using the management API and, for instance, Python or bash scripts.

"mgmt_cli install-policy ...."

Here you can use "prepare-only", and when all are prepared, the gateways should be able to fetch the prepared policies.

Did not test that, just an idea to be verified.

Cheers

and now to something completely different
Vladimir
Champion

Hmm... Take a look at this and see if you can get something working out of it:

[Image: CP_Group_Installation Target.png]

The idea is to clone your working policy, create an empty group, and designate it as a target for installation.

Then populate it with some number of GWs using the API, publish, install, rinse and repeat.

Cheers,

Vladimir

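The "some gateways at a time, rinse and repeat" loop from the last two replies, written out as an added example against the Management API (this is not code from the thread or from Check Point). It passes each batch as explicit install-policy targets rather than rotating a target group, waits on the asynchronous task with show-task, and stops on the first batch that does not succeed so a bad package does not reach the remaining sites; the api callable, the gateway names and the package name are assumptions.

```python
import time


def chunks(items, size):
    """Split the gateway list into install batches of at most `size`."""
    if size < 1:
        raise ValueError("batch size must be >= 1")
    return [items[i:i + size] for i in range(0, len(items), size)]


def wait_for_task(api, task_id, poll_seconds=5):
    """Poll show-task until the install task stops reporting 'in progress'
    and return its final status ('succeeded', 'failed', ...)."""
    while True:
        task = api("show-task", {"task-id": task_id})["tasks"][0]
        if task["status"] != "in progress":
            return task["status"]
        time.sleep(poll_seconds)


def rolling_install(api, policy_package, gateways, batch_size,
                    poll_seconds=5, stop_on_failure=True):
    """Install `policy_package` on `gateways` one batch at a time.

    `api(command, payload)` performs one Management API call (an HTTPS POST
    to /web_api/<command> with the X-chkp-sid session header) and returns
    the decoded JSON; it is injected so this flow can be exercised offline.
    Returns one dict per batch with the batch's targets and final status.
    """
    results = []
    for batch in chunks(gateways, batch_size):
        reply = api("install-policy", {"policy-package": policy_package,
                                       "targets": batch})
        status = wait_for_task(api, reply["task-id"], poll_seconds)
        results.append({"targets": batch, "status": status})
        if stop_on_failure and status != "succeeded":
            break   # do not push a package that already failed elsewhere
    return results


if __name__ == "__main__":
    # Constructed offline stand-in for the API so the script runs as-is.
    def fake_api(command, payload):
        if command == "install-policy":
            return {"task-id": "task-" + payload["targets"][0]}
        return {"tasks": [{"status": "succeeded"}]}

    gws = [f"gw-site-{n:03d}" for n in range(1, 11)]   # constructed names
    for r in rolling_install(fake_api, "Standard-clone", gws, 4, 0):
        print(r["status"], r["targets"])
```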