This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Morten__
Participant
‎2018-12-12 05:55 AM

MDM and global policies with security zones

I have a MDM with 5 domains and a global domain.

I would like to use a single global policy in the global domain for all the MDM-server domains.
I would also like to use security zones in the policy - this requires that the security rules are only installed on the Firewall's where the referenced security zones are defined. Otherwise a install error will occur.
I have created the security zones in the global domain and attached these to the relevant Firewall interfaces (in the different domains).
I have created installOn_xyz_global dynamic network objects in the global domain and used these on the InstallOn column for the rules.
I have created installOn_xyz_global groups in the domains - representing the installOn groups for the different rules.
But if a firewall rule is to be installed on Firewall "abc" which is configured in domain 2 then the installOn_abc_global in domain 1 is empty (because the Firewall is not configured in domain 1). Then installOn_abc_global in domain 2 contains Firewall "abc".
But policy installation in domain 1 fails because the InstallOn contains a group (installOn_abc_global) which is empty - and you cannot have an empty group in the installOn column.
How to solve this?

One workaround I have found (but a rather ugly one), is to define a dummy Firewall object (a VPN Edge object) and add this the all the installOn_xyz_groups which are empty. Then I can install the global policy without errors.

BR,

Morten

2 Replies
Maarten_Sjouw
Champion
Champion
‎2018-12-12 02:10 PM

Instead of using a installOn_xyz_global for each domain, you create one that you use in all domains, per domain you add the gateways within that domain which need the global Security Zones policy.

When you have domains that do not use the security zones you create a different Global  policy and assign that to those domains.

Regards, Maarten
0 Kudos
Morten__
Participant
‎2018-12-13 01:09 PM
In response to Maarten_Sjouw

Yes, I know you can do it with multiple global polices, but my goal is to use a single global policy.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events