Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Steve_Pearson
Contributor

Managing multiple gateways with separate policies on a single management server

I'm currently creating a set of new policies for a handful Spark 1555's that are being deployed to branch offices.

Each will have it's own policy, and following what I believe is best practice the policy will define the installation target and the rules in the Access, NAT and QoS policies will have "Policy Targets" in the Install On column.

This is fine for the those policies, but the HTTPS policy are shared, so i'm thinking that these should specifically state the installation target for each rule, and have a separate section title for each "site" to keep them together.

Just wondered how everyone else does this?

Also, I was wondering if it was possible to have a shared layer for rules that are common to all policies. I think it would be possible for a set of block rules, set it as the first layer in each policy, but it wouldn't work for allow rules as it would simply allow it to continue to the next layer, which may then block it. Has anyone else tried this or should I simply stick to totally separate policies?

0 Kudos
21 Replies
the_rock
Legend
Legend

Yep, thats EXACRLY how I did it for few customers and even TAC suggested the same. See, you cannot sadly create separate https policy for different gateways, like you can with regular rule base. I was hoping maybe that would be the case in R82, but does not look like it.

Im still hoping for hit count on https inspection policy too 🙂

Andy

0 Kudos
Steve_Pearson
Contributor

Thanks Andy.

A hit count on HTTPS policy would be very useful and well overdue!

(1)
the_rock
Legend
Legend

Yes, it is overdue, I agree. It would be super useful.

Btw, for your last question, shared layer for common rules, that would be very tricky, because as you already know, traffic has to be ACCEPTED on all ordered layers, otherwise, it would not work. 

Andy

0 Kudos
Steve_Pearson
Contributor

Yeah, that's where I got to and decided that as it's only going to work for drop rules, it's probably better no to bother at all 🙂

the_rock
Legend
Legend

Let me tell you a story about customer I used to support after they switched from Cisco to CP few years ago. So I helped them with moving everything over, we built the policy using smartmove tool after the conversion, Smart-1 cloud option was good for them (they were happy with it), showed them how policy layering worked etc, so I explained to their boss how odered layers work and I told him specifically, do NOT EVER change last layered rule to any any block, as that will block all traffic. He assured me he would not do it, well guess what, one night I get this frantic call from one of his employees and we find out guy (the boss) changed that rule from Europe, where he was on vacation and instead of enjoying his vacation, he decided to do something he was not supposed to do lol

Joys of our job, haha.

Anyway, we fixed it quick, but he felt really embarrassed about it...his reasoning? Thats how it works with Cisco. My usual comeback to that "Last year, I was year younger and now Im not" 😂😂

Andy

0 Kudos
Steve_Pearson
Contributor

🤣🤣🤣

The last few policies I've worked on, including the ones i'm doing now are pretty restrictive and do actually have an any any drop at the end as they prefer to allow the users as required rather than blocking certain stuff and allowing everything else!

0 Kudos
the_rock
Legend
Legend

Thats okay, as long as they dont inadvertently block things at the end lol

Btw, blacklist approach is what CP recommends for URLF layer as well and I do find it works better.

Andy

 

0 Kudos
the_rock
Legend
Legend

@Steve_Pearson 

This is sk Im talking about.

Andy

https://support.checkpoint.com/results/sk/sk112249

blacklist vs whitelist section

0 Kudos
Steve_Pearson
Contributor

This certainly makes sense as it lowers the management overheads significantly.

The approach i've been using was one I picked up off colleague years ago and that is to have a list of group of employees (directors, managers, IT, general users, etc) then create a block list of the categories that each group is not allowed to access.

Then for each user group, a rule that matches AD group membership and has inline rules below it. These rules block the critical risks first, then allow specifics from the categories that are going to be blocked (for example remote control may be blocked as a category but maybe we allow just Teamviewer), then block the category list and finally finish with an accept all clean up rule.

After all of these rules for the groups, the main policy clean up rule would be a drop, which has the effect of dropping all unknown traffic for unknown users or devices.

0 Kudos
PhoneBoy
Admin
Admin

Pretty sure you can assign a separate HTTPS policy to a Policy Package, which should be applicable for SMB.
This has been supported for a while. 

0 Kudos
the_rock
Legend
Legend

But I dont believe that was ever possible for regular Gaia, was it?

Andy

0 Kudos
Tomer_Noy
Employee
Employee

Yup, you can definitely create separate HTTPS Inspection layers for different gateways, if you want.

The default is a shared layer for all policies, because that is the most common use-case. But, if you do want separation (beyond the Install-On column), you can open the "Manage Policies and Layers" dialog and under "Layers" => "HTTPS Inspection" create a new layer.

 

New HTTPS Inspection Layer.png

Then, you can go to your policy package and modify it to use the new HTTPS Inspection layer, instead of the "Default" one.

Select New HTTPS Inspection Layer.png

** You can also select the "New Layer..." button in the Layer selection dialog (instead of going to the "Manage Policies and Layers" dialog).

It's supported on GAIA as well.

the_rock
Legend
Legend

Will try this in my lab, I must have done it a different way past time, hence option was "missing". Thanks @Tomer_Noy 

0 Kudos
the_rock
Legend
Legend

Just tested it and yes, works fine...well, learned something new, thank you!

Andy

0 Kudos
Steve_Pearson
Contributor

Me too, works great, it's a pity you can't clone an existing)

Every day's a school day!

Thanks!

@Tomer_Noy Thanks for the info!

the_rock
Legend
Legend

I agree @Steve_Pearson , super valid point about cloning!

I know you can clone whole policy package, but just wondering @Tomer_Noy , any idea if there are plans to make it work for cloning specific layer?

Andy

0 Kudos
Tomer_Noy
Employee
Employee

Hmmm...

We don't have "clone" for layers, but we do have "copy+paste" for rules, so it's pretty easy to get the same functionality with a few clicks.

Go to your original layer, press "Ctrl+A" to select all rules, right-click and select "Copy": 
Copy HTTPS Rules.png

Then go to your new layer, right-click and select "Paste -> Above":

Paste HTTPS Rules 1.png

Paste HTTPS Rules 2.png

After pasting, you'll probably want to delete the last rule, which is the cleanup from the original layer and is now duplicated.

I hope this helps 😀

Copying & pasting rules is of course very useful for Access rules as well (not just HTTPS Inspection). Not all customers are familiar with the capability.

the_rock
Legend
Legend

It helps, and its easy, yes 🙂

Thanks!

Andy

0 Kudos
Steve_Pearson
Contributor

I use this all the time on access rules, and can't believe I never thought about it on the HTTPS rules!

Thanks again!

the_rock
Legend
Legend

I know, same here lol

Andy

0 Kudos
Tal_Paz-Fridman
Employee
Employee

An alternative—though typically not ideal for a small environment—would be to use an MDS.

This approach allows you to create a Global Policy that can be applied either before or after the local Domain rulebase. Additionally, it enables separate HTTPS Inspection policies for each Domain and Security Gateways.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events