This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maria_Pologova
Collaborator
‎2019-10-23 02:42 AM

Policy Preset limitation

Our current setup includes four Multi-Domain Management servers, where Domain Management servers are spread across all of them in order to distribute the load. R80.20 Take 107

The issue/limitation we are facing is that in order for Policy Preset (scheduled or not) to work, we must have Global domain Active on the MDM that holds a DMS with policy targets, what breaks the idea of centralized management and makes policy installation automation far away from straightforward.

Also, for the ones who faced the following warning when creating a new Policy Preset - this is the same problem. make sure that Global Domain is active on the MDM that holds the DMS with policy targets.

Capture.PNG

Does someone know if there is a plan to improve this or we need to do a RFE?

 

Additional posts for the similar subjects:

Install Policy Presets not working on R80.20 

6 Replies
Maarten_Sjouw
Champion
Champion
‎2019-10-23 07:47 AM

I can also tell you that in R80.30 when you try to install a policy from the MDG in your setup, it's the same as ours, you get an error that is similar but just states that you need to be logged into the MDS that the DMS is on. Also when you look at Sessions, you will only see sessions from the MDS you are logged in to.
Regards, Maarten
0 Kudos
Maria_Pologova
Collaborator
‎2019-10-23 01:36 PM
In response to Maarten_Sjouw

Yes, you are right.

Was doing some tests regarding policy installation from MDM, and good news is that everything is not that bad as it sounds.
We don't need to set Global Domain Active on MDM where DMS is. In order to run policy installation (scheduled or not) it's enough to be logged into MDM where corresponding DMS is (regardless of it's being secondary or primary DMS)

But what needs to be taken to consideration:
1. Global domain must be active on primary MDS 
2. Last run time is not synchronized across MDMs. If you run policy installation from one MDM, you will not see it on another ones.

It's still quite a limitation for centralized management. We can see all policy packages/target gateways on primary MDM, but not install policy on them.

Maria_Pologova
Collaborator
‎2019-10-24 02:22 PM
In response to Maarten_Sjouw

Was doing some tests again, and turned out that it is actually that bad as I though at the beginning. 

Basically scheduled policy installation is not working indeed until we set Global domain as Active on the MDM where we have DMS with policy targets. However if you just want to install bulk of policies, you just need to be logged into respectful MDM.

Maria_Pologova
Collaborator
‎2019-11-04 04:49 AM

I would like to share our findings and discussion with R&D team on the issue with policy installation preset. 

1. Regarding the need of switching the Global Domain to the MDS server, which holds the target CMA prior to scheduled policy installation. 

This limitation is documented at R80.20 Administration guide - "Multi-Domain Security Management Administration Guide R80.20, Page 36"

Note - The policy preset is installed on the Multi-Domain Server with the active global Domain. If a domain has no domain server on the Multi-Domain Server with the active global Domain, then the policy preset is not installed on this Domain.

2. While connected to the Primary MDS, the policy installation to the gateways on the secondary, tertiary Multi-Domain Security Management servers is not possible.  

This is also a current product limitation. 

3. If the Global Domain will be changed to the secondary MDS server and the policy installation preset will be triggered, the status of the policy installation preset will not appear on the status task pane on Primary MDS. 

This feature is in product road-map and expected to be resolved in the next releases. 

Maarten_Sjouw
Champion
Champion
‎2019-11-04 06:26 AM
In response to Maria_Pologova

3 - Does that also include being able to see the active sessions for the secondary MDS's? As also there the only sessions you see are from the MDS you logged into.
Regards, Maarten
Maria_Pologova
Collaborator
‎2020-01-29 05:23 AM
In response to Maarten_Sjouw

sorry for the late reply, but I bet it is 🙂

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top