Hi CheckMates,
I’d like to introduce a concept that could simplify and streamline security policy management in environments with multiple Check Point clusters, particularly those that currently rely on dedicated policies for each cluster. The idea is to leverage a single global security policy with inline layers for different clusters, effectively recreating the functionalities of an MDS (Multi-Domain Security Management, e.g. global rules, global objects) setup without the complexity of managing multiple policies.
Concept
Imagine using a single, centralized SmartCenter policy to define your global security framework, while still enabling distinct security configurations for each of your clusters. This is done by applying Inline Layer Rules that target specific gateways or groups of gateways as needed, all under the umbrella of a global policy.
Here’s an example breakdown of how it might work:
Global firewall section
These rules apply globally across all gateways in the infrastructure.
Inline Section
Each parent rule here essentially represents an “Inline Layer” that links to specific configurations for the individual clusters or gateway types in your infrastructure. Note: You cannot have multiple inline layers like these for the same installation targets, i.e. your global section (see rule #4) must be ordered within your normal rulebase and cannot be an inline layer.
How to verify the rulebase installed on each gateway
Simply run `db_tool -p $FWDIR/state/local/FW1 get_rules` to verify the installed rulebase on your gateway.
Why this matters
This approach can be especially useful when you are working with multiple clusters but want to minimize the overhead of managing several, potentially lengthy security policies. Instead of managing one policy per cluster, you can consolidate these policies into a single global policy, then layer your specific configurations (firewall, VPN, etc.) on top of that, all while continuing to manage individual gateway-specific settings in the inline layers.
By doing this, you can:
- Ease migration: You can migrate from multiple security policies to a unified model incrementally, all while keeping your network fully operational.
What I'm looking for
I’d love to hear feedback from the community. Have you tried similar approaches in your environments? What challenges have you faced with consolidating multiple security policies of several clusters or gateways? Do you see any potential roadblocks with the approach I’ve outlined? And are there any specific use cases where this would be particularly beneficial—or maybe not the best fit?
Looking forward to hearing your thoughts, ideas, and any suggestions you might have!
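As an added illustration (constructed here, not code from the post or from Check Point), a small Python model of the design above: a policy list where install-on decides which rules reach each gateway, and an inline-layer parent rule either decides inside its layer or falls to the layer's implicit cleanup without reaching the rules below it. Gateway, network and rule names are made up.

```python
# Constructed toy model (not Check Point code); services are omitted for brevity.
from dataclasses import dataclass, field

ANY = {"any"}

@dataclass
class Rule:
    name: str
    src: set
    dst: set
    action: str  # "accept", "drop" or "apply-layer" (parent of an inline layer)
    install_on: set = field(default_factory=lambda: set(ANY))
    layer: list = field(default_factory=list)  # sub-rules of the inline layer

def _hit(values, value):
    return "any" in values or value in values

def installed_rules(policy, gateway):
    """Rules pushed to `gateway`: the subset db_tool get_rules would list."""
    return [r for r in policy if _hit(r.install_on, gateway)]

def evaluate(policy, gateway, src, dst):
    """First match wins. A matching inline-layer parent decides inside its layer;
    no match inside means the layer's implicit cleanup, not the rules below."""
    for r in installed_rules(policy, gateway):
        if not (_hit(r.src, src) and _hit(r.dst, dst)):
            continue
        if r.action != "apply-layer":
            return r.name, r.action
        for sub in r.layer:
            if _hit(sub.src, src) and _hit(sub.dst, dst):
                return f"{r.name}/{sub.name}", sub.action
        return f"{r.name}/implicit-cleanup", "drop"
    return "policy-cleanup", "drop"

# Sample policy: global section, one inline layer per cluster (install-on
# restricts each parent to its own cluster), then the global cleanup rule.
POLICY = [
    Rule("global-mgmt", {"mgmt-net"}, ANY, "accept"),
    Rule("cluster-a", ANY, ANY, "apply-layer", {"cluster-a"},
         [Rule("a-web", {"office-net"}, {"dc-web"}, "accept")]),
    Rule("cluster-b", ANY, ANY, "apply-layer", {"cluster-b"},
         [Rule("b-dns", ANY, {"dns"}, "accept")]),
    Rule("global-cleanup", ANY, ANY, "drop"),
]
```

Prepending an any/any inline-layer parent that is installed on every gateway shows why the global section needs care: every packet not matched inside that layer is dropped by its implicit cleanup before any lower rule is consulted.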
@mroethlein
I always thought an excellent use for an inline layer is an Internet Access Policy.
You can restrict the outgoing ports this way, too.
You can also use inline layers as a form of policy optimization for services that force slowpath.
That's just my own vision, though I am interested in seeing how others are leveraging these features.
One thing to be aware of here is the total number of layers allowed (251, I think).
I would be slightly concerned someone might try to add an inline layer in the "Global" section, then would be confused by why tons of other lower rules are suddenly not being hit. As long as people who implement this make sure everybody understands that all changes to the top-level rules need expert review, it seems good.
I'm sure you know, too, but you can also delegate administrative permissions to a layer. Assign specific admins permissions to the whole policy, but then delegate "lesser" admins to just their own layer, etc. Great way to limit the blast radius of mistakes by others (and limits your liability!). double-plus-bonus win? 😆
Global policies are great, a core feature of MDS 🙂
I would say an important thing when working with multiple firewalls is to decide early where to place the rules in case there are several firewalls that the traffic passes through.
In regards to inline layers, make sure to use them where you have dynamic objects such as geo blocking.
I.e., use an inline layer with source external interface if wanting to block a specific country.
This is because, if the GW loses its DB of the dynamic objects, they translate to an "any" object.
During some upgrades we did, this meant outages for a lot of traffic before using inline layers in that case.
Personally I would also be careful about what GWs you combine in the same policy.
I.e., if you have 10 GWs that are all acting as "office firewalls" to reach the internet, by all means use one policy.
But I would avoid putting datacenter firewalls and office firewalls together in the same policy and relying on install-on.
It all looks great in concept, but datacenter firewalls tend to end up with several hundred lines of policy.
The only issue I can think of is that per-policy package settings, which can normally be set separately for a single gateway, may not be available. For example, whether Autonomous Threat Prevention is enabled on a gateway is controlled at the object level, but the Autonomous profile selection is set per policy package, and all gateways in that policy package must use the same one. There may be other examples of this, but I can't think of any right now.