Hi CheckMates,
I’d like to introduce a concept that could simplify and streamline security policy management in environments with multiple Check Point clusters, particularly those that currently rely on dedicated policies for each cluster. The idea is to leverage a single global security policy with inline layers for different clusters, effectively recreating the functionalities of an MDS (Multi-Domain Security Management, e.g. global rules, global objects) setup without the complexity of managing multiple policies.
Concept
Imagine using a single, centralized SmartCenter policy to define your global security framework, while still enabling distinct security configurations for each of your clusters. This is done by applying Inline Layer Rules that target specific gateways or groups of gateways as needed, all under the umbrella of a global policy.
Here’s an example breakdown of how it might work:
Global firewall section

These rules apply globally across all gateways in the infrastructure.
Inline Section

Each parent rule here represents an “Inline Layer” that links to the specific configuration of an individual cluster or gateway type in your infrastructure. Note: you cannot have multiple inline layers like these for the same installation targets, i.e. your global section (see rule #4) must be ordered within your normal rulebase and cannot itself be an inline layer, otherwise a gateway would receive more than one per-cluster layer.
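To make the layering concrete, here is an added example (my own illustration, not Check Point code or output) that walks a policy of this shape and answers two questions a reviewer would ask: which rules does each gateway actually receive, and does any gateway end up with more than one per-cluster inline layer (the note above)? The rulebase is a constructed sample whose field names (type, rulebase, action, inline-layer, install-on) are assumed to follow the management API's "show access-rulebase" output; the group membership in GROUPS is likewise assumed rather than read from a real system.

```python
"""Resolve which rules of a single global policy each gateway receives and flag
inline layers that overlap on the same installation target.

Added example, not Check Point code. POLICY is a constructed sample; its field
names are assumed to mirror the management API's "show access-rulebase" output.
"""
import copy

# Constructed: gateways each group object expands to (on a real system this
# would come from "show group"; assumption for the example).
GROUPS = {"All_Clusters": ["ClusterA", "ClusterB"]}

POLICY = {
    "name": "Global_Policy Network",
    "rulebase": [
        {"type": "access-section", "name": "Global firewall section", "rulebase": [
            {"type": "access-rule", "name": "Mgmt to gateways",
             "action": {"name": "Accept"}, "install-on": [{"name": "Policy Targets"}]},
            {"type": "access-rule", "name": "Stealth",
             "action": {"name": "Drop"}, "install-on": [{"name": "Policy Targets"}]},
        ]},
        {"type": "access-section", "name": "Inline section", "rulebase": [
            {"type": "access-rule", "name": "Cluster A rules",
             "action": {"name": "Apply Layer"},
             "inline-layer": {"name": "ClusterA_Layer"},
             "install-on": [{"name": "ClusterA"}]},
            {"type": "access-rule", "name": "Cluster B rules",
             "action": {"name": "Apply Layer"},
             "inline-layer": {"name": "ClusterB_Layer"},
             "install-on": [{"name": "ClusterB"}]},
        ]},
        {"type": "access-rule", "name": "Cleanup",
         "action": {"name": "Drop"}, "install-on": [{"name": "Policy Targets"}]},
    ],
}


def iter_rules(rulebase):
    """Yield access rules in policy order, descending into sections."""
    for item in rulebase:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def expand_targets(install_on, groups=GROUPS):
    """Resolve install-on entries to gateway names; '*' stands for Policy Targets."""
    out = set()
    for target in install_on:
        name = target["name"]
        if name == "Policy Targets":
            out.add("*")
        else:
            out.update(groups.get(name, [name]))
    return out


def all_gateways(policy, groups=GROUPS):
    """Every gateway named explicitly (or via a group) anywhere in the policy."""
    gws = set()
    for rule in iter_rules(policy["rulebase"]):
        gws |= expand_targets(rule.get("install-on", []), groups) - {"*"}
    return gws


def rules_for_gateway(policy, gateway, groups=GROUPS):
    """Names of the rules a given gateway receives, in rulebase order."""
    received = []
    for rule in iter_rules(policy["rulebase"]):
        targets = expand_targets(rule.get("install-on", []), groups)
        if "*" in targets or gateway in targets:
            received.append(rule["name"])
    return received


def inline_layers_by_target(policy, groups=GROUPS):
    """Map each gateway to the inline layers whose parent rule is installed on it."""
    everyone = all_gateways(policy, groups)
    by_target = {}
    for rule in iter_rules(policy["rulebase"]):
        if rule.get("action", {}).get("name") != "Apply Layer":
            continue
        layer = rule["inline-layer"]["name"]
        targets = expand_targets(rule.get("install-on", []), groups)
        if "*" in targets:  # a layer on Policy Targets reaches every gateway
            targets = everyone
        for gw in sorted(targets):
            by_target.setdefault(gw, []).append(layer)
    return by_target


def overlapping_inline_targets(policy, groups=GROUPS):
    """Gateways that would receive more than one inline layer (the pitfall)."""
    return {gw: layers for gw, layers in inline_layers_by_target(policy, groups).items()
            if len(layers) > 1}


def with_shared_inline_layer(policy):
    """Copy of the policy plus a third inline layer aimed at the All_Clusters group,
    i.e. the configuration the note above says to avoid."""
    bad = copy.deepcopy(policy)
    bad["rulebase"][1]["rulebase"].append({
        "type": "access-rule", "name": "Shared rules",
        "action": {"name": "Apply Layer"},
        "inline-layer": {"name": "Shared_Layer"},
        "install-on": [{"name": "All_Clusters"}]})
    return bad


if __name__ == "__main__":
    for gw in sorted(all_gateways(POLICY)):
        print(gw, "->", rules_for_gateway(POLICY, gw))
    print("overlaps (good policy):", overlapping_inline_targets(POLICY))
    print("overlaps (bad policy): ", overlapping_inline_targets(with_shared_inline_layer(POLICY)))
```

Run against the sample, each cluster gets the two global rules, its own inline-layer parent rule and the cleanup rule, and the overlap check is empty; adding a layer that targets the All_Clusters group makes the check report both clusters. Pointing the same functions at a real export from the management API (after adjusting the field names if they differ) is a quick pre-install sanity check to pair with the db_tool verification on the gateway.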
How to verify the rulebase installed on each gateway
Simply run db_tool -p $FWDIR/state/local/FW1 get_rules on each gateway to list the rulebase that was actually installed there and confirm it contains only the global rules plus that cluster's inline layer.
Why this matters
This approach can be especially useful when you are working with multiple clusters but want to minimize the overhead of managing several, potentially lengthy security policies. Instead of managing one policy per cluster, you can consolidate these policies into a single global policy, then layer your specific configurations (firewall, VPN, etc.) on top of that, all while continuing to manage individual gateway-specific settings in the inline layers.
By doing this, you can:
What I'm looking for
I’d love to hear feedback from the community. Have you tried similar approaches in your environments? What challenges have you faced with consolidating multiple security policies of several clusters or gateways? Do you see any potential roadblocks with the approach I’ve outlined? And are there any specific use cases where this would be particularly beneficial—or maybe not the best fit?
Looking forward to hearing your thoughts, ideas, and any suggestions you might have!
@mroethlein