Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
khineminn
Contributor

Understanding Checkpoint Policy Packages

Could someone explain the details regarding policy packages? Let's assume we have two policy packages: 1. Standard and 2. HQ_Policy.

  1. The HQ_Policy is installed on a specific gateway.
  2. The Standard policy is installed on all gateways.

In this case, how do both rules interact, and what is the order in which the policy packages are applied?

Thanks in advance!

0 Kudos
8 Replies
AkosBakos
Advisor

Hi @khineminn 

One gateway or cluster can have only one policy.

Let me explain with my words:

You can install Standard policy to any gateways or clusters in your domain. The HQ_Policy can be installed on a specifix gateway. You can set the installation target under Manage Policy packages,

There is no such way one gateway has 2 polices in one time (no merged, mixed, union). If you installed HQ_Policy to eg.: GW_HQ_clu then you want to install Standard to GW_HQ_clu, you will get a message -> HQ_Policy is installed, do you really want to install Standard?

Otherwise If you want to create an union of two policies -> simply copy them into a new policy package.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
khineminn
Contributor

Hi @AkosBakos 

It makes sense. I'm confused about the following, and please let me know how it will work. There is only one gateway and which policy package will pick?
 
Manage Policy Layers
!
Standard _ Policy Target > All Gateways
HQ_Policy _ Policy Target > All Gateways
 
 
Each Policy Package
!
Standard _ Install On > HQ Gateway
HQ_Policy _ Install On > HQ Gateway

 

0 Kudos
AkosBakos
Advisor

Hi @khineminn 

That policy will picked, which will be pushed to the gateway first time. Gateway with no policy has an "initial" policy which will allow only the necessary port, GAIA portal, SSH, PING tot the MGMT address. Nothing more.

It is clear now? 🙂

Akos

----------------
\m/_(>_<)_\m/
(1)
khineminn
Contributor

Hi @AkosBakos 

Thanks for your explanation. It is clear now. 

0 Kudos
CP_Chris
Employee Employee
Employee

I am a little late to the conversation, but I think there may be something missed here. To start with, a policy package is what is used to set the security for a firewall based on the rules and settings within it. Within a policy, it is possible to have different Policy Layers.

A Policy Package can be assigned to either All Gateways, or to specific gateways. This changes the available gateways you see when you click the install button. What is installed on the gateway is the policy package - including the layers included in that specific policy package.

Layers are used within the policy package, but cannot be assigned to specific gateways. @AkosBakos is correct in the statement that a gateway can only have one policy package installed at a time. You have to choose the Policy Package you want to install, and in doing so, you will have the option to select one or more of the gateways that are set as Installation targets. This is set in the manage policies, not in the rules themselves. 

I think when you are stating policy layers above, you are referring to the individual rules within the policy layer. This has the "Install On" column that is by default set to to Policy Targets. This means the rule will be applied to any gateway this Policy Package is installed on. If you have 5 firewalls, and you have a single policy package for all of them, and the Install On column is set to policy targets, all 5 firewalls will enforce that rule. You can however change the install on column to one or more of those 5 firewalls. That means the rule, when installed, will only be enforced on the firewalls designated within the install on column of the rule.

Now the best practice is if you have multiple policy packages, you should set the installation target to only allow the gateways the policy package applies to. Additionally, you should not have multiple policy packages that can be installed on the same gateway. There are some exceptions - like if you are cleaning up a policy, or merging policies. But this should be short-lived, and after the cleanup, the old policy should be removed to make sure it is not accidentally installed. 

Not sure if anyone is following this any longer, but hopefully it helps clear things up a bit. 

Bob_Zimmerman
Authority
Authority


@CP_Chris wrote:

A Policy Package can be assigned to either All Gateways, or to specific gateways. This changes the available gateways you see when you click the install button. What is installed on the gateway is the policy package - including the layers included in that specific policy package.


One really important note: the use of "assigned to" here is potentially misleading. A policy package can be available for installation on all gateways or a list of specific gateways. Adding a gateway to this list doesn't actually affect anything on that gateway until the policy is built and pushed.

A gateway runs exactly one policy package at all times. Out of the box, every Check Point firewall comes with InitialPolicy (which allows management traffic) and defaultFilter (which drops everything). Which one of those two it runs depends on how it started up.

The policy package on a gateway may be replaced by a second policy package, but then the gateway no longer has any of the rules or configuration from the first policy package. Two policy packages may not be installed at one time. The policy package a gateway runs is the last one pushed to it. If you push a different policy package to it, there will be a traffic outage, then new connections can be opened based on the rules in the new policy package.

JozkoMrkvicka
Authority
Authority

Once SMS or new Domain on MDS is created, by default, Standard policy package is created. That default policy package has only one rule by default - clean-up rule (any-any-any-drop). Standard policy package has by default Installation Targets set as All gateways. That means, Standard policy package can be installed on any productive gateway. Of course you will get warning if any custom-made policy package was already installed on some gateway, that all rules from previous policy will be replaced by Standard policy package (all drop). If administrator did not read the warning, it can be installed and causing outages.

I see this Standard policy package as confusing and should be removed after new policy package is created and installed.

Why is this Standard policy package created by default on new SMS or Domains ? Let the user create dedicated policy so in the future nobody can at any time install policy which he/she didnt create manually.

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin
Admin

To answer the question of why would likely require going back to the earliest days of the product, as this is where this behavior originated.
If I had to guess, it was for initial product usability.
On the community, I see people still using this "Standard" policy.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events