Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ole_Jakobsen
Contributor

Force "Install on"

Hi,

Is it possible to force users to choose an install target in the "Install on" collum in the policy?

The purpos is to avoid that the user chooses "Policy targets"

TIA

Best regards

Ole Jakobsen

10 Replies
Danny
Champion Champion
Champion

I second that request.


0 Kudos
_Val_
Admin
Admin

And I wonder why people want to use "install on" in the rulebase while it is much easier to stick to policy targets per package 🙂


It is a matter of opinion and practices, IMHO. 

To answer the original question, with current versions, it is not possible to do

Joshua_Hatter
Employee
Employee

Maybe they have policy targets set, but only want a rule to be enforced on 1 of the handful of targets.

0 Kudos
_Val_
Admin
Admin

I understand that people are using it. I disagree with that being a good practice.

Joshua_Hatter
Employee
Employee

I think its great practice to be specific over being vague in the rule base.

To say otherwise doesn't seem logical to be honest.

As I said, both should be completed. Policy Targets per package to limit the policy, and Install-On field to limit rules within the defined targets where necessary.

_Val_
Admin
Admin

Agree to disagree 🙂

0 Kudos
Tomer_Sole
Mentor
Mentor

I would make the shared rules a shared inline layer across the multiple policies. Gateways have very specific nets and users behind them, so for the most part you would want to make very specific rules for their sources. Smaller rule sets = easier maintenance.

Check Point Compliance Blade lets you specify a Custom Best Practice where Install On cannot be Policy Targets.

Maarten_Sjouw
Champion
Champion

Why not the other way around, we have a customer with a lot of remote sites, they use a part the same rulebase and then we have a part that is specific for each location, you can create an inline layer per site (gateway) with the install on already forced on the main layer rule. That should fix that layer to the specific gateway as well.

Only problem at this moment is that 1400's do not support inline layers as they are still on R77.20.x 

Regards, Maarten
PhoneBoy
Admin
Admin

I agree, the "Best Practice" here is to configure the Installation Targets in the policy to be a specific gateway only.

I run several policies in my lab and each Package is tied to a specific gateway:

When you install that policy, it will only install on the selected gateway:

I see a couple issues:

  • What if I choose an "Install-On" target that is not one of the Installation Targets? I presume (though I haven't tested) that the rule will simply be ignored on other gateways.
  • What if I want to lock a specific "Install-On" target for a specific rule even when using Installation Targets? This is what I think Joshua Hatter‌ is referring to above. It's an interesting use case, but one we don't support today.
Ole_Jakobsen
Contributor

Thank you all for replying.

The reason for the question is in a matter of simplification of the policy. When many policy packages is involved in a single connection across many gateways it would, in this case, be easyer to have a single policy and use "Install on".

But as I can see, it all depends on the likes of the admin and local policies Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events