Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor

Getting Started Managing Multiple Gateways

Jump to solution

Hi All,

We have just purchased a couple of smaller security gateways for remote offices (cool!). I have a 12400 series appliance on site at our main office here, along with a management server, etc. 

I am starting to read up and plan for configuring these new gateways, and I am trying to find some information on managing multiple gateways from a single management server, and how I would create and apply policy. This is of course assuming that using a single management server is realistic? The remote offices are small with only a handful of users at each, so I am not worried about moving lots of logs or anything; I am mostly just curious about designing and deploying policy. 

Any tips / advice would be greatly appreciated! (Sorry, still using R77.30, and I wasn't sure where else to post!)

~David

Labels (2)
0 Kudos
1 Solution

Accepted Solutions
Highlighted
Admin
Admin

This is a fine place to post your question Smiley Happy

Unified management is definitely the way to go here, it will make your life simpler in the end. There's a couple of approaches you can take in terms of building policy:

1. One policy to rule them all. Create a single policy that applies to all your gateways. You can create gateway-specific rules that are only applied on specific gateways (using the Install-On column). This is not an approach I see regularly and I think it makes the policy more complicated overall. It's not what I would recommend.

2. Create a different policy package for your Branch Offices. If you want to use your existing policy as a basis, you can do a File > Save As and create a new Policy Package (after saving other changes you might have made). One thing you definitely want to do to ensure the wrong policy isn't installed on the wrong gateways is go to Policy > Policy Package Installation Targets and specify the specific gateways the Policy Package applies to.

 

The downside to #2 is that you will have to duplicate rules (particularly App Control/URL Filtering rules) across your two policy packages, but the resulting policies should be simpler to manage.

When you upgrade to R80.10+, you can have both policies use the same App Control/URL Filtering rules using the same inline layer. 

I realize this will probably result in more questions, but it should be enough to get you started.

View solution in original post

0 Kudos
8 Replies
Highlighted
Admin
Admin

This is a fine place to post your question Smiley Happy

Unified management is definitely the way to go here, it will make your life simpler in the end. There's a couple of approaches you can take in terms of building policy:

1. One policy to rule them all. Create a single policy that applies to all your gateways. You can create gateway-specific rules that are only applied on specific gateways (using the Install-On column). This is not an approach I see regularly and I think it makes the policy more complicated overall. It's not what I would recommend.

2. Create a different policy package for your Branch Offices. If you want to use your existing policy as a basis, you can do a File > Save As and create a new Policy Package (after saving other changes you might have made). One thing you definitely want to do to ensure the wrong policy isn't installed on the wrong gateways is go to Policy > Policy Package Installation Targets and specify the specific gateways the Policy Package applies to.

 

The downside to #2 is that you will have to duplicate rules (particularly App Control/URL Filtering rules) across your two policy packages, but the resulting policies should be simpler to manage.

When you upgrade to R80.10+, you can have both policies use the same App Control/URL Filtering rules using the same inline layer. 

I realize this will probably result in more questions, but it should be enough to get you started.

View solution in original post

0 Kudos
Highlighted

Dameon Welch Abernathy wrote:

The downside to #2 is that you will have to duplicate rules (particularly App Control/URL Filtering rules) across your two policy packages, but the resulting policies should be simpler to manage.

 

When you upgrade to R80.10+, you can have both policies use the same App Control/URL Filtering rules using the same inline layer. 

With R80 and R80.10 Management, you can change the application control & URL filtering layer to shared layer and reuse that layer across your multiple policies - see https://community.checkpoint.com/thread/1091 .

The ability to share the same set of rules is a Management-Only feature, therefore you can start by just upgrading your Management to R80.10, use this feature, and later plan your Gateway migration. 

If I could recommend on best practices for policy organization, I would start by upgrading the Management server so you can start enjoying some of the benefits of layers. Later you could also upgrade your gateway and segment your rule sets into smaller chunks, which can give you the better ease of management.

hope this helps

0 Kudos
Highlighted
Contributor

Thanks to you both for the responses - I appreciate the guidance on separate policy packages and layers, etc.

So, I hadn't thought about just upgrading the management software up to R80.10... I am trying to get enrolled in a CCSA / CCSE class - I was initially thinking to go with a R77.30 class, but maybe I will go to 80.10.

 Thanks again!

~D

0 Kudos
Highlighted
Admin
Admin

Personally, I think if you're just learning about Check Point now, it's best to learn on the most recent version as there are some significant differences between R80+ and R77.x.

Even if you keep your gateways at R77.30 for the time being, there will be significant benefit to upgrading your management to R80+.

0 Kudos
Highlighted
Contributor

Dameon,

Thanks so much - and I agree. I have been going back and forth on it... but R80 it is Smiley Happy

Best,

~D

0 Kudos
Highlighted
Employee+
Employee+

I would start with user and application policy awareness.

SDP : Software-Defined Protection (SDP) | Check Point Software  

0 Kudos
Highlighted
Contributor

Thanks for the comment Ofir!

Just to keep things simple - SDP is just an approach to applying Check Point's software, yes? This is not another product / blade / service, per-se?

Thanks!!

0 Kudos
Highlighted
Admin
Admin

SDP describes a security architecture, it is not a product or service.