Leonid_German
Explorer

prevent access policy change

Hello,
I am looking for some option to prevent a local admin from creating rules "on top" of SMP auto-generated rules.
Even if the firewall access policy and URL/App filtering policy are configured as "managed in SMP", the local admin can still add a manual rule with "any-any accept" on top of those rules.
In this case all block rules for "undesired applications" are ineffective.

Any ideas?

Thank you.

0 Kudos
7 Replies

Admin is supposed to be able to change policy. But you may create account with "view only" permissions.

PhoneBoy
Admin

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Note this requires recent firmware and is NOT currently supported on the 1500 series appliances.

Bob_Zimmerman
Advisor

So to be clear, you want to have rules which the device administrator cannot opt out of?

That's what Provider-1's global policies do. You have a "Before" section and an "After" section at the global level. These rules are imposed on the CMAs. Admins at the CMA level cannot make any rules above the "Before" rules from the global policy.

PhoneBoy
Admin

It's also the kind of functionality SMP supports, just not with 1500 gateways (yet, presumably).

0 Kudos
Bob_Zimmerman
Advisor

And the 1500s can be managed by a SmartCenter, so Provider-1 would work now. 😜

As an aside, does GAiA Embedded have Sofaware bits? I don't think I knew SMP could manage them. Or that SMP was still around, really.

0 Kudos
PhoneBoy
Admin

Right, but the question was about SMP.
In the Sofaware days, SMP was both a cloud-based and an on-premise management solution for Safe@/UTM-1 EDGE appliances.
It has since been expanded to manage Embedded Gaia appliances, but we no longer offer it as an on-premise solution.

Now, as to whether there are Sofaware bits in Embedded Gaia, I'd say: highly likely.
We did fully acquire Sofaware, after all. 🙂

0 Kudos
Leonid_German
Explorer

Thank you all!
It seems like only Provider-1 management can support full pre and post rules.
SMP portal pre rules do not include application/URL restrictions.
I hope in the future Checkpoint will support pre rules with application control on SMP management.

0 Kudos