This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leonid_German
Participant
‎2020-12-30 12:45 AM

prevent access policy change

Hello,
I am looking for some option to prevent local admin to create rules "on top" of SMP auto -generated rules.
Even if the firewall access policy and URL/App filtering policy configured "manage in SMP" -local admin can still add manual rule with "any-any accept"  on topof those rules  .
In this case all block rule for "undesired applications " are ineffective.

Any ideas?

Thank you.

0 Kudos
7 Replies
HristoGrigorov
Mentor
Mentor
‎2020-12-30 08:08 AM

Admin is supposed to be able to change policy. But you may create account with "view only" permissions.

PhoneBoy
Admin
Admin
‎2020-12-30 08:13 AM

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Note this requires recent firmware and is NOT currently supported on the 1500 series appliances.

Bob_Zimmerman
Authority
Authority
‎2020-12-30 08:21 AM

So to be clear, you want to have rules which the device administrator cannot opt out of?

That's what Provider-1's global policies do. You have a "Before" section and an "After" section at the global level. These rules are imposed on the CMAs. Admins at the CMA level cannot make any rules above the "Before" rules from the global policy.

PhoneBoy
Admin
Admin
‎2020-12-30 08:50 AM
In response to Bob_Zimmerman

It's also the kind of functionality SMP supports, just not with 1500 gateways (yet, presumably).

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2020-12-30 01:28 PM
In response to PhoneBoy

And the 1500s can be managed by a SmartCenter, so Provider-1 would work now. 😜

As an aside, does GAiA Embedded have Sofaware bits? I don't think I knew SMP could manage them. Or that SMP was still around, really.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-30 01:53 PM
In response to Bob_Zimmerman

Right, but the question was about SMP.
In the Sofaware days, SMP was both a cloud-based and an on-premise management solution for Safe@/UTM-1  EDGE appliances.
It has since been expanded to manage Embedded Gaia appliances, but we no longer offer it as an on-premise solution.

Now, as to whether there are Sofaware bits in Embedded Gaia, I'd say: highly likely.
We did fully acquire Sofaware, after all. 🙂

0 Kudos
Leonid_German
Participant
‎2020-12-31 12:35 AM

Thank you all!
It seems like only Privider-1 management can support full pre and post rules.
SMP portal pre rules are not include applications/url restrictions .
I hope in the future Checkpoint will support pre rules with application control on SMP management.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top