What are the changes that were made in Multi-Domain environments in regard to layers? What is the new "Domain Layer" concept?
Message was edited by: Tomer Sole
Multi-domain policies in R80 utilize the layers concept, in order to segregate different parts of the rulebase for different permission profiles. Since Multi-Domain is a Management server-only concept, many of its features apply for all existing Gateways without the need to upgrade them.
A global policy can be split into different ordered layers. Read all about ordered layers at Layers in R80. For Pre-R80 Gateways, this means that an administrator can add application control rules inside the Global Domain, as well as global threat prevention rules.
Inside a global policy layer, a placeholder for domain rules appears. It represents the place in which the domain rules will be applied. Global rules can be set above and below the placeholder.
Once "assign global policy" occurs, all of the domain's policies get updated with the global rules. The placeholder from the global domain is seen as a "parent rule for domain policy". Its action is "domain layer", and it has a "domain layer" inside with all the local domain rules. The domain administrator can select a different domain layer, or choose to not have any domain layer at all instead of that placeholder, by clicking the pencil icon in the "action" cell.
When the gateway evaluates the rules in the local policy, if there was no match for the global rules at the top of the rulebase, it starts to evaluate the rules from the domain layer. If there was still no match for those rules, the global rules that were created below the domain layer are evaluated.
Internally, the R80 Management Server uses pointers to revisions of the global domain instead of copying the global rules as it did in R77 Management. "Reassign global policy" updates the local domain to point at the latest revision of the global domain's database.
"Reassign" also checks whether changes were made to the ordered layers in the global policy - for example, if a new ordered layer was added, it attempts to connect it with the next ordered layer in the local domain's policy.
Another concept is the ability to share a layer. A use case could be that the global administrator publishes global layers, and then the domain administrator selects them inside his domain policies the way that he desires.
Hello @Tomer_Sole
How can you “omit” a policy package from the Global CMA in a CMA?
For example, I need to be able to create local policies in my SEC001 (CMA) without having to do so from the Global CMA, but as I understand it, this can initially be done when you create rules under the “Domain Layer” concept, right?
Does everything within that section called “Domain Layer” represent the local rules created in a particular CMA?
Is there a way to simply work with local rules in a view where none of the global rules are visible?
Thanks for your comments.
The "Domain Layer" is the reserved layer "hook" where the access rules for each CMA are combined with the Global access policy layer, if you are assigning the global policy to the domains.
If you open one of your domains and select the checkbox "Show Global Rules", you will see the Global access policy rules above and below the domain-specific rules. You will also notice that all of the domain rules start with the same rule number (rule 4 in your case). Per-domain rules are 4.1, 4.2, 4.3, etc.
This is described in the MultiDomain Security Management Admin Guide documentation. You should read this for more understanding of how MDS operates.
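The evaluation order from the first post and the 4.1, 4.2 numbering from the reply above, as a simplified model added here (not Check Point code and not part of the original posts). The rule fields, the sample rules, the placeholder applying to all traffic, and the final drop for unmatched traffic are assumptions made for illustration.

```python
# Simplified model of the merged rulebase described in this thread.
# All rule names, sources and services below are constructed samples.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str      # "any" or an exact source label
    service: str  # "any" or an exact service name
    action: str   # "accept" or "drop"

    def matches(self, src, service):
        return self.src in ("any", src) and self.service in ("any", service)

@dataclass
class Placeholder:
    """Parent rule for domain policy; its action is the domain layer."""
    domain_layer: Optional[list]  # None = domain admin selected no domain layer

def numbered(rulebase):
    """Yield (number, rule) in evaluation order; domain rules become N.1, N.2, ..."""
    for n, entry in enumerate(rulebase, start=1):
        if isinstance(entry, Placeholder):
            for m, rule in enumerate(entry.domain_layer or [], start=1):
                yield f"{n}.{m}", rule
        else:
            yield str(n), entry

def evaluate(rulebase, src, service):
    """First match wins: global rules above, then domain layer, then global rules below."""
    for number, rule in numbered(rulebase):
        if rule.matches(src, service):
            return number, rule.name, rule.action
    return None, "no-match", "drop"  # assumption: unmatched traffic is dropped

GLOBAL_ABOVE = [
    Rule("block-telnet", "any", "telnet", "drop"),
    Rule("mgmt-ssh", "mgmt-net", "ssh", "accept"),
    Rule("global-dns", "any", "dns", "accept"),
]
DOMAIN_RULES = [
    Rule("sec001-web", "branch-net", "https", "accept"),
    Rule("sec001-telnet", "branch-net", "telnet", "accept"),  # shadowed by global rule 1
]
GLOBAL_BELOW = [Rule("global-cleanup", "any", "any", "drop")]

def build(domain_layer):
    return GLOBAL_ABOVE + [Placeholder(domain_layer)] + GLOBAL_BELOW
```

In this model a domain rule that contradicts a global rule above the placeholder (`sec001-telnet`) is never reached, and selecting no domain layer sends the domain's traffic straight to the global rules below.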