Policy Management

In This Section: The Need for an Effective Policy Management Tool Policy Management Overview Policy Management Considerations Creating a New Policy Package Defining the Policy Package's Installation Targets Adding a Policy to an Existing Policy Package Adding a Section Title Configuring a New Query Intersecting Queries Querying Objects Sorting Objects in the Objects List Pane Policy Packages Dividing the Rule Base into Sections using Section Titles Querying Rules Querying Network Objects Sorting the Objects Tree and the Objects List Pane Working with Policies

The Need for an Effective Policy Management Tool

As corporate structures grow in size, more network resources, machines, servers, routers etc. are deployed. It stands to reason that as the Security Policy possesses more and more network objects and logical structures (representing these entities), used in an increasing number of rules, it becomes more complex and more of a challenge for the system administrator to manage.

Because of the complexity of the Security Policy, many system administrators operate according to the "if it ain't broke, don't fix it" axiom:

• New rules are often placed in a "safe" position (e.g. at the end of the Rule Base) rather than in the most effective position.
• Obsolete rules and objects are seldom eliminated.

These practices clutter and inflate the Security Policy and the databases unnecessarily, which invariably affects the performance of the Security Policy and the ability of the system administrator to manage it properly.

A simple, seamless solution is needed to facilitate the administration and management of the Security Policy by the system administrator. This easy-to-use policy management tool needs to take into account:

• The complexity of the corporate structure, with its multiple sites and branches, each of which has its own specific corporate needs.
• The need to easily locate objects of interest.
• The need to analyze the Rule Base.

Policy Management Overview

The Security Management server provides a wide range of tools that address the various policy management tasks, both at the definition stage and at the maintenance stage:

• Policy Packages allow you to easily group different types of Policies, to be installed together on the same installation target(s).
• Predefined Installation Targets allow you to associate each Policy Package with the appropriate set of gateways. This feature frees you of the need to repeat the gateway selection process every time you install (or uninstall) the Package, with the option to easily modify the list at any given time. In addition, it minimizes the risk of installing policies on inappropriate targets.
• Section Titles allow you to visually break down your Rule Base into subjects, thereby instantly improving your orientation and ability to locate rules and objects of interest.
• Queries provide versatile search capabilities for both objects and the rules in which they are used.
• Sorting your objects in the Objects Tree and Objects List pane is a simple and quick way to locate objects. This feature is greatly facilitated by consistent use of naming and coloring conventions.

Policy Management Considerations

It is recommended to define a set of object naming and coloring conventions, which can significantly facilitate locating the object(s) you need. For example, if you use a prefix indicating the object's location (e.g. NYC_Mail_Server), you can easily group all objects by their location, by simply sorting the Object List pane's Name column. Similarly, you can implement a coloring convention that indicates which site an object belongs to, and then sort the relevant Object Tree's tab by color.

Creating a New Policy Package

1. Choose File > New from the menu.

   The New Policy Package window opens.

2. Enter the New Policy Package name. This name cannot:
   • Contain any reserved words, spaces, numbers at the beginning, or any of the following characters: %, #, ', &, *, !, @, ?, <, >, /, \, :
   • End with any of the following suffixes: .w, .pf, .W.
3. In the Include the following Policy types section, select any or all of the following policy types, to be included in the Policy Package:

• Firewall, Address Translation and Application Control and URL Filtering.
• Threat Prevention
• QoS: Traditional mode or Express mode
  • Desktop Security

  This below shows the Rule Base tabs corresponding to each policy type.

Policy Type	Rule Base Tabs Displayed
Firewall, Address Translation and Application Control and URL Filtering	Welcome, Firewall, NAT, Application Control and URL Filtering, IPS, Data Loss Prevention, Anti-Spam & Mail, Mobile Access, and IPSec VPN
Threat Prevention	Welcome, Data Loss Prevention, IPS, Anti-Bot, Anti-Virus, Anti-Spam & Mail, Mobile Access The Threat Prevention policy package cannot be added to the global policy. It is a separate policy.
QoS	Welcome, IPS, Data Loss Prevention, Anti-Spam & Mail, Mobile Access, and QoS
Desktop Security	Welcome, IPS, Data Loss Prevention, Anti-Spam & Mail, Mobile Access, and Desktop

1. Click OK to create the Policy Package.

   SmartDashboard displays the new Policy Package, consisting of the selected policy type tabs.

Defining the Policy Package's Installation Targets

1. Choose Policy > Policy Package Installation Targets... from the menu.

   The Select Policy Package Installation Targets window is displayed.

2. Choose one of the following:
   • All internal modules (the default option)
   • Specific modules, selected by moving the relevant installation targets from the Not in Installation Targets list to the In Installation Targets list.
3. Click OK.

   The selected modules will be available as installation targets whenever you install or uninstall this Policy Package.

4. To set the default state of all modules to either Selected or Not Selected, thereby facilitating the policy installation (or uninstall) process, choose Policy > Global Properties and select the appropriate setting in the Global Properties window's SmartDashboard Customization page.
5. You can further modify the installation targets as part of the installation (or uninstall) operation:
   • To modify the targets of this operation only, check the relevant modules and Policies and uncheck all others.
   • To modify the targets of all future operations as well, click Select Targets... to display the Select Installation Targets window and modify the list as needed.

Adding a Policy to an Existing Policy Package

1. Choose File > Add Policy to Package... from the menu.

   The Add Policy to Package window appears.

2. Select one or more of the available policy types (for example, QoS and Desktop Security).
3. Click OK.

Adding a Section Title

1. Select the rule above which or under which you want to add a section title.
2. Choose Rules > Add Section Title > Above or Below (respectively) from the menu.

   The Header window is displayed.

3. Specify the title of the new section and click OK.

   The new section title is displayed in the appropriate location. All rules between this title and the next title (or the end of the Rule Base) are now visually grouped together.

4. By default, the section is expanded. To hide the section's rules, collapse its title by clicking the (-) sign.
5. If the rules following this section are not preceded by their own section title, you can mark the end of this section by adding an appropriate title (e.g. "End of Alaska Rules").

Configuring a New Query

1. Display the Rule Base you wish to query (Security, Desktop Security or Web Access) and select Search>Query Rules... from the menu.

   The Rule Base Query Clause / View Policy of Gateway window is displayed.

2. Select the Column you wish to query (e.g. Destination) from the drop-down list.
3. Move the object(s) to which your query applies from Not in List to In List.
4. If you have selected more than one object, specify whether it is enough for the selected column to contain at least one of these objects (the default option), or must it contain all of them.
5. This clause searches for rules where the specified column contains either the selected objects, or other objects they belong to (e.g. groups or networks).
   • To search for rules where the specified column does not contain the selected objects, check Negate.
   • To search only for rules where the specified column contains the objects themselves (as opposed to a group of network they belong to), check Explicit.
6. To run this query clause, click Apply.

   The rules matching the query clause are displayed in the Rule Base, while all other rules are hidden.

7. To save this query clause, click Save.

   The Save Query window is displayed.

8. Specify this query's name and click OK.

   The Rule Base Queries window is displayed, showing the new query in the SmartDashboard Queries List.

Intersecting Queries

1. Display the Rule Base you wish to query (Security, Desktop Security or Web Access) and select Search>Manage Rule Queries from the menu.

   The Rule Base Queries window is displayed.

2. Select the first query you wish to run and click Apply.

   The rules matching this query are displayed in the Rule Base, while all other rules are hidden.

3. If you cannot find a relevant query on the list, you can define one now as follows:
   1. Click New...

      The Rule Base Query window is displayed.

   2. Specify the new query's Name and click New...

      The Rule Base Query Clause / View Policy of Gateway window is displayed.

   3. Define the query (see Configuring a New Query - step 2 to step 5) and click OK.

      The query is added to the Clause list.

   4. You can add new clauses to the query and use the following logical operations:
      • And, to search for rules matching all clauses
      • Or, to search for rules matching at least one of the clauses
      • Negate query, to search for the negation of these clauses
4. Select the second query you wish to run.
5. Click one of the following:
   • And, so that only rules matching both queries are displayed
   • Or, to show rules that match either one of the queries
6. Run the selected query by clicking Apply.
7. To unhide all rules, click Clear all.

Querying Objects

1. Choose Search > Query Network Objects from the menu.

   The Network Objects window is displayed, showing All network objects in your system (the default selection) in the Network objects section. Alternatively, you can narrow down the display to the relevant object type (e.g. firewall installed, Check Point QoS installed etc.).

2. In the Refined Filter section, specify the appropriate search criterion, for example:
   • To find objects whose names contain a specific string, choose Search by Name from the Refine by drop-down list, enter the string you wish to search for (you may use wildcards) and click Apply.
   • To find objects with duplicate IP addresses, choose Duplicates from the Refine by drop-down list.

   The objects that match the search criteria are displayed.

3. To find one of these objects in SmartMap, click Show.
4. To create a group consisting of the search results, click Define query results as group... and specify the new group's name in the Group Properties window.

Sorting Objects in the Objects List Pane

1. Display the Object Tree's relevant tab (e.g. Services).
2. In the Objects List pane, click the relevant column's title (e.g. Port).

   You can now easily locate the object(s) in question. For example, you can find services that are using the same port.

Policy Packages

Policy Packages allow you to address the specific needs of your organization's different sites, by creating a specific Policy Package for each type of site. The following diagram illustrates an example organization's network, consisting of four sites.

Each of these sites uses a different set of Check Point Software Blades installed on the Security Gateways:

• Servers Farm has the firewall blade installed.
• Sales Alaska and Sales California sites have both the firewall and the VPN blades installed.
• Executive Management has the firewall, VPN and QoS blades installed.

Even sites that use the same product may have very different security needs, requiring different rules in their policies.

To manage these different types of sites efficiently, you need three different Policy Packages. Each Package should include a combination of policies that correspond to the products installed on the site in question.

Accordingly, a Policy Package is composed of one or more of the following policy types, each controlling a different Check Point blade:

• A Firewall and NAT Policy, controlling Security Gateways. This Policy also determines the VPN configuration mode.
• A QoS Policy, controlling Check Point QoS gateways.
• A Desktop Security Policy, controlling SecuRemote/SecureClient machines.

Unlike the above Policies, the Security Rule Base does not apply to a specific site but to the relationship between sites. Therefore, this Rule Base is common to all sites.

The Web Access Rule Base is independent of Policy Packages, since it applies to the organization as a whole (as opposed to a specific site). Its appearance in the Rule Base pane is determined by the Global Properties settings in SmartDashboard (see the SmartDashboard Customization page of the Global Properties window).

File Operations

File operations (New, Open, Save etc.) are performed at the Policy Package level (as opposed to the single policy level).

• New allows you to either define a new Policy Package, or add a single policy to an existing Policy Package.
• Open allows you to display an existing Policy Package. The policy types included in the Policy Package determine which tabs are displayed in the Rule Base.
• Save allows you to save the entire Policy Package.
• Save As allows you to save the entire Policy Package, or to save a specific policy that is currently in focus in the Rule Base (i.e. Security and Address Translation, QoS or Desktop Security).
• Delete allows you to delete the entire Policy Package.
• Add to Policy Package allows you to add existing Policies to your Policy Package.
• Copy Policy to Package allows you to copy existing Policies to your Policy Package.

  Note - To back up a Policy Package before you modify it, use the Database Revision Control feature. Do not use File operations for backup or testing purposes, since they clutter the system with extraneous Packages. In addition, as there are multiple Packages but only one Objects Database, the saved Package may not correspond to changes in the Objects Databases.

Installation Targets

To install (and uninstall) Policy Packages correctly and eliminate errors, each Policy Package is associated with a set of appropriate installation targets. This association both eliminates the need to repeat the gateway selection process per installation, and ensures that Policy Package is not mistakenly installed on any inappropriate target.

The installation targets are defined for the whole Policy Package, thereby eliminating the need to specify them per-rule in each policy. The selected targets are automatically displayed every time you perform an Install or Uninstall operation.

You can set the Package's Policies to be either checked or unchecked by default for all installation targets (in the SmartDashboard customization page of the Global Properties window), and then modify these settings as needed per-installation.

Dividing the Rule Base into Sections using Section Titles

Section Titles enable you to visually group rules according to their subjects. For example, medium-size organizations may have a single policy for all of their sites, and use Section Titles to differentiate between the rules of each site (larger organizations with more complex Policies may prefer to use Policy Packages). Arranging rules in sections must not come at the expense of placing the most commonly matched rules at the beginning of the Rule Base.

Querying Rules

Querying rules can deepen your understanding of the policy and help you identify the most appropriate place for new rules. You can run queries on the Security, Desktop Security and Web Access Rule Bases.

A query consists of one or more clause statements. Each statement refers to the relationship between the selected object(s) and a specific column in the rule. You can apply the query to single objects, groups of objects or both. To further enhance the query, you can use the appropriate logical condition ("Negate", "And" or "Or").

Once you apply the query, only rules matching its criteria are displayed in the Rule Base. Rules that do not match the query are hidden, but remain an integral part of the policy and are included in its installation. You can refine these query results by running additional queries.

An example scenario in which Rule Base queries are useful is when a server running on host A is moved to host B. Such a change requires updating the access permissions of both hosts. To find the rules you need to change, you can run a query that searches for all rules where host A or host B appear in the Destination column.

By default, the query searches not only for rules that include these hosts, but also for rules that include networks or groups that contain them, as well as rules whose Destination is Any. Alternatively, you can search only for rules that explicitly include these objects.

Querying Network Objects

The Network Objects query allows you to find objects that match the query criteria. You can use this query tool to both control and troubleshoot object-related issues.

The query lists either All objects in your system (the default selection) or a specific type of object (e.g. firewall installed, QoS installed, Security Clusters etc.). You can refine this list using a variety of filters (e.g. Search by Name, Search by IP etc.) and use wildcards in the string you search for.

In addition to these basic searches, you can also perform more advanced queries for:

• objects whose IP address does not match their interface(s)
• duplicate IP addresses used by several objects
• objects that are not used

  Note - Objects that are used by entities defined on an LDAP server are considered by the query as "not used".

You can further benefit from the query results by defining them as a group. For example, you may wish to create a group of all Mail Servers in your system and use this group in your Rule Base. If your naming convention is to include the word "Mail" in a Mail Server's name, you can easily find these objects by showing All network objects, choosing the Search by Name filter and entering the string *Mail*. Then create a group out of the results and use it in the appropriate rule.

This group object is also available through other Check Point SmartConsoles. For example, if you are using the SmartReporter, you can include this group as the source of connections in the Email Activity report.

Sorting the Objects Tree and the Objects List Pane

The Objects Tree features a right-click Sort menu, allowing you to sort each tab by type (the default selection), name or color. This sort parameter applies to the Objects List pane as well. In addition, the Objects List pane can be sorted by clicking the relevant column's title.

Sorting can be a useful troubleshooting tool, for example:

• To easily determine which site an object belongs to, assign a different color to objects in each site and then sort the relevant Objects Tree's tab by color.
• To expose IP address duplications, display the Network Objects tab of the Objects Tree and sort the IP Address column of the Objects List pane.
• To find out which service is occupying the port you wish to use, display the Services tab of the Objects Tree and sort the Port column of the Objects List pane.

Working with Policies

A Policy Package is a set of Policies that are enforced by the Security Gateways. They can be installed or uninstalled together on selected Security Gateways. The Policy Package components include:

• Advanced Security — consisting of
  • the Firewall Rule Base
  • the Address Translation (NAT) Rule Base
  • the Users Database — the proprietary Check Point Internal User Database, containing the definitions and authentication schemes of all users defined in SmartDashboard.
  • the Objects Database — the proprietary Check Point Objects Database, containing the definitions of all network objects defined in SmartDashboard.
• QoS — the Quality of Service (Check Point QoS) Rule Base
• Desktop Security — the Desktop Security Rule Base

The installation process does the following:

1. Performs a heuristic verification on rules, to ensure they are consistent and that no rule is redundant. If there are verification errors (for example, when two of the Policy's rules are identical) the Policy is not installed. However, if there are verification warnings (for example, when anti-spoofing is not enabled for a Security Gateway with multiple interfaces), the Policy Package is installed with a warning.
2. Confirms that each of the Security Gateways on which the rule is enforced (known as the Install On objects) enforces at least one of the rules. Install On objects that do not enforce any of the rules enforce the default rule, which rejects all communications.
3. Converts the Security Policy into an Inspection Script and compiles this Script to generate an Inspection Code.
4. Distributes the Inspection Code to the selected installation targets.
5. Distributes the User and Encryption databases to the selected installation targets.

To Install a Policy Package

To install a Policy Package:

1. Display the Policy package in the Rule Base.
2. Choose Policy > Install... from the menu.

   The Install Policy window is displayed.

   Note - The Policy to be installed includes implied rules, resulting from the Global Properties settings. To view the implied rules, select View > Implied Rules from the menu.

3. Choose the installation components:
   1. Installation Targets — the VPN gateways on which the Policy is installed. By default, all internal Gateways are available for selection. Alternatively, you define specific Gateways per Policy Package through the Select Installation Targets window (accessed by clicking Select Targets...).
   2. For each installation target, choose the Policy components (Advanced Security, QoS or Desktop Security) to be installed.
   3. The installation Mode — what to do if the installation is not successful for all targets (so different targets enforce different Policies):

      - Install on each gateway independently, or

      - Install on all gateways, or on none of the gateways

   Note - If you are installing the Policy on a gateway Cluster, specify if the installation must be successful for all Cluster Members.

4. Click OK.

   The Installation Process window is displayed, allowing you to monitor the progress of the verification, compilation and installation.

   If the verification is completed with no errors and the Security Management server is able to connect to the gateway securely, the Policy installation succeeds.

   If there are verification or installation errors, the installation fails (in which case you can view the errors to find the source of the problem).

   If there are verification warnings, the installation succeeds with the exception of the component specified in the warning.

To find out which Policy is installed on each Gateway, select File > Installed Policies...

To Uninstall a Policy Package

To uninstall a Policy Package:

1. Display the Policy package in the Rule Base.
2. Choose Policy > Uninstall... from the menu.

   The Uninstall Policy window is displayed.

   Note - Uninstalling the Policy removes its implied rules as well.

3. Choose the Uninstall components.
4. Click OK.

   The Uninstall window is displayed, allowing you to monitor the progress of the operation. You are notified whether the uninstall has been completed successfully or has failed, and if so, for what reason.

Installing the User Database

The changes you make through SmartDashboard to user or administrator definitions are saved to the User Database on the Security Management server.

To provide your Check Point hosts with installed Management Software Blades with the latest user definitions, you must install the User Database on all relevant targets. Security Gateways that do not have an installed Management Software blade do not receive the User Database.

Choose one of the following options:

• Policy > Install — Choose this option if you have modified additional Policy Package components (for example, added new Security Policy rules) that are used by the installation targets.
• Policy > Install Database — Choose this option if the only changes you wish to implement are in the user or administrator definitions.

Managing Policy Versions

Policies are created by the system administrator and managed via the Security Management server. Different versions of these policies can be saved. Each version includes backups of the various databases (objects, users, Certificate Authority data, etc.). This information is zipped and saved.

The existing versions are recorded in a "Version table". This table can be viewed and the versions which are displayed can be modified. It is possible to:

• Create a Version
• Export and Import a Version
• View a Version
• Revert to a Previous Version
• Delete a Version

Versions can be created manually by the system administrator, or the system can be set to automatically create a new version every time Security Policy installation takes place.

Important - The Revision Control feature is not supported when the Security Management database contains VSX objects. You must not select the Create database version option in SmartDashboard when you install a policy.

Create a Version

A new version can be created manually by the system administrator, or the system can be set to create new versions automatically every time a new policy is installed. Each new version has the following attributes:

• the creation date
• the system administrator who initiated the new version
• the version of the software
• three editable options determined by the system administrator:
  • the name of the version
  • an additional optional comment
  • a checkbox you can select if you want to ensure that this version will not be automatically deleted (if the automatic deletion of database revisions is activated)

    Note - It is recommended to create a version before upgrading the system. This enables the administrator to back out to a functioning environment in case of problems during the upgrade operation.

Export and Import a Version

It is possible to export existing versions using the Command Line. This can be useful in order to save disk space. When the exported version is necessary, it can be imported back into the Versions table. The imported version appears in the version table as a regular maintained version.

View a Version

A saved version can be viewed in SmartDashboard. For every saved version you can view certain entities such as objects, users, rules. Various operations, such as queries can be executed on these entities.

Revert to a Previous Version

The revert operation allows you to revert to a previously saved version. Once you initiate the revert operation, the selected version overwrites the current policy. The one type of information that is not overwritten, is Certificate Authority (CA) data. For security reasons, CA data is not overwritten, but it is merged with the CA data of the current policy.

Before the revert operation is done, the system administrator can expect to receive a report on the expected outcome of the revert operation. For example, information certificates that are going to be revoked is supplied. At this point it is necessary for the system administrator to decide whether or not to continue with the revert operation. Of all the entities included in the reverted version, the user database is not automatically reverted. This is because the users database is extremely dynamic; users are added and deleted frequently. The user database is always changing regardless of the policy version. The system administrator can decide to revert to a selected Policy version, but to maintain the current users database. In this manner, the current user base is used with the restored Policy.

Delete a Version

A previously saved version can be deleted. This operation will also delete the various databases included in the policy version.

Version Configuration

Version Operations are performed via the Database Revision Control window. This window can be accessed by selecting File > Database Revision Control.

In this window you can:

• Create a new version of the current policy manually by clicking Create. When automatic deletion of database versions is activated, you can specify here whether to keep the given version to ensure that it will not be deleted automatically.
• View a saved version by clicking Action > View Version.
• Revert to a saved version by clicking Action > Restore Version.
• View the SmartWorkflow Summary of Changes report, which compares the previous policy installation with the currently pending policy installation by clicking Action > Compare Versions.
• View the properties of a selected version by clicking Properties. Certain of the version options are editable.
• Delete a selected version by clicking Delete.
• Configure settings for automatic deletion of database versions by selecting the Automatically delete old versions checkbox and clicking Configure.

Configure Automatic Deletion

You can configure how to automatically delete old database versions by selecting one of the four options:

• Delete versions older than: X versions - where X is the number of most recent versions that should be kept and all versions older than that should be deleted. The default is 50.
• Delete versions older than: X days- where X is the time period from today backwards for which all versions created during that time frame should be kept and all versions older than that should be deleted.
• Delete oldest versions when version storage exceeds: X MBytes/Percent - where X is the maximum storage (in MBs) for all database versions. Alternatively, you can enter a percentage of the total disk space. Upon reaching this limit, the oldest versions are deleted.
• Delete oldest versions when available disk space is less than: X MBytes/Percent - where X specifies the minimum allowed available free disk space in MBs or a percent value. When this limit is reached, the oldest versions are deleted.

Note - SmartWorkflow versions are not affected by this feature. They are neither counted nor deleted.

Database Revision Control and Version Upgrade

After upgrade, the DataBase revision control cannot be used to restore versions created by the previous management server. Previous versions can be opened in Read Only mode for viewing purposes only.

Version Diagnostics

The success or failure of version operations that require modification of the Versions table (such as creating, reverting to or deleting a version) are audited in the audit log of the SmartView Tracker. It is recommended to make use of these logs to ensure that operations have taken place successfully.

Saved versions require disk space. If the existing disk space is exhausted, a threshold alert is sent to the SmartView Monitor. Use this SmartConsole in order to make sure that you meet the disk space requirements needed to implement the versioning feature.

Manual versus Automatic Version Creation

It is possible to create a new version of the current policy by clicking Create in the Database Revision Control window.

Alternately, new versions can be configured to be created automatically every time a policy is installed. You can do this by selecting Create new version upon install policy operation in the Install Policy window. You can access this window by selecting Policy > Install.

Backup and Restore the Security Management server

The Backup and Restore operation exports the Security Management server environment from the Security Management server, and allows it to be imported to another machine. This other machine is a working clone of the Security Management server. It has identical functionalities and capabilities as the original Security Management server. This operation supports Operating System (OS) migration, meaning that the OS of the original, as well as the clone machines can be different.

Using the Backup and Restore feature it is possible to:

• Replace the original Security Management server with another clone Security Management server, while the original is being serviced.
• Maintain a backup of the Security Management server to be used in case of failover.
• Upgrade the Security Management server. System administrators are cautious when upgrading the Security Management server in the production environment. It is more secure to upgrade another machine, import the information from the original Security Management server in order to make a clone. Once the clone has been tested thoroughly and it is found to be fully functional, it can be integrated as the official Security Management server operating in the production environment. The imported information is upgraded prior to being integrated into the new machine so that it complies with the new and/or changed features relevant to the software version to which the Security Management server has been upgraded.