Global Management

In This Section: The Global Domain Global Assignments Updating IPS Protections Updating the Application & URL Filtering Database

The Global Domain

The Global Domain is a collection of rules, objects and settings shared with all Domains or with specific Domains. The system automatically creates the Global Domain when you install Multi-Domain Management. You cannot delete the Global Domain.

You organize global rules, objects and settings into global configurations. Each global configuration can include one or more of these components:

• One Global Access Control Policy - Global rules that control access to network resources. This includes rules for Firewall, Application Control, URL Filtering, and IPsec VPN. The Network Policy Layer is created automatically after installation or upgrade. You can manually create an Application or other Global Policy Layers as necessary.
• One Global Threat Prevention Policy - Global rules that prevent malware, intrusions and other threats. This includes rules for IPS, Anti-Bot, Anti-Virus, and other Threat Prevention features. The Threat Prevention Policy Layer is created automatically after installation or upgrade.
• Global Objects - System objects and configuration settings that are common to all or to specific Domains. Connect to the Global Domain with SmartConsole to create and configure global objects.

Connecting to the Global Domain

To connect to the Global Domain:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.

   A SmartConsole instance opens for the Global Domain.

Changing the Global Domain

This section includes basic procedures for working the contents of the Global Domain.

When connected to the Global Domain you can:

• Create, delete or change Global Access Control and Threat Prevention Policies.
• Create, delete or change rules in Global Policies.
• Create, delete or change global objects.

These activities are not supported in this release:

• Create a new Global Domain.
• Define Security Gateways as installation targets in global configuration rules. You must use local Policies to do this.

Working with Global Objects

Use global objects in global configuration rules. Global objects work much in the same way as objects in local Policy rules.

The Global Domain includes many, predefined global objects for your convenience. These default global objects are visible (read only), in the Global Domain. You cannot delete or change them.

You can create, change or delete user-defined global objects in the Global Domain only. Global objects are visible in local Domains in the read-only mode.

Important - Before you delete a global object, make sure that no global or local policy rules use this global object. This can cause errors when you reassign global configurations.

To add a new global object:

1. Connect to the Global Domain with SmartConsole.
2. Click the Objects menu, and then select an object type from the menu.

   You can also create a new global object with the Object Explorer.

3. Configure the required parameters.
4. Click OK to save the new object.

To change a user-defined global object, select it in the Object Explorer, and then change the applicable settings.

To delete a user-defined object, select it in the Object Explorer and click Delete.

Important - After you complete the global object task, assign or reassign the global configuration to the applicable Domains. This action automatically:

• Publishes the changes that were done on the Multi-Domain Server
• Updates the local Domain and its Rule Base

Working with Global Configuration Rules

This section is a general overview of the procedure for defining rules in global Policies. To learn more about Policy rules and their configuration procedures, see the R80.10 Security Management Administration Guide .

Global Policy Layers have one placeholder for local Domain rules. You can create global rules above and below this placeholder. In the local Domain Policy Layer, you define local rules in the placeholder. If there are no local Domain rules, the placeholder can be empty.

The position of rules in Domain Policy Layers defines the order in which they are enforced. It is important to put rules in the correct sequence. Global Policy Layers do not have implied rules, but implied rules can be inherited from global properties in local Domains.

Best Practice - Define a global cleanup rule in each Policy Layer.

There is no NAT Rule Base in the Global Domain and you cannot define NAT settings there. You must define NAT rules manually in Domain Policy Layers.

Workflow for global Domain Policy Layers:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.

   A SmartConsole instance opens for the Global Domain.

3. Select Access Control and Threat Prevention Policy Layers and configure their rules.
4. Publish your changes.
5. Go to Multi-Domain > Global Assignments, and assign the configuration to the local Domains. If you assigned the configuration before, and made changes to the Global Domain Policy, reassign the global domain configuration to the local Domains.

   The system creates a task, during which these actions occur:

   • Makes sure that all Global and local Domain Layer rules are consistent and work together correctly. For example, it makes sure that new local Policy Layers are connected to existing local Domain Policy Layers.
   • Updates the local Domain and its Rule Base.
   • Publishes the changes again.
   • Changes the assignment status to Up to Date.
6. Install Policies on the local Domains.

Sample Access Control Policy Layer

Global Access Control rules use a placeholder for local Domain rules. The position of this placeholder in the Rule Base controls the order that Security Gateways handle global and local Policy rules. For simplicity of presentation, this example shows one Global Policy Layer that has both Network and Application rules. In the real world, there are different Policy Layers for these two rule types.

Sample Global Policy Layer

No.	Name	Source	Destination	VPN	Services & Applications	Action
1	Management to Gateway traffic	Gateway objects Management	Management Gateway objects	Any	Any	Accept
2	FB & Twitter	Internal Net	Any	Any	Facebook Twitter	Drop
3	Placeholder for Domain Rules					Domain Layer
4	DMZ Notify	Internal Net	DMZ Net	Any	Any	Inform
5	Cleanup	Any	Any	Any	Any	Drop

In this example, the placeholder for local Domain rules is rule number 3. Global Domain rules 1 and 2 run before the local Domain rules. Global rule 4 and the cleanup rule run after the local Domain rules.

Each local Domain Policy includes both Global Domain Policy rules and local Domain rules that apply to its Security Gateways. Local Domain Policy rules show in a Domain Layer under a parent rule.

Sample Domain Policy Layer with Global and Local Domain Rules

No.	Name	Source	Destination	VPN	Services & Applications	Action
1	Management to Gateway traffic	Gateway objects Management	Management Gateway objects	Any	Any	Accept
2	FB & Twitter	Internal Net	Any	Any	Facebook Twitter	Drop
3	Parent Rule for Local Domain Policy
3.1	External to SD server	External Net	Host_10.10.10.11	Any	Any	Accept
3.2	Finance	Finance Top Mgmt.	Finance Dept	Any	Any	Accept
3.3	File Sharing Allowed	Any	Any	Any	Dropbox Google Docs CP Threat Cloud	Accept
4	DMZ Notify	Internal Net	DMZ Net	Any	Any	Inform
5	Cleanup	Any	Any	Any	Any	Drop

In this example, the Security Gateways handle the global configuration rules (1 and 2) and then the local Domain rules. If there is still no match in the local rules, the Security Gateways handle the last two global rules, including the cleanup rule.

Although a local Domain can define implied rules, it is a best practice to put critical global rules at the beginning of the Rule Base. Put the global cleanup rule at the end. This overrides the implicit cleanup rule and gives you flexibility to define an effective sequence for local Domain rules.

Sample Threat Prevention Policy Layer

Global Threat Prevention rules use a placeholder for local Domain rules. The position of this placeholder in the Rule Base controls the order that Security Gateways handle global and local Policy rules. The first rule that matches traffic generates the specified action.

Sample global Policy Rule Base

No.	Name	Protected Scope	Protection Site	Action	Track	Install On
1	Max Security	Portal Server Finance Server	N/A	Strict	Alert Packet Capture	Policy Targets
Global Exceptions (No Rules)
E-1.1	MS Office False Positives	Any	MS Word MS Publisher MS Excel	Detect	Log Packet Capture	Policy Targets
2	Printers & Other Devices	Peripheral Net	N/A	Basic	Log Packet Capture	Policy Targets
Global Exceptions (No Rules)
3	Parent Rule for Domain Policy			Domain Layer
4	Cleanup	Any	N/A	Optimized	Log Packet Capture	Policy Targets
Global Exceptions (No Rules)

In this example, the local Domain placeholder is rule number 3. Global Domain rules 1 and 2 run before the local Domain rules. Global Domain rule 4 is the default rule that runs after the local Domain rules.

Each Domain Policy includes both global rules and local rules that apply to its Security Gateways. Local Domain Policy rules show in a local Domain Layer under a parent rule.

Sample Domain Rule Base with global and local Domain Rules

No.	Name	Protected Scope	Protection Site	Action	Track	Install On
1	Max Security	Portal Server Finance Server	N/A	Strict	Alert Packet Capture	Policy Targets
Global Exceptions (No Rules)
E-1.1	MS Office False Positives	Any	MS Word MS Publisher MS Excel	Detect	Facebook Twitter	Policy Targets
2	Printers & Other Devices	Peripheral Net	N/A	Basic	Log Packet Capture	Policy Targets
Global Exceptions (No Rules)
3	Placeholder for Domain Policy			Domain Layer
3.1	Management Threats	Management	N/A	Optimized	Log Packet Capture	Policy Targets
3.2	Guests	Guest	N/A	Strict	Log Packet Capture	Policy Targets
4	Cleanup	Any	N/A	Optimized	Log Packet Capture	Policy Targets

This example shows Policy Layer with Global Domain rules together with the local Domain rules.

Using Layers with the Global Domain

• You create Global Access Control and Threat Prevention Policy Layers in the Global Domain. You configure Local Domain Policy Layers in the applicable local Domains.
• The Global Network Policy Layer is created automatically, but you can manually create a Global Application Layer. The Global Threat Prevention Layer is created automatically. If your policy installation targets contains pre-R80.10 gateways, the Network and Application layers are the only supported layers. Do not create more Policy Layers.
• In each Policy Layer, the position of the local Domain Policy Layer is defined by the position of its placeholder in the Rule Base. You can add global rules above or below the placeholder. You can define Threat Prevention rule exceptions for Global and local Domain Policy Layers.
• You can temporarily disable the local Domain Policy Layer. In SmartConsole for the applicable local Domain, right-click in the No. column of the placeholder, and then select Disable. The Domain Policy shows as grayed-out. To re-enable it, right-click the same cell, and select Disable again. Publish the session.

  Note - You cannot disable local Policy Layers in the Global Domain. This option is not available.

• To delete the rules from a local Domain Layer, click the pencil icon in the Action column, and select No domain rules in the local Domain. Publish the session.
• To use a different Domain Policy Layer, click the pencil icon in the Action column, and select a different Domain Policy Layer from the list. Publish the session.

Upgrade Issues

When you upgrade an R77.x or earlier Multi-Domain Server, existing Policies are converted in this manner:

• If a pre-R80.x Policy has a Global Access Control Policy with no defined rules (placeholder only), its mode is automatically set to no global Policy after an upgrade to R80.x. You can change the mode as necessary for both R80.x and pre-R80.x Policies.
• The Firewall Policy is converted into an R80.10 Network Policy Layer. Its implicit cleanup rule is set to Drop.
• The Application & URL Filtering Policy is converted to the Application Policy Layer. The implicit cleanup rule for it is set to Accept.
• If a Domain contains IPS rules, an IPS Layer is automatically created in the R80.x Threat Prevention Policy for the applicable Domain.

Policy Layers and Administrator Permissions

The use of Policy Layers lets you define granular permissions for different aspects of security management. In a typical organization, only administrators with Global Management or Superuser privileges can work with Global Policy Layers. Domain Managers or Domain Level Only administrators typically have permissions to work with specified Policy Layers in their local Domains.

Dynamic Objects and Dynamic Global Objects

Dynamic objects are "logical" network objects for which IP addresses or address ranges are not explicitly defined. You define dynamic objects in the Global Domain and use them in global configuration rules. The dynamic objects are resolved to local objects when you assign the global policy to the local Domains.

You can create dynamic objects for most object types, including Security Gateways, hosts, services, networks and groups. Use the standard global objects available in SmartConsole or create your own global objects. All dynamic objects must have the _global suffix, which identifies the objects as global.

There are two types of dynamic objects:

• Dynamic Global Network Objects - In each Domain, you define a host object with the same name as the global dynamic object. During the assignment of the global policy, the references to the global dynamic object in different rules are replaced by the reference to the local host object with the same name. The _global syntax triggers the reference replacement mechanism.
• Dynamic Objects - The dynamic object is assigned an IP at the Security Gateway level, when you assign the global configuration to a Domain and install Policies on the Security Gateways. There is no need to create a corresponding local object.

The use of dynamic objects makes it possible to create global rules with no specified network objects. This lets you create rules that are templates.

Defining Rules with Dynamic Objects

To create a new global dynamic object:

1. Connect to Global Domain SmartConsole.
2. In the Object Explorer, select New > Network Objects > Dynamic Object.
3. Select:
   • Dynamic Global Network Object - The dynamic global object is replaced by a matching Domain object,

   Or

   • Dynamic Object - The dynamic object is assigned an IP at the Security Gateway level.
4. In the New Dynamic Object window, enter a name.

   For the Dynamic Global Network Object, the name must have the suffix _global. For example, FTP_Server_global.

5. Drag the dynamic object to the applicable cells in the global Rule Base.
6. Click Publish, and then assign the Global Policy to all the applicable Domains.

To use a dynamic global network object in a local Domain rule:

1. Connect to SmartConsole for each applicable Domain.
2. In each Domain, create a local object with the same name as the Dynamic Global Network Object, with the _global suffix.

   The local object must include the applicable local parameters, such as the IP address.

When you assign the global policy to the local Domain, the local object replaces this Dynamic Global Network Object.

For Dynamic Objects, there is no need to create an equivalent local object.

Applying Global Rules to Security Gateways by Function

You can create Security Rules in Global Domain that are installed on some Security Gateways or groups of Security Gateways and not others. This way, Security Gateways with different functions on one Domain can receive different security rules for a specified function or environment. When you install global policy to a number of similarly configured Domains, the related global rules are installed to all of the related Security Gateways on each Domain.

This feature is particularly useful for enterprise deployments of Multi-Domain Management, where Domains typically represent geographic subdivisions of an enterprise. For example, an enterprise deployment may have Domains for business units in New York, Boston, and London, and each Domain is similarly configured, with a Security Gateway (or Security Gateways) to protect a DMZ, and others to protect the perimeter. This capability lets you configure the global policy so that some global security rules are installed to DMZ Security Gateways, and different rules are installed to the perimeter Security Gateways.

Note - Global security rules can be installed on Security Gateways, Edge Security Gateways, and Open Security Extension (OSE) devices.

To install a specified security rule on a specified Security Gateway or types of Security Gateways:

1. Connect to the Global Domain for the related Global Policy.
2. In the Objects Categories tree, go to New > Network Object > Dynamic Objects and select Dynamic Global Network Object.
3. Name the dynamic object, and add the suffix _global to the end of the name.
4. Create rules to be installed on Security Gateways with this function, and drag the dynamic object you created into the Install On column for each rule.
5. Launch SmartConsole for each related Domain.
6. Create a group object with the name of the dynamic object you created, including the suffix _global.

   Best Practice - While you can give a Security Gateway a name of the global dynamic object, we recommend to create a group to preserve future scalability (for instance, to include another Security Gateway with this function). We do not recommend changing the name of an existing Security Gateway to the dynamic object name.

7. Add to the group all the Security Gateways on the Domain that you want to receive these global security rules.
8. From the Multi-Domain Management view, re-assign the global policy to the related Domains.

Global Assignments

A global assignment is a Multi-Domain Management system object that assigns a global configuration to one specified Domain. You create global assignments to assign different combinations of Global Access Control Policies, Global Threat Prevention Policies, and global object definitions to different Domains.

When you create a new global assignment, it automatically assigns the specified global configuration to the specified Domain. It also publishes the assignment and updates local Domain Policies.

Best Practice - When you create a new Domain, create a global assignment for that Domain at the same time.

When you do one or more of these actions, you must publish the Global Domain session and reassign the global configuration:

• Add, delete, or change rules in a global configuration
• Add, delete, or change user-defined objects in a global configuration
• Define the SmartEvent object in the global database
• Change the definition of a global assignment

The assign/reassign action does not automatically install Policies.

Best Practice - Install Policies after you assign or reassign a global assignment.

Configuring an Assignment

To create a new global assignment:

1. Connect to the Multi-Domain Server with SmartConsole.
2. Go to Multi-Domain > Global Assignments.
3. Click Assign > New Assignment.
4. In the New Assignment window, select a Local Domain.
5. Optional: Select a Global Access Control Policy for this local Domain.

   You can click Advanced to open the Advanced Assignment window to assign the selected Policy:

   • Only to the specified, local Domain Policies
   • To all local Domain Policies, except for those explicitly specified
6. Optional: Select a Global Threat Prevention Policy for this local Domain.

   You can click Advanced to open the Advanced Assignment window to assign the selected Policy:

   • Only to the specified, local Domain Policies
   • To all local Domain Policies, except for those explicitly specified
7. Optional: Enable Manage protection actions.

   This option lets you change IPS protection actions for Security Gateways on the local Domain.

8. Click Assign.
9. In the confirmation window, click Publish & Assign.

   The system creates a task, which:

   • Updates the local Domain and its Rule Base
   • Publishes the changes
   • Changes the assignment status to Up to Date

To change an existing global assignment:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Global Assignments view, double-click a Domain.
3. In the Assignment window, follow steps 4-6 above.
4. Click Assign.
5. In the confirmation window, click Publish & Assign.

   The system creates a task which:

   • Updates the local Domain and its Rule Base
   • Publish the changes
   • Changes the assignment status to Up to Date

Important: You can create a global assignment that does not include a Global Access Control and Threat Prevention Policy. To do this, select the None value to both Policy types. The global configuration assigns only the defined global objects and settings to Domains.

Reassigning

When you make changes to the global configuration items, the assignment status changes to Not up to date. The assignment status does not change if you make changes to the local Domain Policies.

To reassign global configurations:

1. Connect to the Multi-Domain Server with SmartConsole, and then click Global Assignments.
2. In the Global Assignments window, right-click one or more Domains.
   You can reassign to more than one Domain at the same time.
3. Click Reassign.

   The system creates a task which:

   • Updates the local Domain and its Rule Base
   • Publishes the changes
   • Changes the assignment status to Up to Date.

Handling Assignment Errors

Global assignments run as a task that you can monitor while you work on other tasks.

To monitor assignment/reassignment tasks:

1. In the Multi-Domain view, click the task information area.

   The Recent Tasks window opens.

2. Find the assignment task.

   If your task does not show, click Show More.

3. Click Details.

   The Assignment Task Details window shows the task progress and details.

4. If the task fails and returns an error message, correct the error, and then try to assign/reassign the global configuration again.

Some common errors include:

• Global objects with duplicate or illegal names
• Deleted global objects used in a rule
• Global rule validation errors

Deleting a Global Assignment

When you delete a global assignment, the global configuration rules and objects no longer apply to its Domain.

Best Practice - Immediately create a new global assignment so that Domain Security Gateways continue to enforce global configuration rules.

Important - You must remove global objects from all local Domain rules before you can delete a global assignment. If there is a rule that uses a global object when you try to delete a global assignment, the delete operation fails.

To delete a global assignment:

1. In the Global Assignments view, select a Domain.
2. Click the Delete icon on the Actions toolbar.
3. In the Remove window, select an assignment, and then click Remove.

Global Assignment Status

You can see the global assignment status in the Assignment Up to Date column, in the Multi-Domain > Global Assignments view. For each Domain, the date of the last assignment shows together with a status icon:

	Assignment is up to date - no action necessary.
	The global configuration is not assigned or the assignment is not up to date. Assign or update the global configuration as soon as possible.

Updating IPS Protections

Check Point continuously develops and improves its protections against emerging threats. You can manually update the database with latest IPS protections. You must also configure the Global Domain to automatically download contracts and other important data.

Note - Security Gateways with IPS enabled only get the updates after you install Policy.

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.

To manually update the IPS protections:

1. Connect to the Global Domain with SmartConsole.
2. Click Security Policies > Threat Prevention.
3. In the Related Tools section, click Updates.
4. In the IPS section, click Update Now.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Reassign the global configuration.

To revert to an earlier protection package:

1. Connect to the Global Domain with SmartConsole.
2. Click Security Policies > Threat Prevention.
3. In the IPS section of the Threat Prevention Updates page, click Switch to version.
4. In the window that opens, select an IPS Package Version, and click OK.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Reassign the global configuration.

To make sure that Contract Downloads is enabled:

1. Connect to the global Domain with SmartConsole.
2. From the main menu, select Global Properties.
3. In the Global Properties window, click Security Management.
4. Make sure that Automatically download contracts and other important data is selected.

   This parameter is enabled by default. If it is not enabled, select it.

5. If you enabled the parameter, connect to Multi-Domain Server and reassign the global configuration.

Updating the Application & URL Filtering Database

Check Point constantly develops and improves its protections against the latest threats. You can manually update the Application & URL Filtering database with the latest applications and URLs.

To manually update the Application & URL Filtering protections:

1. Connect to the Global Domain with SmartConsole.
2. Click Security Policies > Access Control.
3. In the Related Tools section, click Updates.
4. In the Application & URL Filtering section, click Update Now.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Assign or reassign the global configuration.