Managing Policies

In This Section:

Working with Policy Packages

Viewing Rule Logs

Policy Installation History

SmartConsole offers a number of tools that address policy management tasks, both at the definition stage and for maintenance.

At the definition stage:

At the maintenance level:

Working with Policy Packages

A policy package is a collection of different types of policies. After installation, the Security Gateway enforces all the policies in the package. A policy package can have one or more of these policy types:

The installation process:

You can create different policy packages for different types of sites in an organization.

Example:

An organization has four sites, each with its own requirements. Each site has a different set of Software Blades installed on the Security Gateways:

| Item | Security Gateway | Installed Software Blades |
|------|------------------|---------------------------|
| 1 | Sales California | Firewall, VPN |
| 2 | Sales Alaska | Firewall, VPN, IPS, DLP |
| 3 | Executive management | Firewall, VPN, QoS, and Mobile Access |
| 4 | Server farm | Firewall |
| 5 | Internet | |

To manage these different types of sites efficiently, you need to create three different Policy Packages. Each Package includes a combination of policy types that correspond to the Software Blades installed on the site's gateway. For example:

Creating a New Policy Package

  1. From the Menu, select Manage policies and layers.

    The Manage policies and layers window opens.

  2. Click New.

    The New Policy window opens.

  3. Enter a name for the policy package.
  4. In the General page > Policy types section, select one or more of these policy types:
    • Access Control
    • Threat Prevention
    • QoS, select Recommended or Express
    • Desktop Security

    To see the QoS and Desktop Security policy types, enable them on one or more Gateways:

    Go to gateway editor > General Properties > Network Security tab:

    • For QoS, select QoS
    • For Desktop Security, select IPSec VPN and Policy Server
  5. On the Installation targets page, select the gateways the policy will be installed on:
    • All gateways
    • Specific gateways - For each gateway, click the [+] sign and select it from the list.

    To install Policy Packages correctly and eliminate errors, each Policy Package is associated with a set of appropriate installation targets.

  6. Click OK.
  7. Click Close.

    The new policy shows on the Security Policies page.

Adding a Policy Type to an Existing Policy Package

  1. From the Menu, select Manage policies and layers.

    The Manage policies and layers window opens.

  2. Select a policy package and click the Edit button.
  3. The New Policy package window opens.
  4. On the General > Policy types page, select the policy type to add:
    • Access Control
    • Threat Prevention
    • QoS, select Recommended or Express
    • Desktop Security
  5. Click OK.

Installing a Policy Package

  1. On the Global Toolbar, click Install Policy.

    The Install Policy window opens showing the installation targets (Security Gateways).

  2. From the Select a policy menu, select a policy package.
  3. Select one or more policy types that are available in the package.
  4. Select the Install Mode:
    • Install on each selected gateway independently - Install the policy on each target gateway independently of others, so that if the installation fails on one of them, it doesn't affect the installation on the rest of the target gateways.

      Note - If you select "For Gateway clusters install on all the members, if fails do not install at all", the Security Management Server makes sure that it can install the policy on all cluster members before it begins the installation. If the policy cannot be installed on one of the members, policy installation fails for all of them.

    • Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all the target gateways. If the policy fails to install on one of the gateways, the policy is not installed on other target gateways.
  5. Click Install.
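
The two install modes and the cluster option above, as an added example (not Check Point code or output): a simplified Python model that reports which targets receive the new policy and which stay on the previous one. The version labels, the cluster and the failing gateways are constructed, and grouping by version is an assumption taken from the second option's name.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Target:
    name: str
    version: str                   # constructed version label
    cluster: Optional[str] = None  # cluster name when the target is a cluster member
    can_install: bool = True       # constructed outcome of installing on this target

def _blocked_by_group(targets, key):
    """Names of all targets that share a group (by key) with a failing target."""
    groups = defaultdict(list)
    for t in targets:
        if key(t) is not None:
            groups[key(t)].append(t)
    return {t.name for members in groups.values()
            if not all(m.can_install for m in members) for t in members}

def plan_install(targets, mode, cluster_all_or_none=True):
    """Return (installed, skipped) gateway names for the chosen Install Mode.
    mode="independent":  a failure affects only the failing gateway.
    mode="same_version": a failure blocks every target of the same version.
    cluster_all_or_none: a failing member blocks its whole cluster."""
    blocked = {t.name for t in targets if not t.can_install}
    if cluster_all_or_none:
        blocked |= _blocked_by_group(targets, lambda t: t.cluster)
    if mode == "same_version":
        blocked |= _blocked_by_group(targets, lambda t: t.version)
    elif mode != "independent":
        raise ValueError(f"unknown install mode: {mode}")
    installed = sorted(t.name for t in targets if t.name not in blocked)
    return installed, sorted(blocked)

# Constructed targets: site names come from the example table; the versions,
# the cluster and the failures are made up for illustration.
TARGETS = [
    Target("Sales California", "version-A"),
    Target("Sales Alaska", "version-A", can_install=False),
    Target("Executive management", "version-B"),
    Target("Server farm-1", "version-B", cluster="Server farm"),
    Target("Server farm-2", "version-B", cluster="Server farm", can_install=False),
]

if __name__ == "__main__":
    for mode in ("independent", "same_version"):
        installed, skipped = plan_install(TARGETS, mode)
        print(f"{mode}: installed={installed} left on previous policy={skipped}")
```

The skipped list is the one to review after an installation: those gateways keep enforcing the previously installed policy until a later installation succeeds.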

Installing the User Database

When you make changes to user definitions through SmartConsole, they are saved to the user database on the Security Management Server. User authentication methods and encryption keys are also saved in this database. The user database does not contain information about users defined externally to the Security Gateway (such as users in external User Directory groups), but it does contain information about the external groups themselves (for example, on which Account Unit the external group is defined). Changes to external groups take effect only after the policy is installed, or the user database is downloaded from the Security Management Server.

You must choose to install the policy or the user database, based on the changes you made:

The user database is installed on:

You can also install the user database on Security Gateways and on a remote server, such as a Log Server, from the command line interface on the Security Management Server.

To install the user database from the command line interface:

On the Security Management Server, run: fwm dbload <host name>

Note - Check Point hosts that do not have active Management Software Blades do not get the user database installed on them.

Uninstalling a Policy Package

You can uninstall a policy package through a command line interface on the gateway.

To uninstall a policy package:

  1. Open a command prompt on the Security Gateway.
  2. Run: fw unloadlocal.

Warning -