Managing Policies

In This Section: Working with Policy Packages Viewing Rule Logs Policy Installation History

SmartConsole offers a number of tools that address policy management tasks, both at the definition stage and for maintenance.

At the definition stage:

• Policy Packages let you group different types of policies, to be installed together on the same installation targets.
• Predefined Installation Targets let you associate each package with a set of gateways. You do not have to repeat the gateway selection process each time you install a Policy Package.

At the maintenance level:

• Search gives versatile search capabilities for network objects and the rules in the Rule Base.
• Database version control lets you track past changes to the database.

Working with Policy Packages

A policy package is a collection of different types of policies. After installation, the Security Gateway enforces all the policies in the package. A policy package can have one or more of these policy types:

• Access Control - consists of these types of rules:
  • Firewall
  • NAT
  • Application & URL Filtering
  • Content Awareness
• QoS - Quality of Service rules for bandwidth management
• Desktop Security - the Firewall policy for endpoint computers that have the Endpoint Security VPN remote access client installed as a standalone client.
• Threat Prevention - consists of:
  • IPS - IPS protections continually updated by IPS Services
  • Anti-Bot - Detects bot-infected machines, prevents bot damage by blocking bot commands and Control (C&C) communications
  • Anti-Virus - Includes heuristic analysis, stops viruses, worms, and other malware at the gateway
  • Threat Emulation - Detects zero-day and advanced polymorphic attacks by opening suspicious files in a sandbox
  • Threat Extraction - Extracts potentially malicious content from e-mail attachments before they enter the corporate network

The installation process:

• Runs a heuristic verification on rules to make sure they are consistent and that there are no redundant rules.

  If there are verification errors, the policy is not installed. If there are verification warnings (for example, if anti-spoofing is not enabled for a Security Gateway with multiple interfaces), the policy package is installed with a warning.

• Makes sure that each of the Security Gateways enforces at least one of the rules. If none of the rules are enforced, the default drop rule is enforced.
• Distributes the user database and object database to the selected installation targets.

You can create different policy packages for different types of sites in an organization.

Example:

An organization has four sites, each with its own requirements. Each site has a different set of Software Blades installed on the Security Gateways:

Item	Security Gateway	Installed Software Blades
1	Sales California	Firewall, VPN
2	Sales Alaska	Firewall, VPN, IPS, DLP
3	Executive management	Firewall, VPN, QoS, and Mobile Access
4	Server farm	Firewall
5	Internet

To manage these different types of sites efficiently, you need to create three different Policy Packages. Each Package includes a combination of policy types that correspond to the Software Blades installed on the site's gateway. For example:

• A policy package that includes the Access Control policy type. The Access Control policy type controls the firewall, NAT, Application & URL Filtering, and Content Awareness Software Blades. This package also determines the VPN configuration.

  Install the Access Control policy package on all Security Gateways.

• A policy package that includes the QoS policy type for the QoS blade on gateway that manages bandwidth.

  Install this policy package on the executive management Gateway.

• A policy package that includes the Desktop Security Policy type for the gateway that handles Mobile Access.

  Install this policy package on the executive management Gateway.

Creating a New Policy Package

1. From the Menu, select Manage policies and layers.

   The Manage policies and layers window opens.

2. Click New.

   The New Policy window opens.

3. Enter a name for the policy package.
4. In the General page > Policy types section, select one or more of these policy types:
   • Access Control
   • Threat Prevention
   • QoS, select Recommended or Express
   • Desktop Security

   To see the QoS, and Desktop Security policy types, enable them on one or more Gateways:

   Go to gateway editor > General Properties > Network Security tab:

   • For QoS, select QoS
   • For Desktop Security, select IPSec VPN and Policy Server
5. On the Installation targets page, select the gateways the policy will be installed on:
   • All gateways
   • Specific gateways - For each gateway, click the [+] sign and select it from the list.

   To install Policy Packages correctly and eliminate errors, each Policy Package is associated with a set of appropriate installation targets.

6. Click OK.
7. Click Close.

   The new policy shows on the Security Policies page.

Adding a Policy Type to an Existing Policy Package

1. From the Menu, select Manage policies and layers.

   The Manage policies and layers window opens.

2. Select a policy package and click the Edit button.
3. The New Policy package window opens.
4. On the General > Policy types page, select the policy type to add:
   • Access Control
   • Threat Prevention
   • QoS, select Recommended or Express
   • Desktop Security
5. Click OK.

Installing a Policy Package

1. On the Global Toolbar, click Install Policy.

   The Install Policy window opens showing the installation targets (Security Gateways).

2. From the Select a policy menu, select a policy package.
3. Select one or more policy types that are available in the package.
4. Select the Install Mode:
   • Install on each selected gateway independently - Install the policy on each target gateway independently of others, so that if the installation fails on one of them, it doesn't affect the installation on the rest of the target gateways.

     Note - If you select For Gateway clusters install on all the members, if fails do not install at all, the Security Management Server makes sure that it can install the policy on all cluster members before it begins the installation. If the policy cannot be installed on one of the members, policy installation fails for all of them.

   • Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all the target gateways. If the policy fails to install on one of the gateways, the policy is not installed on other target gateways.
5. Click Install.

Installing the User Database

When you make changes to user definitions through SmartConsole, they are saved to the user database on the Security Management Server. User authentication methods and encryption keys are also saved in this database. The user database does not contain information about users defined externally to the Security Gateway (such as users in external User Directory groups), but it does contain information about the external groups themselves (for example, on which Account Unit the external group is defined). Changes to external groups take effect only after the policy is installed, or the user database is downloaded from the Security Management Server.

You must choose to install the policy or the user database, based on the changes you made:

• Install the policy, if you modified additional components of the Policy Package (for example, added new Security Policy rules) that are used by the installation targets
• Install the user database, if you only changed the user definitions or the administrator definitions - From the Menu, select Install Database

The user database is installed on:

• Security Gateways - during policy installation
• Check Point hosts with one or more Management Software Blades enabled - during database installation

You can also install the user database on Security Gateways and on a remote server, such as a Log Server, from the command line interface on the Security Management Server.

To install user database from the command line interface:

On the Security Management Server, run: fwm dbload <host name>

Note - Check Point hosts that do not have active Management Software Blades do not get the user database installed on them.

Uninstalling a Policy Package

You can uninstall a policy package through a command line interface on the gateway.

To uninstall a policy package:

1. Open a command prompt on the Security Gateway.
2. Run: fw unloadlocal.

Warning -

• The fw unloadlocal command prevents all traffic from passing through the Security Gateway, because it disables the IP Forwarding in the Linux kernel.
• The fw unloadlocal command removes all policies from the Security Gateway. This means that the Security Gateway accepts all incoming connections destined to all active interfaces without any filtering or protection enabled.