Until the Security Gateway administrator installs the security policy on the gateway for the first time, security is enforced by an Initial Policy. The Initial Policy operates by adding the predefined implied rules to the Default Filter. These implied rules forbid most communication, yet allow the communication needed for the installation of the security policy. The Initial Policy also protects a Security Gateway during Check Point product upgrades, when a SIC certificate is reset on the Security Gateway, or in the case of a Check Point product license expiration.
Note - During a Check Point upgrade, a SIC certificate reset, or license expiration, the Initial Policy overwrites the user-defined policy.
The sequence of actions during boot of the Security Gateway until a security policy is loaded for the first time:
Step | Description |
---|---|
1 | The Security Gateway boots up. |
2 | The Security Gateway disables IP Forwarding and loads the Default Filter. |
3 | The Security Gateway configures the interfaces. |
4 | The Security Gateway services start. |
5 | The Security Gateway fetches the Initial Policy from the local directory. |
6 | Management Server installs the user-defined security policy. |
The Security Gateway enforces the Initial Policy until an administrator installs a user-defined policy. In subsequent boots, the Security Gateway loads the user-defined policy immediately after the Default Filter.
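The following shell functions are an added example, not part of the original documentation: they classify which stage of the sequence above a gateway is enforcing, so a monitoring job can flag a gateway left on the Default Filter or Initial Policy (for example after an upgrade, SIC reset, or license expiration). Assumptions: the input is `fw stat` output with the policy name in the second column, reported as `defaultfilter`, `InitialPolicy`, or `-` when nothing is loaded; the sample lines and the policy name `Standard` are constructed.

```shell
#!/bin/sh
# Classify the enforced policy stage from `fw stat` output on stdin.
# Assumed layout: optional "HOST POLICY DATE" header, then one line whose
# second field is the policy name.
policy_stage() {
    awk '
        NR == 1 && $1 == "HOST" { next }          # skip the header row
        NF >= 2 && !seen {
            seen = 1
            if ($2 == "defaultfilter")      print "default-filter"   # boot step 2
            else if ($2 == "InitialPolicy") print "initial-policy"   # boot step 5
            else if ($2 == "-")             print "no-policy"
            else                            print "user-policy:" $2  # boot step 6
        }
        END { if (!seen) print "unknown" }
    '
}

# Return 0 only when a user-defined policy is enforced; otherwise print an
# alert line and return 1 so a cron job or monitoring agent can act on it.
check_gateway() {
    stage=$(policy_stage)
    case "$stage" in
        user-policy:*) echo "OK $stage"; return 0 ;;
        *)             echo "ALERT gateway not on user-defined policy: $stage"
                       return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real gateway).
SAMPLE_DEFAULT='HOST      POLICY        DATE
localhost defaultfilter 12Mar2024 09:13:40 :  [>eth0] [<eth0]'
SAMPLE_INITIAL='HOST      POLICY        DATE
localhost InitialPolicy 12Mar2024 09:14:02 :  [>eth0] [<eth0]'
SAMPLE_USER='HOST      POLICY        DATE
localhost Standard      12Mar2024 10:02:31 :  [>eth0] [<eth0]'

# Demo on the constructed samples; on a gateway use: fw stat | check_gateway
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_INITIAL" "$SAMPLE_USER"; do
    printf '%s\n' "$sample" | policy_stage
done
```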
There are different Initial Policies for Standalone and distributed setups: