Print Download PDF Send Feedback

Previous

Next

Global Management

In This Section:

The Global Domain

Creating a Global Policy in the Global SmartConsole

Global Assignments

Updating IPS Protections

Updating the Application & URL Filtering Database

The Global Domain

The Global Domain is a collection of rules, objects and settings shared with all Domains or with specific Domains. The system automatically creates the Global Domain when you install Multi-Domain Management. You cannot delete the Global Domain.

You organize global rules, objects and settings into global configurations. Each global configuration can include one or more of these components:

Connecting to the Global Domain

To connect to the Global Domain:

  1. Connect to the Multi-Domain Server with SmartConsole.
  2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.

    A SmartConsole instance opens for the Global Domain.

Changing the Global Domain

This section includes basic procedures for working the contents of the Global Domain.

When connected to the Global Domain you can:

These activities are not supported in this release:

Working with Global Objects

Use global objects in global configuration rules. Global objects work much in the same way as objects in local Policy rules.

The Global Domain includes many, predefined global objects for your convenience. These default global objects are visible (read only), in the Global Domain. You cannot delete or change them.

You can create, change or delete user-defined global objects in the Global Domain only. Global objects are visible in local Domains in the read-only mode.

Important - Before you delete a global object, make sure that no global or local policy rules use this global object. This can cause errors when you reassign global configurations.

To add a new global object:

  1. Connect to the Global Domain with SmartConsole.
  2. Click the Objects menu, and then select an object type from the menu.

    You can also create a new global object with the Object Explorer.

  3. Configure the required parameters.
  4. Click OK to save the new object.

To change a user-defined global object, select it in the Object Explorer, and then change the applicable settings.

To delete a user-defined object, select it in the Object Explorer and click Delete.

Important - After you complete the global object task, assign or reassign the global configuration to the applicable Domains. This action automatically:

Working with Global Configuration Rules

This section is a general overview of the procedure for defining rules in the Global Policies. To learn more about Policy rules and their configuration procedures, see the R80.20 Security Management Administration Guide.

Global Policy Layers have one placeholder for local Domain rules. You can create global rules above and below this placeholder. In the local Domain Policy Layer, you define local rules in the placeholder. If there are no local Domain rules, the placeholder can be empty.

The position of rules in Domain Policy Layers defines the order in which they are enforced. It is important to put rules in the correct sequence. Global Policy Layers do not have implied rules, but implied rules can be inherited from global properties in local Domains.

Best Practice - Define a global cleanup rule in each Policy Layer.

There is no NAT Rule Base in the Global Domain and you cannot define NAT settings there. You must define NAT rules manually in Domain Policy Layers.

Workflow for global Domain Policy Layers:

  1. Connect to the Multi-Domain Server with SmartConsole.
  2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.

    A SmartConsole instance opens for the Global Domain.

  3. Select Access Control and Threat Prevention Policy Layers and configure their rules.
  4. Publish your changes.
  5. Go to Multi-Domain > Global Assignments, and assign the configuration to the local Domains. If you assigned the configuration before, and made changes to the Global Domain Policy, reassign the global domain configuration to the local Domains.

    The system creates a task, during which these actions occur:

    • Makes sure that all Global and local Domain Layer rules are consistent and work together correctly. For example, it makes sure that new local Policy Layers are connected to existing local Domain Policy Layers.
    • Updates the local Domain and its Rule Base.
    • Publishes the changes again.
    • Changes the assignment status to Up to Date.
  6. Install Policies on the local Domains.

Policy Presets

SmartConsole lets you create Policy Presets for better policy installation planning. A Policy Preset is a collection of Security Gateways or Policy Packages for policy installation purposes. After you define a Preset, you can install policy on all the items which are included in the Preset at the same time. You also have the option to define a policy installation schedule for a specific Preset. In a large deployment Multi-Domain Server environment, Policy Presets help you save time and manage the policy installation process more efficiently.

You can create 2 types of Policy Presets:

By Gateways - Policies are installed on all Security Gateways in the Preset. The applicable policy is installed on each Security Gateway in the Preset. A Preset can include Security Gateways from different Domains, from the same Domain, Security Gateways with different policies or identical policies.

By Policy Packages - All Policy Packages included in the Preset are installed on the Security Gateways that enforce it at the same time. Note - A Preset by Policy Packages installs policy only on Security Gateways which enforce the selected Policy Packages included in the Preset. It does not necessarily install policy on all Security Gateways in a Domain.

You can use Presets for policy installation only after you installed policy on the installation targets for the first time. Security Gateways with no policy installed on them are skipped during the installation process.

To create a Policy Preset:

  1. In the Multi-Domain view, go to Multi-Domain > Install Policy Presets > New.
  2. In Installation Targets, select one of these options:
    • By Gateways - This Policy preset is installed on the Security Gateways that you select.
    • By Policy Packages - This Policy preset is installed on the Security Gateways which enforce the selected Policy Packages.
  3. In Scheduling, you can schedule the policy installation to specific times and days.

    Note - The policy installation time is according to the SmartConsole local time zone.

  4. Publish your changes.

    You can see the next policy installation schedule in the Next Run column:

At any time, you can select a Preset and click Install Policy, regardless of the preset schedule.

The audit logs of your Preset activity show at the bottom of the Install Policy Presets page and in the Logs & Monitor view.

Note - The policy preset is installed on the Multi-Domain Server with the active global Domain. If a domain has no domain server on the Multi-Domain Server with the active global Domain, then the policy preset is not installed on this Domain.

In this example, the Global policy will not be installed on Domain 2, because Domain 2 has no server in Multi-Domain Server2.

Servers

Multi-Domain Server 1

Multi-Domain Server 2

Domains

 

 

Domain1

Domain1_Server (Active)

Domain1_Server_2 (Standby)

Domain2

Domain2_Server (Active)

No Server

Global

Standby

Active

Use Case for Install Policy Presets

You are the administrator for a corporation that has five branches, with each branch in a different city. You manage the Security Gateways from a Multi-Domain console, in which each branch is represented by a Domain. Each Domain has a mail security server. When there is a mail-related update, you must update the policy on all mail security servers (no update is required for the other Security Gateways in each Domain). How can you make the policy installation process more efficient?

Create a Preset which includes the mail security server in each Domain. After you create this Preset, each time you need to update the Policy on the mail security servers, you can select this preset for installation. This way, you do not need to search and filter for each mail security server separately.

You can also schedule the policy installation for specific days and hours, for example, in the evening hours, when there are fewer employees at work.

Sample Access Control Policy Layer

Global Access Control rules use a placeholder for local Domain rules. The position of this placeholder in the Rule Base controls the order that Security Gateways handle global and local Policy rules. For simplicity of presentation, this example shows one Global Policy Layer that has both Network and Application rules. In the real world, there are different Policy Layers for these two rule types.

Sample Global Policy Layer

No.

Name

Source

Destination

VPN

Services &
Applications

Action

1

Management to
Gateway traffic

Gateway objects

Management

Management

Gateway objects

Any

Any

Accept

2

FB & Twitter

Internal Net

Any

Any

Facebook
Twitter

Drop

3

Placeholder for Domain Rules

Domain Layer

4

DMZ Notify

Internal Net

DMZ Net

Any

Any

Inform

5

Cleanup

Any

Any

Any

Any

Drop

In this example, the placeholder for local Domain rules is rule number 3. Global Domain rules 1 and 2 run before the local Domain rules. Global rule 4 and the cleanup rule run after the local Domain rules.

Each local Domain Policy includes both Global Domain Policy rules and local Domain rules that apply to its Security Gateways. Local Domain Policy rules show in a Domain Layer under a parent rule.

Sample Domain Policy Layer with Global and Local Domain Rules

No.

Name

Source

Destination

VPN

Services &
Applications

Action

1

Management to
Gateway traffic

Gateway objects

Management

Management

Gateway objects

Any

Any

Accept

2

FB & Twitter

Internal Net

Any

Any

Facebook
Twitter

Drop

3

Parent Rule for Local Domain Policy

 

3.1

External to SD server

External Net

Host_10.10.10.11

Any

Any

Accept

3.2

Finance

Finance
Top Mgmt.

Finance Dept

Any

Any

Accept

3.3

File Sharing Allowed

Any

Any

Any

Dropbox
Google Docs
CP Threat Cloud

Accept

4

DMZ Notify

Internal Net

DMZ Net

Any

Any

Inform

5

Cleanup

Any

Any

Any

Any

Drop

In this example, the Security Gateways handle the global configuration rules (1 and 2) and then the local Domain rules. If there is still no match in the local rules, the Security Gateways handle the last two global rules, including the cleanup rule.

Although a local Domain can define implied rules, it is a best practice to put critical global rules at the beginning of the Rule Base. Put the global cleanup rule at the end. This overrides the implicit cleanup rule and gives you flexibility to define an effective sequence for local Domain rules.

Sample Threat Prevention Policy Layer

Global Threat Prevention rules use a placeholder for local Domain rules. The position of this placeholder in the Rule Base controls the order that Security Gateways handle global and local Policy rules. The first rule that matches traffic generates the specified action.

Sample global Policy Rule Base

No.

Name

Protected Scope

Protection
Site

Action

Track

Install On

1

Max Security

Portal Server
Finance Server

N/A

Strict

Alert
Packet Capture

Policy Targets

Global Exceptions (No Rules)

E-1.1

MS Office False Positives

Any

MS Word
MS Publisher
MS Excel

Detect

Log
Packet Capture

Policy Targets

2

Printers & Other Devices

Peripheral Net

N/A

Basic

Log
Packet Capture

Policy Targets

Global Exceptions (No Rules)

3

Parent Rule for Domain Policy

Domain Layer

4

Cleanup

Any

N/A

Optimized

Log
Packet Capture

Policy Targets

Global Exceptions (No Rules)

In this example, the local Domain placeholder is rule number 3. Global Domain rules 1 and 2 run before the local Domain rules. Global Domain rule 4 is the default rule that runs after the local Domain rules.

Each Domain Policy includes both global rules and local rules that apply to its Security Gateways. Local Domain Policy rules show in a local Domain Layer under a parent rule.

Sample Domain Rule Base with global and local Domain Rules

No.

Name

Protected Scope

Protection
Site

Action

Track

Install On

1

Max Security

Portal Server
Finance Server

N/A

Strict

Alert
Packet Capture

Policy Targets

Global Exceptions (No Rules)

E-1.1

MS Office False Positives

Any

MS Word
MS Publisher
MS Excel

Detect

Facebook
Twitter

Policy Targets

2

Printers & Other Devices

Peripheral Net

N/A

Basic

Log
Packet Capture

Policy Targets

Global Exceptions (No Rules)

3

Placeholder for Domain Policy

Domain Layer

3.1

Management Threats

Management

N/A

Optimized

Log
Packet Capture

Policy Targets

3.2

Guests

Guest

N/A

Strict

Log
Packet Capture

Policy Targets

4

Cleanup

Any

N/A

Optimized

Log
Packet Capture

Policy Targets

This example shows Policy Layer with Global Domain rules together with the local Domain rules.

Using Layers with the Global Domain

Upgrade Issues

When you upgrade an R77.x or earlier Multi-Domain Server, existing Policies are converted in this manner:

Policy Layers and Administrator Permissions

The use of Policy Layers lets you define granular permissions for different aspects of security management. In a typical organization, only administrators with Global Management or Superuser privileges can work with Global Policy Layers. Domain Managers or Domain Level Only administrators typically have permissions to work with specified Policy Layers in their local Domains.

Dynamic Objects and Dynamic Global Objects

Dynamic objects are "logical" network objects for which IP addresses or address ranges are not explicitly defined. You define dynamic objects in the Global Domain and use them in global configuration rules. The dynamic objects are resolved to local objects when you assign the global policy to the local Domains.

You can create dynamic objects for most object types, including Security Gateways, hosts, services, networks and groups. Use the standard global objects available in SmartConsole or create your own global objects. All dynamic objects must have the _global suffix, which identifies the objects as global.

There are two types of dynamic objects:

The use of dynamic objects makes it possible to create global rules with no specified network objects. This lets you create rules that are templates.

Defining Rules with Dynamic Objects

To create a new global dynamic object:

  1. Connect to Global Domain SmartConsole.
  2. In the Object Explorer, select New > Network Objects > Dynamic Object.
  3. Select:
    • Dynamic Global Network Object - The dynamic global object is replaced by a matching Domain object,

    Or

    • Dynamic Object - The dynamic object is assigned an IP at the Security Gateway level.
  4. In the New Dynamic Object window, enter a name.

    For the Dynamic Global Network Object, the name must have the suffix _global. For example, FTP_Server_global.

  5. Drag the dynamic object to the applicable cells in the global Rule Base.
  6. Click Publish, and then assign the Global Policy to all the applicable Domains.

To use a dynamic global network object in a local Domain rule:

  1. Connect to SmartConsole for each applicable Domain.
  2. In each Domain, create a local object with the same name as the Dynamic Global Network Object, with the _global suffix.

    The local object must include the applicable local parameters, such as the IP address.

When you assign the global policy to the local Domain, the local object replaces this Dynamic Global Network Object.

For Dynamic Objects, there is no need to create an equivalent local object.

Applying Global Rules to Security Gateways by Function

You can create Security Rules in Global Domain that are installed on some Security Gateways or groups of Security Gateways and not others. This way, Security Gateways with different functions on one Domain can receive different security rules for a specified function or environment. When you install global policy to a number of similarly configured Domains, the related global rules are installed to all of the related Security Gateways on each Domain.

This feature is particularly useful for enterprise deployments of Multi-Domain Management, where Domains typically represent geographic subdivisions of an enterprise. For example, an enterprise deployment may have Domains for business units in New York, Boston, and London, and each Domain is similarly configured, with a Security Gateway (or Security Gateways) to protect a DMZ, and others to protect the perimeter. This capability lets you configure the global policy so that some global security rules are installed to DMZ Security Gateways, and different rules are installed to the perimeter Security Gateways.

Note - Global security rules can be installed on Security Gateways, Edge Security Gateways, and Open Security Extension (OSE) devices.

To install a specified security rule on a specified Security Gateway or types of Security Gateways:

  1. Connect to the Global Domain for the related Global Policy.
  2. In the Objects Categories tree, go to New > Network Object > Dynamic Objects and select Dynamic Global Network Object.
  3. Name the dynamic object, and add the suffix _global to the end of the name.
  4. Create rules to be installed on Security Gateways with this function, and drag the dynamic object you created into the Install On column for each rule.
  5. Launch SmartConsole for each related Domain.
  6. Create a group object with the name of the dynamic object you created, including the suffix _global.

    Best Practice - While you can give a Security Gateway a name of the global dynamic object, we recommend to create a group to preserve future scalability (for instance, to include another Security Gateway with this function). We do not recommend changing the name of an existing Security Gateway to the dynamic object name.

  7. Add to the group all the Security Gateways on the Domain that you want to receive these global security rules.
  8. From the Multi-Domain Management view, re-assign the global policy to the related Domains.

Creating a Global Policy in the Global SmartConsole

You create Global Policies in the Global SmartConsole. You create Domain policies in the SmartConsole launched using the Domain Management Server. Let us consider an MSP that wants to implement a rule which blocks unwanted services at Domain sites. The Multi-Domain Management Superuser, Carol, wants to set up a rule which lets the Domain administrators decide which computers are allowed to access the Internet.

Source

Destination

VPN

Service

Action

MyRule

Any

Any
Traffic

Any

accept

After she created a Global Policy which includes this rule, she assigns and installs it to specific Domains and their Security Gateways. Each Domain administrator must create a group object with the same name as in the Domain Management Server database. This is done in SmartConsole. This way, local administrators translate the dynamic global object into sets of network object from the local database.

For details about how to use the SmartConsole, see the R80.20 Security Management Administration Guide.

These are the differences between the Domain SmartConsole and the Global SmartConsole:

Feature

Domain SmartConsole

Global SmartConsole

Rule Base

Local, applying to the Domain network only.

Global, applying to multiple networks of all Domains assigned this Global Policy.

 

Domain Security Rules and Global Rules (in Read Only mode) if the Global Policy is assigned to the Domain.

Global Rules and a place holder for Domain rules.

 

Not associated with the Domain other security policies.

Automatically added to all of the assigned security policies of Domains.

 

Each Domain policy is independent, with its own rules.

All the assigned Domain policies share the global rules.

Network Objects

Local to this network only.

Global to multiple networks of all Domains assigned this Global Policy.

Global Properties

Enabled.

Disabled (manipulations is through the Domain SmartConsole).

Saving a Security Policy

Adds the security policy to the list of Domain security policies.

Adds the Global Policy to the Global Policies database (and displays it in the Global Policies Tree of SmartConsole).

Note - You cannot use the Global SmartConsole to create Security Gateway objects. Instead, use a SmartConsole connected to a specific Domain Management Server to create these objects.

Global Assignments

A global assignment is a Multi-Domain Management system object that assigns a global configuration to one specified Domain. You create global assignments to assign different combinations of Global Access Control Policies, Global Threat Prevention Policies, and global object definitions to different Domains.

When you create a new global assignment, it automatically assigns the specified global configuration to the specified Domain. It also publishes the assignment and updates local Domain Policies.

Best Practice - When you create a new Domain, create a global assignment for that Domain at the same time.

When you do one or more of these actions, you must publish the Global Domain session and reassign the global configuration:

The assign/reassign action does not automatically install Policies.

Best Practice - Install Policies after you assign or reassign a global assignment.

Configuring an Assignment

To create a new global assignment:

  1. Connect to the Multi-Domain Server with SmartConsole.
  2. Go to Multi-Domain > Global Assignments.
  3. Click Assign > New Assignment.
  4. In the New Assignment window, select a Local Domain.
  5. Optional: Select a Global Access Control Policy for this local Domain.

    You can click Advanced to open the Advanced Assignment window to assign the selected Policy:

    • Only to the specified, local Domain Policies
    • To all local Domain Policies, except for those explicitly specified
  6. Optional: Select a Global Threat Prevention Policy for this local Domain.

    You can click Advanced to open the Advanced Assignment window to assign the selected Policy:

    • Only to the specified, local Domain Policies
    • To all local Domain Policies, except for those explicitly specified
  7. Optional: Enable Manage protection actions.

    This option lets you change IPS protection actions for Security Gateways on the local Domain.

  8. Click Assign.
  9. In the confirmation window, click Publish & Assign.

    The system creates a task, which:

    • Updates the local Domain and its Rule Base
    • Publishes the changes
    • Changes the assignment status to Up to Date

To change an existing global assignment:

  1. Connect to the Multi-Domain Server with SmartConsole.
  2. In the Global Assignments view, double-click a Domain.
  3. In the Assignment window, follow steps 4-6 above.
  4. Click Assign.
  5. In the confirmation window, click Publish & Assign.

    The system creates a task which:

    • Updates the local Domain and its Rule Base
    • Publish the changes
    • Changes the assignment status to Up to Date

Important: You can create a global assignment that does not include a Global Access Control and Threat Prevention Policy. To do this, select the None value to both Policy types. The global configuration assigns only the defined global objects and settings to Domains.

Reassigning

When you make changes to the global configuration items, the assignment status changes to Not up to date. The assignment status does not change if you make changes to the local Domain Policies.

To reassign global configurations:

  1. Connect to the Multi-Domain Server with SmartConsole, and then click Global Assignments.
  2. In the Global Assignments window, right-click one or more Domains.
    You can reassign to more than one Domain at the same time.
  3. Click Reassign.

    The system creates a task which:

    • Updates the local Domain and its Rule Base
    • Publishes the changes
    • Changes the assignment status to Up to Date.

Handling Assignment Errors

Global assignments run as a task that you can monitor while you work on other tasks.

To monitor assignment/reassignment tasks:

  1. In the Multi-Domain view, click the task information area.

    The Recent Tasks window opens.

  2. Find the assignment task.

    If your task does not show, click Show More.

  3. Click Details.

    The Assignment Task Details window shows the task progress and details.

  4. If the task fails and returns an error message, correct the error, and then try to assign/reassign the global configuration again.

Some common errors include:

Deleting a Global Assignment

When you delete a global assignment, the global configuration rules and objects no longer apply to its Domain.

Best Practice - Immediately create a new global assignment so that Domain Security Gateways continue to enforce global configuration rules.

Important - You must remove global objects from all local Domain rules before you can delete a global assignment. If there is a rule that uses a global object when you try to delete a global assignment, the delete operation fails.

To delete a global assignment:

  1. In the Global Assignments view, select a Domain.
  2. Click the Delete icon on the Actions toolbar.
  3. In the Remove window, select an assignment, and then click Remove.

Global Assignment Status

You can see the global assignment status in the Assignment Up to Date column, in the Multi-Domain > Global Assignments view. For each Domain, the date of the last assignment shows together with a status icon:

Assignment is up to date - no action necessary.

The global configuration is not assigned or the assignment is not up to date. Assign or update the global configuration as soon as possible.

Updating IPS Protections

Check Point continuously develops and improves its protections against emerging threats. You can manually update the database with latest IPS protections. You must also configure the Global Domain to automatically download contracts and other important data.

Note - Security Gateways with IPS enabled only get the updates after you install Policy.

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.

To manually update the IPS protections:

  1. Connect to the Global Domain with SmartConsole.
  2. Click Security Policies > Threat Prevention.
  3. In the Related Tools section, click Updates.
  4. In the IPS section, click Update Now.
  5. Connect to the Multi-Domain Server with SmartConsole.
  6. Reassign the global configuration.

To revert to an earlier protection package:

  1. Connect to the Global Domain with SmartConsole.
  2. Click Security Policies > Threat Prevention.
  3. In the IPS section of the Threat Prevention Updates page, click Switch to version.
  4. In the window that opens, select an IPS Package Version, and click OK.
  5. Connect to the Multi-Domain Server with SmartConsole.
  6. Reassign the global configuration.

To make sure that Contract Downloads is enabled:

  1. In each Domain, go to the main menu > Global Properties.
  2. From the navigation tree, select Security Management.
  3. Make sure that Automatically download contracts and other important data is selected.

    This parameter is enabled by default. If it is not enabled, select it.

Updating the Application & URL Filtering Database

Check Point constantly develops and improves its protections against the latest threats. You can manually update the Application & URL Filtering database with the latest applications and URLs.

To manually update the Application & URL Filtering protections:

  1. Connect to the Global Domain with SmartConsole.
  2. Click Security Policies > Access Control.
  3. In the Related Tools section, click Updates.
  4. In the Application & URL Filtering section, click Update Now.
  5. Connect to the Multi-Domain Server with SmartConsole.
  6. Assign or reassign the global configuration.