Global Assignments View

What can I do here?

Use this window to:

• Configure and manage Global Domains
• Assign Domain Management Servers to Global Domains
• Connect to SmartConsole for Domain Management Servers or Global Domains

Getting Here - SmartConsole for Multi-Domain Server > Multi Domain > Global Assignments

The Global Domain

The Global Domain is a collection of rules, objects and settings shared with all Domains or with specific Domains. The system automatically creates the Global Domain when you install Multi-Domain Security Management. You cannot delete the Global Domain.

You organize global rules, objects and settings into global configurations. Each global configuration can include one or more of these components:

• One Global Access Control Policy - Global rules that control access to network resources. This includes rules for Firewall, Application Control, URL Filtering, and IPsec VPN. The Network Policy Layer is created automatically after installation or upgrade. You can manually create an Application or other Global Policy Layers as necessary.
• One Global Threat Prevention Policy - Global rules that prevent malware, intrusions and other threats. This includes rules for IPS, Anti-Bot, Anti-Virus, and other Threat Prevention features. The Threat Prevention Policy Layer is created automatically after installation or upgrade.
• Global Objects - System objects and configuration settings that are common to all or to specific Domains. Connect to the Global Domain with SmartConsole to create and configure global objects.

Connecting to the Global Domain

To connect to the Global Domain:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.

   A SmartConsole instance opens for the Global Domain.

Changing the Global Domain

This section includes basic procedures for working the contents of the Global Domain.

When connected to the Global Domain you can:

• Create, delete or change Global Access Control and Threat Prevention Policies.
• Create, delete or change rules in Global Policies.
• Create, delete or change global objects.

These activities are not supported in this release:

• Create a new Global Domain.
• Define Security Gateways as installation targets in global configuration rules. You must use local Policies to do this.

Working with Global Configuration Rules

This section is a general overview of the procedure for defining rules in the Global Policies. To learn more about Policy rules and their configuration procedures, see the R80.30 Security Management Administration Guide.

Global Policy Layers have one placeholder for local Domain rules. You can create global rules above and below this placeholder. In the local Domain Policy Layer, you define local rules in the placeholder. If there are no local Domain rules, the placeholder can be empty.

The position of rules in Domain Policy Layers defines the order in which they are enforced. It is important to put rules in the correct sequence. Global Policy Layers do not have implied rules, but implied rules can be inherited from global properties in local Domains.

Best Practice - Define a global cleanup rule in each Policy Layer.

There is no NAT Rule Base in the Global Domain and you cannot define NAT settings there. You must define NAT rules manually in Domain Policy Layers.

Workflow for global Domain Policy Layers:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.

   A SmartConsole instance opens for the Global Domain.

3. Select Access Control and Threat Prevention Policy Layers and configure their rules.
4. Publish your changes.
5. Go to Multi-Domain > Global Assignments, and assign the configuration to the local Domains. If you assigned the configuration before, and made changes to the Global Domain Policy, reassign the global domain configuration to the local Domains.

   The system creates a task, during which these actions occur:

   • Makes sure that all Global and local Domain Layer rules are consistent and work together correctly. For example, it makes sure that new local Policy Layers are connected to existing local Domain Policy Layers.
   • Updates the local Domain and its Rule Base.
   • Publishes the changes again.
   • Changes the assignment status to Up to Date.
6. Install Policies on the local Domains.

Working with Global Objects

Use global objects in global configuration rules. Global objects work much in the same way as objects in local Policy rules.

The Global Domain includes many, predefined global objects for your convenience. These default global objects are visible (read only), in the Global Domain. You cannot delete or change them.

You can create, change or delete user-defined global objects in the Global Domain only. Global objects are visible in local Domains in the read-only mode.

Important - Before you delete a global object, make sure that no global or local policy rules use this global object. This can cause errors when you reassign global configurations.

To add a new global object:

1. Connect to the Global Domain with SmartConsole.
2. Click the Objects menu, and then select an object type from the menu.

   You can also create a new global object with the Object Explorer.

3. Configure the required parameters.
4. Click OK to save the new object.

To change a user-defined global object, select it in the Object Explorer, and then change the applicable settings.

To delete a user-defined object, select it in the Object Explorer and click Delete.

Important - After you complete the global object task, assign or reassign the global configuration to the applicable Domains. This action automatically:

• Publishes the changes that were done on the Multi-Domain Server
• Updates the local Domain and its Rule Base

Updating IPS Protections

Check Point continuously develops and improves its protections against emerging threats. You can manually update the database with latest IPS protections. You must also configure the Global Domain to automatically download contracts and other important data.

Note - Security Gateways with IPS enabled only get the updates after you install Policy.

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.

To manually update the IPS protections:

1. Connect to the Global Domain with SmartConsole.
2. Click Security Policies > Threat Prevention.
3. In the Related Tools section, click Updates.
4. In the IPS section, click Update Now.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Reassign the global configuration.

To revert to an earlier protection package:

1. Connect to the Global Domain with SmartConsole.
2. Click Security Policies > Threat Prevention.
3. In the IPS section of the Threat Prevention Updates page, click Switch to version.
4. In the window that opens, select an IPS Package Version, and click OK.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Reassign the global configuration.

To make sure that Contract Downloads is enabled:

1. In each Domain, go to the main menu > Global Properties.
2. From the navigation tree, select Security Management.
3. Make sure that Automatically download contracts and other important data is selected.

   This parameter is enabled by default. If it is not enabled, select it.

Updating the Application and URL Filtering Database

Check Point constantly develops and improves its protections against the latest threats. You can manually update the Application and URL Filtering database with the latest applications and URLs.

To manually update the Application and URL Filtering protections:

1. Connect to the Global Domain with SmartConsole.
2. Click Security Policies > Access Control.
3. In the Related Tools section, click Updates.
4. In the Application and URL Filtering section, click Update Now.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Assign or reassign the global configuration.