In This Section: |
The Global Domain is a collection of rules, objects and settings shared with all Domains or with specific Domains. The system automatically creates the Global Domain when you install Multi-Domain Management. You cannot delete the Global Domain.
You organize global rules, objects and settings into global configurations. Each global configuration can include one or more of these components:
To connect to the Global Domain:
A SmartConsole instance opens for the Global Domain.
This section includes basic procedures for working the contents of the Global Domain.
When connected to the Global Domain you can:
These activities are not supported in this release:
Use global objects in global configuration rules. Global objects work much in the same way as objects in local Policy rules.
The Global Domain includes many, predefined global objects for your convenience. These default global objects are visible (read only), in the Global Domain. You cannot delete or change them.
You can create, change or delete user-defined global objects in the Global Domain only. Global objects are visible in local Domains in the read-only mode.
Important - Before you delete a global object, make sure that no global or local policy rules use this global object. This can cause errors when you reassign global configurations.
To add a new global object:
You can also create a new global object with the Object Explorer.
To change a user-defined global object, select it in the Object Explorer, and then change the applicable settings.
To delete a user-defined object, select it in the Object Explorer and click Delete.
Important - After you complete the global object task, assign or reassign the global configuration to the applicable Domains. This action automatically:
This section is a general overview of the procedure for defining rules in the Global Policies. To learn more about Policy rules and their configuration procedures, see the R80.30 Security Management Administration Guide.
Global Policy Layers have one placeholder for local Domain rules. You can create global rules above and below this placeholder. In the local Domain Policy Layer, you define local rules in the placeholder. If there are no local Domain rules, the placeholder can be empty.
The position of rules in Domain Policy Layers defines the order in which they are enforced. It is important to put rules in the correct sequence. Global Policy Layers do not have implied rules, but implied rules can be inherited from global properties in local Domains.
Best Practice - Define a global cleanup rule in each Policy Layer.
There is no NAT Rule Base in the Global Domain and you cannot define NAT settings there. You must define NAT rules manually in Domain Policy Layers.
Workflow for global Domain Policy Layers:
A SmartConsole instance opens for the Global Domain.
The system creates a task, during which these actions occur:
SmartConsole lets you create Policy Presets for better policy installation planning. A Policy Preset is a collection of Security Gateways or Policy Packages for policy installation purposes. After you define a Preset, you can install policy on all the items which are included in the Preset at the same time. You also have the option to define a policy installation schedule for a specific Preset. In a large deployment Multi-Domain Server environment, Policy Presets help you save time and manage the policy installation process more efficiently.
You can create 2 types of Policy Presets:
By Gateways - Policies are installed on all Security Gateways in the Preset. The applicable policy is installed on each Security Gateway in the Preset. A Preset can include Security Gateways from different Domains, from the same Domain, Security Gateways with different policies or identical policies.
By Policy Packages - All Policy Packages included in the Preset are installed on the Security Gateways that enforce it at the same time. Note - A Preset by Policy Packages installs policy only on Security Gateways which enforce the selected Policy Packages included in the Preset. It does not necessarily install policy on all Security Gateways in a Domain.
You can use Presets for policy installation only after you installed policy on the installation targets for the first time. Security Gateways with no policy installed on them are skipped during the installation process.
To create a Policy Preset:
Note - The policy installation time is according to the SmartConsole local time zone.
You can see the next policy installation schedule in the Next Run column:
At any time, you can select a Preset and click Install Policy, regardless of the preset schedule.
The audit logs of your Preset activity show at the bottom of the Install Policy Presets page and in the Logs & Monitor view.
Note - The policy preset is installed on the Multi-Domain Server with the active global Domain. If a domain has no domain server on the Multi-Domain Server with the active global Domain, then the policy preset is not installed on this Domain.
In this example, the Global policy will not be installed on Domain 2, because Domain 2 has no server in Multi-Domain Server2.
Servers |
Multi-Domain Server 1 |
Multi-Domain Server 2 |
---|---|---|
Domains |
|
|
Domain1 |
Domain1_Server (Active) |
Domain1_Server_2 (Standby) |
Domain2 |
Domain2_Server (Active) |
No Server |
Global |
Standby |
Active |
You are the administrator for a corporation that has five branches, with each branch in a different city. You manage the Security Gateways from a Multi-Domain console, in which each branch is represented by a Domain. Each Domain has a mail security server. When there is a mail-related update, you must update the policy on all mail security servers (no update is required for the other Security Gateways in each Domain). How can you make the policy installation process more efficient?
Create a Preset which includes the mail security server in each Domain. After you create this Preset, each time you need to update the Policy on the mail security servers, you can select this preset for installation. This way, you do not need to search and filter for each mail security server separately.
You can also schedule the policy installation for specific days and hours, for example, in the evening hours, when there are fewer employees at work.
Global Access Control rules use a placeholder for local Domain rules. The position of this placeholder in the Rule Base controls the order that Security Gateways handle global and local Policy rules. For simplicity of presentation, this example shows one Global Policy Layer that has both Network and Application rules. In the real world, there are different Policy Layers for these two rule types.
Sample Global Policy Layer
No. |
Name |
Source |
Destination |
VPN |
Services & |
Action |
---|---|---|---|---|---|---|
1 |
Management to |
Gateway objects |
Management |
Any |
Any |
Accept |
2 |
FB & Twitter |
Internal Net |
Any |
Any |
Facebook |
Drop |
3 |
Placeholder for Domain Rules |
Domain Layer |
||||
4 |
DMZ Notify |
Internal Net |
DMZ Net |
Any |
Any |
Inform |
5 |
Cleanup |
Any |
Any |
Any |
Any |
Drop |
In this example, the placeholder for local Domain rules is rule number 3. Global Domain rules 1 and 2 run before the local Domain rules. Global rule 4 and the cleanup rule run after the local Domain rules.
Each local Domain Policy includes both Global Domain Policy rules and local Domain rules that apply to its Security Gateways. Local Domain Policy rules show in a Domain Layer under a parent rule.
Sample Domain Policy Layer with Global and Local Domain Rules
No. |
Name |
Source |
Destination |
VPN |
Services & |
Action |
---|---|---|---|---|---|---|
1 |
Management to |
Gateway objects |
Management |
Any |
Any |
Accept |
2 |
FB & Twitter |
Internal Net |
Any |
Any |
Facebook |
Drop |
3 |
Parent Rule for Local Domain Policy |
|
||||
3.1 |
External to SD server |
External Net |
Host_10.10.10.11 |
Any |
Any |
Accept |
3.2 |
Finance |
Finance |
Finance Dept |
Any |
Any |
Accept |
3.3 |
File Sharing Allowed |
Any |
Any |
Any |
Dropbox |
Accept |
4 |
DMZ Notify |
Internal Net |
DMZ Net |
Any |
Any |
Inform |
5 |
Cleanup |
Any |
Any |
Any |
Any |
Drop |
In this example, the Security Gateways handle the global configuration rules (1 and 2) and then the local Domain rules. If there is still no match in the local rules, the Security Gateways handle the last two global rules, including the cleanup rule.
Although a local Domain can define implied rules, it is a best practice to put critical global rules at the beginning of the Rule Base. Put the global cleanup rule at the end. This overrides the implicit cleanup rule and gives you flexibility to define an effective sequence for local Domain rules.
Global Threat Prevention rules use a placeholder for local Domain rules. The position of this placeholder in the Rule Base controls the order that Security Gateways handle global and local Policy rules. The first rule that matches traffic generates the specified action.
Sample global Policy Rule Base
No. |
Name |
Protected Scope |
Protection |
Action |
Track |
Install On |
---|---|---|---|---|---|---|
1 |
Max Security |
Portal Server |
N/A |
Strict |
Alert |
Policy Targets |
Global Exceptions (No Rules) |
||||||
E-1.1 |
MS Office False Positives |
Any |
MS Word |
Detect |
Log |
Policy Targets |
2 |
Printers & Other Devices |
Peripheral Net |
N/A |
Basic |
Log |
Policy Targets |
Global Exceptions (No Rules) |
||||||
3 |
Parent Rule for Domain Policy |
Domain Layer |
||||
4 |
Cleanup |
Any |
N/A |
Optimized |
Log |
Policy Targets |
Global Exceptions (No Rules) |
In this example, the local Domain placeholder is rule number 3. Global Domain rules 1 and 2 run before the local Domain rules. Global Domain rule 4 is the default rule that runs after the local Domain rules.
Each Domain Policy includes both global rules and local rules that apply to its Security Gateways. Local Domain Policy rules show in a local Domain Layer under a parent rule.
Sample Domain Rule Base with global and local Domain Rules
No. |
Name |
Protected Scope |
Protection |
Action |
Track |
Install On |
---|---|---|---|---|---|---|
1 |
Max Security |
Portal Server |
N/A |
Strict |
Alert |
Policy Targets |
Global Exceptions (No Rules) |
||||||
E-1.1 |
MS Office False Positives |
Any |
MS Word |
Detect |
Facebook |
Policy Targets |
2 |
Printers & Other Devices |
Peripheral Net |
N/A |
Basic |
Log |
Policy Targets |
Global Exceptions (No Rules) |
||||||
3 |
Placeholder for Domain Policy |
Domain Layer |
||||
3.1 |
Management Threats |
Management |
N/A |
Optimized |
Log |
Policy Targets |
3.2 |
Guests |
Guest |
N/A |
Strict |
Log |
Policy Targets |
4 |
Cleanup |
Any |
N/A |
Optimized |
Log |
Policy Targets |
This example shows Policy Layer with Global Domain rules together with the local Domain rules.
Note - You cannot disable local Policy Layers in the Global Domain. This option is not available.
When you upgrade an R77.x or earlier Multi-Domain Server, existing Policies are converted in this manner:
The use of Policy Layers lets you define granular permissions for different aspects of security management. In a typical organization, only administrators with Global Management or Superuser privileges can work with Global Policy Layers. Domain Managers or Domain Level Only administrators typically have permissions to work with specified Policy Layers in their local Domains.
Dynamic objects are "logical" network objects for which IP addresses or address ranges are not explicitly defined. You define dynamic objects in the Global Domain and use them in global configuration rules. The dynamic objects are resolved to local objects when you assign the global policy to the local Domains.
You can create dynamic objects for most object types, including Security Gateways, hosts, services, networks and groups. Use the standard global objects available in SmartConsole or create your own global objects. All dynamic objects must have the _global
suffix, which identifies the objects as global.
There are two types of dynamic objects:
The use of dynamic objects makes it possible to create global rules with no specified network objects. This lets you create rules that are templates.
To create a new global dynamic object:
Or
For the Dynamic Global Network Object, the name must have the suffix _global
. For example, FTP_Server_global
.
To use a dynamic global network object in a local Domain rule:
_global
suffix.The local object must include the applicable local parameters, such as the IP address.
When you assign the global policy to the local Domain, the local object replaces this Dynamic Global Network Object.
For Dynamic Objects, there is no need to create an equivalent local object.
You can create Security Rules in Global Domain that are installed on some Security Gateways or groups of Security Gateways and not others. This way, Security Gateways with different functions on one Domain can receive different security rules for a specified function or environment. When you install global policy to a number of similarly configured Domains, the related global rules are installed to all of the related Security Gateways on each Domain.
This feature is particularly useful for enterprise deployments of Multi-Domain Management, where Domains typically represent geographic subdivisions of an enterprise. For example, an enterprise deployment may have Domains for business units in New York, Boston, and London, and each Domain is similarly configured, with a Security Gateway (or Security Gateways) to protect a DMZ, and others to protect the perimeter. This capability lets you configure the global policy so that some global security rules are installed to DMZ Security Gateways, and different rules are installed to the perimeter Security Gateways.
Note - Global security rules can be installed on Security Gateways, Edge Security Gateways, and Open Security Extension (OSE) devices. |
To install a specified security rule on a specified Security Gateway or types of Security Gateways:
_global
to the end of the name._global
.Best Practice - While you can give a Security Gateway a name of the global dynamic object, we recommend to create a group to preserve future scalability (for instance, to include another Security Gateway with this function). We do not recommend changing the name of an existing Security Gateway to the dynamic object name.
You create Global Policies in the Global SmartConsole. You create Domain policies in the SmartConsole launched using the Domain Management Server. Let us consider an MSP that wants to implement a rule which blocks unwanted services at Domain sites. The Multi-Domain Management Superuser, Carol, wants to set up a rule which lets the Domain administrators decide which computers are allowed to access the Internet.
Source |
Destination |
VPN |
Service |
Action |
---|---|---|---|---|
MyRule |
Any |
Any |
Any |
accept |
After she created a Global Policy which includes this rule, she assigns and installs it to specific Domains and their Security Gateways. Each Domain administrator must create a group object with the same name as in the Domain Management Server database. This is done in SmartConsole. This way, local administrators translate the dynamic global object into sets of network object from the local database.
For details about how to use the SmartConsole, see the R80.30 Security Management Administration Guide.
These are the differences between the Domain SmartConsole and the Global SmartConsole:
Feature |
Domain SmartConsole |
Global SmartConsole |
Rule Base |
Local, applying to the Domain network only. |
Global, applying to multiple networks of all Domains assigned this Global Policy. |
|
Domain Security Rules and Global Rules (in Read Only mode) if the Global Policy is assigned to the Domain. |
Global Rules and a place holder for Domain rules. |
|
Not associated with the Domain other security policies. |
Automatically added to all of the assigned security policies of Domains. |
|
Each Domain policy is independent, with its own rules. |
All the assigned Domain policies share the global rules. |
Network Objects |
Local to this network only. |
Global to multiple networks of all Domains assigned this Global Policy. |
Global Properties |
Enabled. |
Disabled (manipulations is through the Domain SmartConsole). |
Saving a Security Policy |
Adds the security policy to the list of Domain security policies. |
Adds the Global Policy to the Global Policies database (and displays it in the Global Policies Tree of SmartConsole). |
Note - You cannot use the Global SmartConsole to create Security Gateway objects. Instead, use a SmartConsole connected to a specific Domain Management Server to create these objects.
A global assignment is a Multi-Domain Management system object that assigns a global configuration to one specified Domain. You create global assignments to assign different combinations of Global Access Control Policies, Global Threat Prevention Policies, and global object definitions to different Domains.
When you create a new global assignment, it automatically assigns the specified global configuration to the specified Domain. It also publishes the assignment and updates local Domain Policies.
Best Practice - When you create a new Domain, create a global assignment for that Domain at the same time.
When you do one or more of these actions, you must publish the Global Domain session and reassign the global configuration:
The assign/reassign action does not automatically install Policies.
Best Practice - Install Policies after you assign or reassign a global assignment.
To create a new global assignment:
You can click Advanced to open the Advanced Assignment window to assign the selected Policy:
You can click Advanced to open the Advanced Assignment window to assign the selected Policy:
This option lets you change IPS protection actions for Security Gateways on the local Domain.
The system creates a task, which:
To change an existing global assignment:
The system creates a task which:
Important: You can create a global assignment that does not include a Global Access Control and Threat Prevention Policy. To do this, select the None value to both Policy types. The global configuration assigns only the defined global objects and settings to Domains.
When you make changes to the global configuration items, the assignment status changes to Not up to date. The assignment status does not change if you make changes to the local Domain Policies.
To reassign global configurations:
The system creates a task which:
Global assignments run as a task that you can monitor while you work on other tasks.
To monitor assignment/reassignment tasks:
The Recent Tasks window opens.
If your task does not show, click Show More.
The Assignment Task Details window shows the task progress and details.
Some common errors include:
When you delete a global assignment, the global configuration rules and objects no longer apply to its Domain.
Best Practice - Immediately create a new global assignment so that Domain Security Gateways continue to enforce global configuration rules.
Important - You must remove global objects from all local Domain rules before you can delete a global assignment. If there is a rule that uses a global object when you try to delete a global assignment, the delete operation fails. |
To delete a global assignment:
You can see the global assignment status in the Assignment Up to Date column, in the Multi-Domain > Global Assignments view. For each Domain, the date of the last assignment shows together with a status icon:
Assignment is up to date - no action necessary. |
|
The global configuration is not assigned or the assignment is not up to date. Assign or update the global configuration as soon as possible. |
Check Point continuously develops and improves its protections against emerging threats. You can manually update the database with latest IPS protections. You must also configure the Global Domain to automatically download contracts and other important data.
Note - Security Gateways with IPS enabled only get the updates after you install Policy.
For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.
To manually update the IPS protections:
To revert to an earlier protection package:
To make sure that Contract Downloads is enabled:
This parameter is enabled by default. If it is not enabled, select it.
Check Point constantly develops and improves its protections against the latest threats. You can manually update the Application & URL Filtering database with the latest applications and URLs.
To manually update the Application & URL Filtering protections: