SmartConsole offers a number of tools that address policy management tasks, both at the definition stage and for maintenance.
At the definition stage:
At the maintenance level:
A policy package is a collection of different types of policies. After installation, the Security Gateway enforces all the policies in the package. A policy package can have one or more of these policy types:
The installation process:
If there are verification errors, the policy is not installed. If there are verification warnings (for example, if anti-spoofing is not enabled for a Security Gateway with multiple interfaces), the policy package is installed with a warning.
You can create different policy packages for different types of sites in an organization.
Example:
An organization has four sites, each with its own requirements. Each site has a different set of Software Blades installed on the Security Gateways:
| Item | Security Gateway | Installed Software Blades |
|---|---|---|
| 1 | Sales California | Firewall, VPN |
| 2 | Sales Alaska | Firewall, VPN, IPS, DLP |
| 3 | Executive management | Firewall, VPN, QoS, and Mobile Access |
| 4 | Server farm | Firewall |
| 5 | Internet | |
To manage these different types of sites efficiently, you need to create three different Policy Packages. Each Package includes a combination of policy types that correspond to the Software Blades installed on the site's gateway. For example:
Install the Access Control policy package on all Security Gateways.
Install this policy package on the executive management Gateway.
Install this policy package on the executive management Gateway.
The Manage Policies window opens.
The Policy window opens.
To install Policy Packages correctly and eliminate errors, each Policy Package is associated with a set of appropriate installation targets.
The new policy shows on the Security Policies page.
The Manage Policies window opens.
The Install Policy window opens showing the installation targets (Security Gateways).
Note - If you select For Gateway Clusters install on all the members, if it fails do not install at all, the Security Management Server makes sure that it can install the policy on all cluster members before it begins the installation. If the policy cannot be installed on one of the members, policy installation fails for all of them.
When you make changes to user or administrator definitions through SmartConsole, they are saved to the user database on the Security Management Server. User authentication methods and encryption keys are also saved in this database. The user database does not contain information about users defined externally to the Security Gateway (such as users in external User Directory groups), but it does contain information about the external groups themselves (for example, on which Account Unit the external group is defined). Changes to external groups take effect only after the policy is installed, or the user database is downloaded from the Security Management Server.
You must choose to install the policy or the user database, based on the changes you made:
The user database is installed on:
You can also install the user database on Security Gateways and on a remote server, such as a Log Server, from the command line interface on the Security Management Server.
To install the user database from the command line interface:
On the Security Management Server, run: fwm dbload <host name>
Note: Check Point hosts that do not have active Management Software Blades do not get the user database installed on them.
You can uninstall a policy package through a command line interface on the gateway.
To uninstall a policy package:
fw unloadlocal
You can search for the logs that are generated by a specified rule, from the Security Policy or from the Logs & Monitor > Logs tab.
To see logs generated by a rule (from the Security Policy):
To see logs generated by a rule (by Searching the Logs):
layer_uuid_rule_uuid:*_<UID>
For example, paste this into the query search bar and press Enter:
layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10
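The query above works because the layer_uuid_rule_uuid log field holds the layer UUID and the rule UUID joined by an underscore, and the layer part is usually not known when you start from a rule. The following is an added example (not part of this guide or of any Check Point tool) that applies the same `*_<UID>` wildcard matching to a few constructed log records; the layer UUID and all records are made up, only the rule UID is the one quoted above.

```python
import fnmatch
from collections import Counter

# Constructed sample records, not real Check Point log output. The
# layer_uuid_rule_uuid value has the form <layer UUID>_<rule UUID>.
LAYER = "11111111-2222-4333-8444-555555555555"  # made-up layer UUID
RULE_A = "46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10"  # rule UID quoted in the text
RULE_B = "9e7f1c22-aaaa-4bbb-8ccc-dddddddddddd"  # made-up second rule

SAMPLE_LOGS = [
    {"time": "10:00:00", "action": "Accept", "src": "10.0.0.5",
     "layer_uuid_rule_uuid": f"{LAYER}_{RULE_A}"},
    {"time": "10:00:01", "action": "Drop", "src": "10.0.0.9",
     "layer_uuid_rule_uuid": f"{LAYER}_{RULE_B}"},
    {"time": "10:00:02", "action": "Accept", "src": "10.0.1.7",
     "layer_uuid_rule_uuid": f"{LAYER}_{RULE_A}"},
]


def rule_query(rule_uid: str) -> str:
    """Build the Logs tab query for one rule; the layer prefix is wildcarded."""
    return f"layer_uuid_rule_uuid:*_{rule_uid}"


def logs_for_rule(records: list[dict], rule_uid: str) -> list[dict]:
    """Return the records the query would match: field name before the colon,
    glob pattern after it, applied case-sensitively to the field value."""
    field, _, pattern = rule_query(rule_uid).partition(":")
    return [r for r in records if fnmatch.fnmatchcase(r.get(field, ""), pattern)]


def action_summary(records: list[dict], rule_uid: str) -> dict[str, int]:
    """Count actions (Accept/Drop/...) logged by the rule, for a quick sanity check."""
    return dict(Counter(r["action"] for r in logs_for_rule(records, rule_uid)))


if __name__ == "__main__":
    print(rule_query(RULE_A))
    print(action_summary(SAMPLE_LOGS, RULE_A))
```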
It is important to understand the differences between publishing and installing.
| You must do this: | After you did this: |
|---|---|
| Publish | Opened a session in SmartConsole and made changes. The Publish operation sends all SmartConsole modifications to other administrators, and makes the changes you made in a private session public. |
| Install the database | Modified network objects, such as servers, users, services, or IPS profiles, but not the Rule Base. Updates are installed on management servers and log servers. |
| Install a policy | Changed the Rule Base. The Security Management Server installs the updated policy and the entire database on Security Gateways (even if you did not modify any network objects). |
The validations pane in SmartConsole shows configuration error messages. Examples of errors are object names that are not unique, and the use of objects that are not valid in the Rule Base.
To publish, you must fix the errors.
In the Installation History you can choose a Gateway, a date and time when the Policy was installed, and:
To work with the Policy installation history:
Click View installed changes.
To see the changes that were installed and who made them:
Click View.
To revert to a specific version of the Policy:
Click Install specific version.
To simplify Policy management, R80 organizes the policy into Policy Layers. A layer is a set of rules, or a Rule Base.
For example, when you upgrade to R80 from earlier versions:
When the gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.
All layers are evaluated in parallel.
For Pre-R80 Gateways, the enforcement is the same as with earlier management versions, but it looks different in the SmartConsole.
The layers concept opens more options for policy management. These include:
Future versions will include more options with layers, including Actions for Inline Layers.
You can use the Manage Layers window to work with Policy Layers. To open the Manage Layers window, select Menu > Manage Layers in SmartConsole. The Manage Layers window shows:
To create a new Policy Layer:
This Policy Layer is not yet assigned to a Policy Package.
To change an existing Policy Layer configuration, right-click it in the Layer Editor, and then select Edit layer.
To export Layer rules to a .csv file:
The Manage Layers window opens.