Policy Management

In This Section: Working with Policy Packages Viewing Rule Logs Installing and Publishing Policy Installation History Introducing Policy Layers Managing Policy Layers

SmartConsole offers a number of tools that address policy management tasks, both at the definition stage and for maintenance.

At the definition stage:

• Policy Packages let you group different types of policies, to be installed together on the same installation targets.
• Predefined Installation Targets let you associate each package with a set of gateways. You do not have to repeat the gateway selection process each time you install a Policy Package.

At the maintenance level:

• Search gives versatile search capabilities for network objects and the rules in the Rule Base.
• Database version control lets you track past changes to the database.

Working with Policy Packages

A policy package is a collection of different types of policies. After installation, the Security Gateway enforces all the policies in the package. A policy package can have one or more of these policy types:

• Access Control - consists of these types of rules:
  • Firewall
  • NAT
  • Application Control and URL Filtering
  • Data Awareness
• QoS
• Desktop Security - the Firewall policy for endpoint computers that have the Endpoint Security VPN remote access client installed as a standalone client.
• Threat Prevention - consists of:
  • IPS - IPS protections continually updated by IPS Services
  • Anti-Bot - Detects bot-infected machines, prevents bot damage by blocking bot commands and Control (C&C) communications
  • Anti-Virus - Includes heuristic analysis, stops viruses, worms, and other malware at the gateway
  • Threat Emulation - detects zero-day and advanced polymorphic attacks by opening suspicious files in a sandbox

The installation process:

• Runs a heuristic verification on rules to make sure they are consistent and that there are no redundant rules.

  If there are verification errors, the policy is not installed. If there are verification warnings (for example, if anti-spoofing is not enabled for a Security Gateway with multiple interfaces), the policy package is installed with a warning.

• Makes sure that each of the Security Gateways enforces at least one of the rules. If none of the rules are enforced, the default drop rule is enforced.
• Distributes the user database and object database to the selected installation targets.

You can create different policy packages for different types of sites in an organization.

Example:

An organization has four sites, each with its own requirements. Each site has a different set of Software Blades installed on the Security Gateways:

Item	Security Gateway	Installed Software Blades
1	Sales California	Firewall, VPN
2	Sales Alaska	Firewall, VPN, IPS, DLP
3	Executive management	Firewall, VPN, QoS, and Mobile Access
4	Server farm	Firewall
5	Internet

To manage these different types of sites efficiently, you need to create three different Policy Packages. Each Package includes a combination of policy types that correspond to the Software Blades installed on the site's gateway. For example:

• A policy package that includes the Access Control policy type. The Access Control policy type controls the firewall, NAT, Application Control and URL Filtering, and Data Awareness blades. This package also determines the VPN configuration.

  Install the Access Control policy package on all Security Gateways.

• A policy package that includes the QoS policy type for the QoS blade on gateway that manages bandwidth.

  Install this policy package on the executive management Gateway.

• A policy package that includes the Desktop Security Policy type for the gateway that handles Mobile Access.

  Install this policy package on the executive management Gateway.

Creating a New Policy Package

1. From the Menu, select Manage Policies.

   The Manage Policies window opens.

2. Click New.

   The Policy window opens.

3. Enter a name for the policy package.
4. In the General page > Policy types section, select one or more of these policy types:
   • Access Control
   • QoS, select Recommended or Express
   • Desktop Security
   • Threat Prevention
5. On the Installation targets page, select the gateways the policy will be installed on:
   • All gateways
   • Specific gateways - For each gateway, click the [+] sign and select it from the list.

   To install Policy Packages correctly and eliminate errors, each Policy Package is associated with a set of appropriate installation targets.

6. Click OK.
7. Click Close.

   The new policy shows on the Security Policies page.

Adding a Policy Type to an Existing Policy Package

1. From the Menu, select Manage Policies.

   The Manage Policies window opens.

2. Select a policy package and click the Edit button.
3. The Policy package window opens.
4. On the General > Policy types page, select the policy type to add:
   • Access Control
   • QoS, select Recommended or Express
   • Desktop Security
   • Threat Prevention
5. Click OK.

Installing a Policy Package

1. On the Global Toolbar, click Install Policy.

   The Install Policy window opens showing the installation targets (Security Gateways).

2. From the Select a policy menu, select a policy package.
3. Select one or more policy types that are available in the package.
4. Select the Install Mode:
   • Install on each selected gateway independently - Install the policy on each target gateway independently of others, so that if the installation fails on one of them, it doesn't affect the installation on the rest of the target gateways.

     Note - If you select For Gateway Clusters install on all the members, if fails do not install at all, the Security Management Server makes sure that it can install the policy on all cluster members before it begins the installation. If the policy cannot be installed on one of the members, policy installation fails for all of them.

   • Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all the target gateways. If the policy fails to install on one of the gateways, the policy is not installed on other target gateways.
5. Click Install.

Installing the User Database

When you make changes to user or administrator definitions through SmartConsole , they are saved to the user database on the Security Management Server. User authentication methods and encryption keys are also saved in this database. The user database does not contain information about users defined externally to the Security Gateway (such as users in external User Directory groups), but it does contain information about the external groups themselves (for example, on which Account Unit the external group is defined). Changes to external groups take effect only after the policy is installed, or the user database is downloaded from the Security Management Server.

You must choose to install the policy or the user database, based on the changes you made:

• Install the policy, if you modified additional components of the Policy Package (for example, added new Security Policy rules) that are used by the installation targets
• Install the user database, if you only changed the user definitions or the administrator definitions - From the Menu, select Install Database

The user database is installed on:

• Security Gateways - during policy installation
• Check Point hosts with one or more Management Software Blades enabled - during database installation

You can also install the user database on Security Gateways and on a remote server, such as a Log Server, from the command line interface on the Security Management Server.

To install user database from the command line interface:

On the Security Management Server, run: fwm dbload <host name>

Note: Check Point hosts that do not have active Management Software Blades do not get the user database installed on them.

Uninstalling a Policy Package

You can uninstall a policy package through a command line interface on the gateway.

To uninstall a policy package:

1. Open a command prompt on the Security Gateway.
2. Run: fw unloadlocal.

Viewing Rule Logs

You can search for the logs that are generated by a specified rule, from the Security Policy or from the Logs & Monitor > Logs tab

To see logs generated by a rule (from the Security Policy):

1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. In the bottom pane, click one of these tabs to see:
   • Summary - Rule name, rule action, rule creation information, and the hit count. Add custom information about the rule.
   • Details (Access Control Policy only) - Details for each column. Select columns as necessary.
   • Logs - Log entries according to filter criteria - Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.
   • History (Access Control Policy only) - List of rule operations in chronological order, with the information about the rule type and the administrator that made the change.

To see logs generated by a rule (by Searching the Logs):

1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. Right-click the rule number and select Copy Rule UID.
4. In the Logs & Monitor > Logs tab, search for the logs in one of these ways:
   • Paste the Rule UID into the query search bar and press Enter.
   • For faster results, use this syntax in the query search bar:

     layer_uuid_rule_uuid:*_<UID>

     For example, paste this into the query search bar and press Enter:

     layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10

Installing and Publishing

It is important to understand the differences between publishing and installing.

You must do this:	After you did this:
Publish	Opened a session in SmartConsole and made changes. The Publish operation sends all SmartConsole modifications to other administrators, and makes the changes you made in a private session public.
Install the database	Modified network objects, such as servers, users, services, or IPS profiles, but not the Rule Base. Updates are installed on management servers and log servers.
Install a policy	Changed the Rule Base. The Security Management Server installs the updated policy and the entire database on Security Gateways (even if you did not modify any network objects).

Validation Errors

The validations pane in SmartConsole shows configuration error messages. Examples of errors are object names that are not unique, and the use of objects that are not valid in the Rule Base.

To publish, you must fix the errors.

Policy Installation History

In the Installation History you can choose a Gateway, a date and time when the Policy was installed, and:

• See the revisions that were installed on the Gateway and who installed the Policy.
• See the changes that were installed and who made the changes.
• Revert to a specific version, and install the last "good" Policy.

To work with the Policy installation history:

1. In SmartConsole, go to Security Policies.
2. Select Installation History:
   • For Access Control Policy, in the Access Tools section
   • For Threat Prevention Policy, in the Threat Prevention Tools section
3. In the Gateways section, select a Gateway.
4. In the Policy Installation History section, select an installation date.
5. To see the revisions that were installed and who made them:

   Click View installed changes.

   To see the changes that were installed and who made them :

   Click View.

   To revert to a specific version of the Policy:

   Click Install specific version.

Introducing Policy Layers

To simplify Policy management, R80 organizes the policy into Policy Layers. A layer is a set of rules, or a Rule Base.

For example, when you upgrade to R80 from earlier versions:

• Gateways that have the Firewall and the Application Control Software Blades enabled will have their Access Control Policy split into two ordered layers: Network and Applications.

  When the gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

• Gateways that have the IPS and Threat Emulation Software Blades enabled will have their Threat Prevention policies split into two parallel layers: IPS and Threat Prevention.

  All layers are evaluated in parallel

For Pre-R80 Gateways, the enforcement is the same as with earlier management versions, but it looks different in the SmartConsole.

The layers concept opens more options for policy management. These include:

• Setting different view and edit permissions per layer for different administrator roles.
• Re-using a layer in different places: For example, use the same Application Control layer in different policy packages.
• Using additional benefits for Multi-Domain Security Management environments. See the Multi-Domain Security Management Administration Guide for details.

Future versions will include more options with layers, including Actions for Inline Layers.

Managing Policy Layers

You can use the Manage Layers window to work with Policy Layers. To open the Manage Layers window, select Menu > Manage Layers in SmartConsole. The Manage Layers shows:

• Layer - Layer name
• Number of Rules - Number of rules in the Layer
• Policy Package - Policy packages that use the Layer
• Mode:
  • Ordered - A Policy Layer that includes global rules and a placeholder for local, Domain rules
  • Not in use - A Policy Layer that is not used in a Policy package
• Administrator - The administrator who last changed the Layer configuration
• Created By - The administrator who created the Layer
• Date Created - Date the Layer was created
• Rule Grid - Shows the rules in the selected Layer

To create a new Policy Layer:

1. In SmartConsole, click Menu > Manage Layers.
2. Click the New icon in the upper toolbar.
3. Configure the settings in the Layer Editor window.
4. Optional: It is a best practice to share Policy Layers with other Policy packages when possible. To enable this select Multiple policies can use this layer.
5. Close the window and publish the session.

   This Policy Layer is not yet assigned to a Policy Package.

To change an existing Policy Layer configuration, right-click it in the Layer Editor, and then select Edit layer.

To export Layer rules to a .csv file:

1. In SmartConsole, click Menu > Manage Layers.

   The Manage Layers window opens.

2. Select a Layer, and then click Actions > Export.
3. Enter a path and file name.