Global Assignments

A global assignment is a Multi-Domain Security Management system object that assigns a global configuration to one specified Domain. You create global assignments to assign different combinations of Global Access Control Policies, Global Threat Prevention Policies, and global object definitions to different Domains.

When you create a new global assignment, it automatically assigns the specified global configuration to the specified Domain. It also publishes the assignment and updates local Domain Policies.

Best Practice - When you create a new Domain, create a global assignment for that Domain at the same time.

When you do one or more of these actions, you must publish the Global Domain session and reassign the global configuration:

• Add, delete, or change rules in a global configuration

• Add, delete, or change user-defined objects in a global configuration

• Define the SmartEvent object in the global database

• Change the definition of a global assignment

The assign/reassign action does not automatically install Policies.

Best Practice - Install Policies after you assign or reassign a global assignment.

Configuring an Assignment

To create a new global assignment:

1. Connect to the Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

2. Go to Multi-Domain > Global Assignments.

3. Click Assign > New Assignment.

4. In the New Assignment window, select a Local Domain.

5. Optional: Select a Global Access Control Policy for this local Domain.

   You can click Advanced to open the Advanced Assignment window to assign the selected Policy:

   • Only to the specified, local Domain Policies

   • To all local Domain Policies, except for those explicitly specified

6. Optional: Select a Global Threat Prevention Policy for this local Domain.

   You can click Advanced to open the Advanced Assignment window to assign the selected Policy:

   • Only to the specified, local Domain Policies

   • To all local Domain Policies, except for those explicitly specified

7. Optional: Enable Manage protection actions.

   This option lets you change IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protection actions for Security Gateways on the local Domain.

8. Click Assign.

9. In the confirmation window, click Publish & Assign.

   The system creates a task, which:

   • Updates the local Domain and its Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.

   • Publishes the changes

   • Changes the assignment status to Up to Date

To change an existing global assignment:

1. Connect to the Multi-Domain Server with SmartConsole.

2. In the Global Assignments view, double-click a Domain.

3. In the Assignment window, follow steps 4-6 above.

4. Click Assign.

5. In the confirmation window, click Publish & Assign.

   The system creates a task which:

   • Updates the local Domain and its Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base

   • Publish the changes

   • Changes the assignment status to Up to Date

Important - You can create a global assignment that does not include a Global Access Control and Threat Prevention Policy. To do this, select the None value to both Policy types. The global configuration assigns only the defined global objects and settings to Domains.

Reassigning

When you make changes to the global configuration items, the assignment status changes to Not up to date. The assignment status does not change if you make changes to the local Domain Policies.

To reassign global configurations:

1. Connect to the Multi-Domain Server with SmartConsole, and then click Global Assignments.

2. In the Global Assignments window, right-click one or more Domains.

   You can reassign to more than one Domain at the same time.

3. Click Reassign.

   The system creates a task which:

   • Updates the local Domain and its Rule Base

   • Publishes the changes

   • Changes the assignment status to Up to Date.

Handling Assignment Errors

Global assignments run as a task that you can monitor while you work on other tasks.

To monitor assignment/reassignment tasks:

1. In the Multi-Domain view, click the task information area.

   The Recent Tasks window opens.

2. Find the assignment task.

   If your task does not show, click Show More.

3. Click Details.

   The Assignment Task Details window shows the task progress and details.

4. If the task fails and returns an error message, correct the error, and then try to assign/reassign the global configuration again.

Some common errors include:

• Global objects with duplicate or illegal names

• Deleted global objects used in a rule

• Global rule validation errors

Deleting a Global Assignment

When you delete a global assignment, the global configuration rules and objects no longer apply to its Domain.

Best Practice - Immediately create a new global assignment so that Domain Security Gateways continue to enforce global configuration rules.

Important - You must remove global objects from all local Domain rules before you can delete a global assignment. If there is a rule that uses a global object when you try to delete a global assignment, the delete operation fails.

To delete a global assignment:

1. In the Global Assignments view, select a Domain.

2. Click the Delete icon on the Actions toolbar.

3. In the Remove window, select an assignment, and then click Remove.