The Initial Policy
Important - This section does not apply to Scalable Platforms (Maestro and Chassis).
Until the Security Gateway administrator installs the Security Policy on the Security Gateway for the first time, security is enforced by an Initial Policy.
The Initial Policy operates by adding the predefined implied rules to the Default Filter policy.
These implied rules forbid most communication, yet allow the communication needed for the installation of the Security Policy.
The Initial Policy also protects the Security Gateway during Check Point product upgrades, when a SIC (Secure Internal Communication) certificate is reset on the Security Gateway, or in the case of a Check Point product license expiration.
Note - During a Check Point upgrade, a SIC certificate reset, or license expiration, the Initial Policy overwrites the user-defined policy.
The sequence of actions during boot of the Security Gateway until a Security Policy is loaded for the first time:
Step | Instructions
---|---
1 | The Security Gateway boots up.
2 | The Security Gateway disables IP Forwarding and loads the Default Filter policy.
3 | The Security Gateway configures the interfaces.
4 | The Security Gateway services start.
5 | The Security Gateway fetches the Initial Policy from the local directory.
6 | The administrator installs the user-defined Security Policy from the Management Server.
The Security Gateway enforces the Initial Policy until the administrator installs a user-defined policy.
In subsequent boots, the Security Gateway loads the user-defined policy immediately after the Default Filter policy.
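Because the Initial Policy silently replaces the user-defined policy after an upgrade, a SIC reset or a license expiration, operators usually want a check that tells them which policy a gateway is actually enforcing. The following POSIX shell script is an added example, not Check Point's own code: it takes `fw stat`-style output (the sample below is constructed, and the column layout and the policy names `InitialPolicy` and `defaultfilter` are assumptions about how the gateway reports them) and flags a gateway that is still on the Initial Policy or the Default Filter.

```shell
#!/bin/sh
# Added example (not Check Point code): classify the policy a gateway reports.
# SAMPLE_FW_STAT is constructed to resemble "fw stat" output; the real column
# layout may differ, so adjust policy_name_from_stat if it does.
SAMPLE_FW_STAT='HOST      POLICY          DATE
localhost InitialPolicy   12Mar2024 09:41:17 :  [>eth0] [<eth0] [>eth1] [<eth1]'

# Extract the policy name: second column of the first data line after the header.
policy_name_from_stat() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $2; exit }'
}

# Map a policy name to one of: initial, default, user.
# The names "InitialPolicy" and "defaultfilter" are assumed to be what the
# gateway reports for the Initial Policy and the Default Filter policy.
classify_policy() {
    case "$1" in
        InitialPolicy) echo initial ;;
        defaultfilter) echo default ;;
        *)             echo user ;;
    esac
}

# Exit 0 when a user-defined policy is loaded, 1 otherwise, so the function
# can be used directly as a monitoring probe.
check_gateway_policy() {
    name=$(policy_name_from_stat "$1")
    class=$(classify_policy "$name")
    if [ "$class" = user ]; then
        echo "OK: user-defined policy '$name' is loaded"
        return 0
    fi
    echo "ALERT: gateway enforces '$name' ($class policy); install the Security Policy from the Management Server"
    return 1
}

# Stand-alone run against the constructed sample (prints the ALERT line).
check_gateway_policy "$SAMPLE_FW_STAT" || :
```

On a real gateway, replace the constructed sample with the live output (for example `check_gateway_policy "$(fw stat)"`) and schedule the probe after every upgrade or SIC re-establishment, which are exactly the moments the text says the Initial Policy takes over.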
There are different Initial Policies for Standalone and distributed setups:

- In a Standalone configuration, where the Security Management Server and the Security Gateway are on the same computer, the Initial Policy allows CPMI management communication only. This permits SmartConsole clients to connect to the Security Management Server.
- In a distributed configuration, where the Security Management Server is on one computer and the Security Gateway is on a different computer, the Initial Policy:
  - Allows the cpd and fwd daemons to communicate for SIC (to establish trust) and for Policy installation.
  - Does not allow CPMI connections through the Security Gateway. SmartConsole is not able to connect to the Security Management Server if it must reach the Security Management Server through a Security Gateway that is enforcing the Initial Policy.