Working with Policy Packages
A policy package is a collection of different types of policies. After installation, the Security Gateway enforces all the policies in the package. A policy package can have one or more of these policy types:
- Access Control - consists of these types of rules:
  - Firewall
  - NAT
- QoS - Quality of Service rules for bandwidth management
- Desktop Security - the Firewall policy for endpoint computers that have the Endpoint Security VPN remote access client installed as a standalone client.
- Threat Prevention - consists of:
  - IPS - IPS protections continually updated by IPS Services
  - Anti-Bot - Detects bot-infected machines, prevents bot damage by blocking bot commands and Command and Control (C&C) communications
  - Anti-Virus - Includes heuristic analysis, stops viruses, worms, and other malware at the gateway
  - Threat Emulation - Detects zero-day and advanced polymorphic attacks by opening suspicious files in a sandbox
  - Threat Extraction - Extracts potentially malicious content from e-mail attachments before they enter the corporate network
- HTTPS Inspection - Consists of rules to inspect traffic encrypted by the Transport Layer Security (TLS) protocol between internal browser clients and web servers.
Important - Legacy SmartDashboard does not show the QoS and Desktop policies when an administrator with read-only permissions is logged in and the Desktop Security policy is enabled in the policy package.
The installation process:
- Runs a heuristic verification on rules to make sure they are consistent and that there are no redundant rules. If there are verification errors, the policy is not installed. If there are verification warnings (for example, if anti-spoofing is not enabled for a Security Gateway with multiple interfaces), the policy package is installed with a warning.
- Makes sure that each of the Security Gateways enforces at least one of the rules. If none of the rules are enforced, the default drop rule is enforced.
- Distributes the user database and object database to the selected installation targets.
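The two verification checks above, modelled as a small added example (this is not Check Point's verifier; the rule base, gateway names and the simplified "wildcard or exact match" field semantics are constructed for illustration): a rule that is fully covered by an earlier rule can never match and is reported as redundant, and a gateway on which no rule in the package is installed is reported as being left with only the default drop rule.

```python
from dataclasses import dataclass

ANY = "Any"                        # wildcard value for a rule field
POLICY_TARGETS = "Policy Targets"  # install on every target of the package


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    svc: str
    action: str                      # "Accept" or "Drop"
    install_on: frozenset = frozenset({POLICY_TARGETS})


def field_covers(outer: str, inner: str) -> bool:
    """A field value covers another if it is the wildcard or identical."""
    return outer == ANY or outer == inner


def rule_covers(outer: Rule, inner: Rule) -> bool:
    """True if every connection matched by `inner` is also matched by `outer`.
    Installation targets are deliberately ignored in this simplified check."""
    return all(field_covers(getattr(outer, f), getattr(inner, f))
               for f in ("src", "dst", "svc"))


def find_shadowed(rules: list[Rule]) -> list[str]:
    """Rules fully covered by an earlier rule can never match (redundant rules)."""
    return [r.name for i, r in enumerate(rules)
            if any(rule_covers(earlier, r) for earlier in rules[:i])]


def targets_without_rules(rules: list[Rule], gateways: list[str]) -> list[str]:
    """Gateways on which no rule of the package is installed; on these only the
    implied default drop rule would be enforced."""
    def enforces(gw: str, r: Rule) -> bool:
        return POLICY_TARGETS in r.install_on or gw in r.install_on
    return [gw for gw in gateways if not any(enforces(gw, r) for r in rules)]


# Constructed sample rule base and installation targets (hypothetical values).
SAMPLE_RULES = [
    Rule("web-in", ANY, "WebSrv", "http", "Accept", frozenset({"Server farm"})),
    Rule("web-in-dup", "Internal", "WebSrv", "http", "Accept", frozenset({"Server farm"})),
    Rule("sales-vpn", "Sales_CA", ANY, "ike", "Accept",
         frozenset({"Sales California", "Sales Alaska"})),
]
SAMPLE_GATEWAYS = ["Sales California", "Sales Alaska", "Executive management", "Server farm"]

if __name__ == "__main__":
    print("redundant rules:", find_shadowed(SAMPLE_RULES))          # ['web-in-dup']
    print("default drop only:", targets_without_rules(SAMPLE_RULES, SAMPLE_GATEWAYS))
```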
You can create different policy packages for different types of sites in an organization.
An organization has four sites, each with its own requirements. Each site has a different set of Software Blades installed on the Security Gateways:
Item | Security Gateway | Installed Software Blades
---|---|---
1 | Sales California | Firewall, VPN
2 | Sales Alaska | Firewall, VPN, IPS, DLP
3 | Executive management | Firewall, VPN, QoS, and Mobile Access
4 | Server farm | Firewall
5 | Internet | 
To manage these different types of sites efficiently, you need to create three different Policy Packages. Each Package includes a combination of policy types that correspond to the Software Blades installed on the site's Security Gateway. For example:
- A policy package that includes the Access Control policy type. The Access Control policy type controls the Firewall, NAT, Application & URL Filtering, and Content Awareness Software Blades. This package also determines the VPN configuration. Install the Access Control policy package on all Security Gateways.
- A policy package that includes the QoS policy type for the QoS blade on the Security Gateway that manages bandwidth. Install this policy package on the executive management Security Gateway.
- A policy package that includes the Desktop Security policy type for the Security Gateway that handles Mobile Access. Install this policy package on the executive management Security Gateway.
To create a new policy package:
- From the menu, select Manage policies and layers. The Manage policies and layers window opens.
- Click New. The New Policy window opens.
- Enter a name for the policy package.
- In the General page > Policy types section, select one or more of these policy types:
  - Access Control & HTTPS Inspection
  - Threat Prevention
  - QoS, then select Recommended or Express
  - Desktop Security
  To see the QoS and Desktop Security policy types, enable them on one or more Gateways. Go to gateway editor > General Properties > Network Security tab:
  - For QoS, select QoS
  - For Desktop Security, select IPSec VPN and Policy Server
- On the Installation targets page, select the gateways the policy will be installed on:
  - All gateways
  - Specific gateways - For each gateway, click the [+] sign and select it from the list.
  To install Policy Packages correctly and eliminate errors, each Policy Package is associated with a set of appropriate installation targets.
- Click OK.
- Click Close. The new policy shows on the Security Policies page.
To add a policy type to an existing policy package:
- From the menu, select Manage policies and layers. The Manage policies and layers window opens.
- Select a policy package and click the Edit button. The New Policy package window opens.
- On the General > Policy types page, select the policy type to add:
  - Access Control & HTTPS Inspection
  - Threat Prevention
  - QoS, then select Recommended or Express
  - Desktop Security
- Click OK.
To install a policy package:
- On the Global Toolbar, click Install Policy. The Install Policy window opens and shows the installation targets (Security Gateways).
- From the Select a policy menu, select a policy package.
- Select one or more policy types that are available in the package.
- Select the Install Mode:
  - Install on each selected gateway independently - Install the policy on each target gateway independently of the others, so that if the installation fails on one of them, it does not affect the installation on the rest of the target gateways.
    Note - If you select "For Gateway clusters install on all the members, if fails do not install at all", the Security Management Server makes sure that it can install the policy on all cluster members before it begins the installation. If the policy cannot be installed on one of the members, policy installation fails for all of them.
  - Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all the target gateways. If the policy fails to install on one of the gateways, the policy is not installed on the other target gateways.
- Click Install.
When you make changes to user definitions through SmartConsole, they are saved to the user database on the Security Management Server. User authentication methods and encryption keys are also saved in this database. The user database does not contain information about users defined externally to the Security Gateway (such as users in external User Directory groups), but it does contain information about the external groups themselves (for example, on which Account Unit the external group is defined). Changes to external groups take effect only after the policy is installed, or the user database is downloaded from the Security Management Server.
You must choose to install the policy or the user database, based on the changes you made:
- Install the policy, if you modified additional components of the Policy Package (for example, added new Security Policy rules) that are used by the installation targets.
- Install the user database, if you only changed the user definitions or the administrator definitions - from the menu, select Install Database.
The user database is installed on:
- Security Gateways - during policy installation
- Check Point hosts with one or more Management Software Blades enabled - during database installation
You can also install the user database on Security Gateways and on a remote server, such as a Log Server, from the command line interface on the Security Management Server.
To install user database from the command line interface:
On the Security Management Server, in the Expert mode, run the fwm dbload command.
For more information, see the R81 CLI Reference Guide - Chapter Security Management Server Commands - Section fwm - Sub-section fwm dbload.
Note - Check Point hosts that do not have active Management Software Blades do not get the user database installed on them.
You can uninstall the Access Control policy using the command line interface on the Security Gateway.
- Connect to the command line on the Security Gateway.
- Log in to the Expert mode.
- Run: fw unloadlocal
Warnings:
For more information, see the R81 CLI Reference Guide - Chapter Security Gateway Commands - Section fw - Sub-section fw unloadlocal.
For uninstalling other Security Policies, check the relevant Administration Guides.