You ALWAYS want to specify the individual firewalls in the "install-on"
portion of each rule in each policy (in the policy editor, install-on
column, right-click, then select targets, then the specific firewall;
once done, delete the "gateways" object from the rule). That way, even
if you fat-finger something, it won't get installed on every "gateway".
Hope this helps!
Jason
Jarrett Goetz wrote:
>
> I have a semi-stupid question.
>
> We are running a CheckPoint 4.1 Enterprise Management Console Server that is
> managing a small WAN worth of enforcement points (about 10+). We have
> separate policies for each firewall module, and not one large policy for the
> whole organization, due to various reasons. (The policy would be HUGE, in
> addition to about 1/3 to 1/2 of the installations being data center based
> with completely different types of rules.)
>
> The stupid, yet critical, problem is pushing new policies to the firewalls.
> When I click <install> it brings up the menu of all the firewall objects with
> checkboxes next to them. They are already all checked and I have to uncheck
> the ones I don't want to push to. Well, the other day I made the mistake of
> all mistakes. I was working a little too fast and I clicked <select all>,
> picked a firewall, then install, INSTEAD of <clear all>, picking a firewall,
> then install. This was very bad: the entire WAN and Data Centers came
> crashing down. As the policies were pushing (oh sh*t moment), I realized and
> hit <abort>, which was actually worse than letting it all go through.
> Recovering could have been a lot worse; thankfully I had control connections
> of the stations at the top of the policy, but it could have been much worse.
>
> My bottom-line question: is there a way to make all the firewall-1 objects
> unchecked by default? Or is there something else anyone knows of to definitely
> avoid this type of problem?
>
> Am I missing something here?
>
> I really think it is poor design on CheckPoint's side of that simple GUI, or I
> just might not be using it as it was spec'd out.
>
> Any input would be very appreciated.
>
> (Please don't tell me to buy Provider-1 for 80k :)
>
> Thanks.
>
> Jarrett Goetz
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================