Using a single or multiple policies is neither right nor wrong.  It is
simply a different method of management.

Using a single policy will introduce its own set of cons.  These include:

- A large policy that is hard to follow
- If installed on something other than Gateways you introduce eitherbound
inspection.  This increases the work the FW has to do and may cause you to
look at how you implement rules differently.

It is a matter of personal preference and style of management.  I prefer to
use separate policies if the policies are significantly different or
slightly complex.  If the policy is simple and only differs by 1 or 2 rules, I
will opt to install on specific FWs.

The risk of sending the wrong policy to one of the FW's is very real and
should not be taken lightly.  Having multiple firewalls and pushing separate
policies will require that you be more careful.




Rob Cryan
Solutions Integration Manager
infinitespace.com
Two Westborough Business Park
Westborough, MA 01581
Office: 508.870.4714


        -----Original Message-----
        From:   Jason Witty [SMTP:[EMAIL PROTECTED]]
        Sent:   Friday, August 11, 2000 8:37 AM
        To:     Jarrett Goetz
        Cc:     '[EMAIL PROTECTED]'
        Subject:        Re: [FW1] Enterprise Management Policy Pushing Issue


        You ALWAYS want to specify the individual firewalls in the "install-on"
        portion of each rule in each policy (in the policy editor, install-on
        column, right click then select targets, then the specific firewall.
        Once done, delete the "gateways" object from the rule).  That way, even
        if you fat finger something, it won't get installed on every "gateway".
        Hope this helps!

        Jason

        Jarrett Goetz wrote:
        >
        > I have a semi-stupid question.
        >
        > We are running a CheckPoint 4.1 Enterprise Management Console Server
        > that is managing a small WAN worth of enforcement points (about 10+.)
        > We have separate policies for each firewall module, and not one large
        > policy for the whole organization due to various reasons.  (The policy
        > would be HUGE in addition to about 1/3 to 1/2 of the installations
        > being data center based with completely different types of rules.)
        >
        > The stupid, yet critical problem is pushing new policies to the
        > firewalls.  When I click <install> it brings up the menu of all the
        > firewall objects with checkboxes next to them.  They are already all
        > checked and I have to uncheck the ones I don't want to push to.  Well,
        > the other day I made the mistake of all mistakes.  I was working a
        > little too fast and I clicked <select all>, picked a firewall, then
        > install, INSTEAD of <clear all>, picking a firewall, then install.
        > This was very bad: the entire WAN and Data Centers came crashing down.
        > As the policies were pushing (oh sh*t moment), I realized and hit
        > <abort>, which was actually worse than letting it all go through.
        > Recovering could have been a lot worse; thankfully I had control
        > connections of the stations at the top of the policy, but it could
        > have been much worse.
        >
        > My bottom line question, is there a way to make all the Firewall-1
        > objects unchecked by default?  Or something else anyone knows of to
        > definitely avoid this type of problem.
        >
        > Am I missing something here?
        >
        > I really think it is poor design on CheckPoint's side of that simple
        > GUI, or I just might not be using it as it was spec'd out.
        >
        > Any input would be very appreciated.
        >
        > (Please don't tell me to buy Provider-1 for 80k :)
        >
        > Thanks.
        >
        > Jarrett Goetz
        >
        > ================================================================================
        >      To unsubscribe from this mailing list, please see the
        >      instructions at http://www.checkpoint.com/services/mailing.html
        > ================================================================================

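A pre-install guardrail of the kind the thread argues for, as an added example that is not from any of the posters or from Check Point: every rule must name explicit install-on targets instead of the default "Gateways" object, target selection is opt-in rather than pre-checked, and the management control-connection rule must sit at the top so a bad push stays recoverable. The Rule/Policy data model and the firewall names are constructed for this example and do not reflect Check Point's own policy format.

```python
from dataclasses import dataclass

# Constructed data model for this example, not Check Point's policy file
# format. "Gateways" stands for the default install-on target that means
# "every enforcement point the management station knows about".
GATEWAYS_WILDCARD = "Gateways"

@dataclass
class Rule:
    name: str
    install_on: list            # firewall object names, or the wildcard
    allows_mgmt: bool = False   # permits management-station control connections

@dataclass
class Policy:
    name: str
    intended_targets: set       # the firewalls this policy is written for
    rules: list

def policy_problems(policy):
    """Return problems that would make a push unsafe; empty means clean."""
    problems = []
    if not policy.rules or not policy.rules[0].allows_mgmt:
        problems.append("first rule must permit management control connections")
    for rule in policy.rules:
        if GATEWAYS_WILDCARD in rule.install_on:
            problems.append(f"rule '{rule.name}' still targets '{GATEWAYS_WILDCARD}'")
        stray = set(rule.install_on) - policy.intended_targets - {GATEWAYS_WILDCARD}
        if stray:
            problems.append(f"rule '{rule.name}' targets {sorted(stray)} outside the policy")
    return problems

def select_install_targets(policy, requested):
    """Opt-in selection: nothing is pre-checked, out-of-scope targets are refused."""
    requested = set(requested)
    if not requested:
        raise ValueError("no install targets selected")
    outside = requested - policy.intended_targets
    if outside:
        raise ValueError(f"refusing to push '{policy.name}' to {sorted(outside)}")
    return sorted(requested)

# Constructed sample: a branch policy written for two WAN firewalls.
BRANCH = Policy("branch_wan", {"fw-branch-1", "fw-branch-2"}, [
    Rule("mgmt-control", ["fw-branch-1", "fw-branch-2"], allows_mgmt=True),
    Rule("allow-web", ["fw-branch-1", "fw-branch-2"]),
    Rule("clean-up", [GATEWAYS_WILDCARD]),   # forgotten default: gets flagged
])
```

Running `policy_problems(BRANCH)` flags only the clean-up rule, and `select_install_targets(BRANCH, ["fw-branch-1", "fw-dc-1"])` refuses the push because a data-center firewall is outside the policy's scope.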