
[FW-1] Policy management



I am new to Checkpoint and have been given the task of taking over a distributed system: one management station on NT and several Sun-based firewalls. I have added two new Nokia-based firewalls and established two VPNs since taking over a few weeks ago, and the policy list is getting out of hand. The GUI seems to be geared towards managing all the rules for all the firewalls in a single policy, which I can understand, but it makes it very difficult, IMO, to understand the rules on any particular firewall just by looking at the list. I decided I would try to break it out into individual policies for each firewall, and ran into a few snares. First, if you make a policy with rules for just one gateway and don't uncheck the others from the list to install, you end up wiping the rules on the other gateways :) I suspected this would happen and did not actually create the catastrophe you might imagine; I tested it on one that was next to me with a console, thank god.

Another snag is the network objects. I am assuming that the objects get transferred to the gateways from the mgmt station at policy install time as well, and I noticed that changing an object on the mgmt station (for VPN options like shared secrets, for example) required pushing each individual policy to the appropriate endpoint gateways involved. This also makes sense, but is a pain.

I guess what I am asking is what have others done, if anything, to make policies more manageable (and therefore less prone to human error in changes) in a highly distributed environment?  I am looking at another five or so VPNs coming in the next quarter, and I am worried that the single policy interface will get too complex and unwieldy.

ObQuestion: In playing with bringing up the Nokia boxes in the past few weeks I have done many a putkey.  Addresses have been changing through my tests, and I now have a number of keys in conf/fwauth.keys that are no longer needed.  Anyone know how to delete them?

TIA,

Jeff LaCoursiere
Infrastructure Specialist
T-Motion




   All contents © 2004 Network Presence, LLC. All rights reserved.