MDS Global Policy Design

Had a long discussion with a long-time P1 admin who is brilliant (well, I trained him 15 years ago 🙂 ) and we shared tips on Global Policy design. Here are my notes:

1) Try to keep global policies small; otherwise you will push rules and objects onto 100 firewalls when only 2 need them. As time goes on you accumulate more and more objects and rules that nobody dares to delete, and your domain databases just grow and grow.

2) Local control: If you have a set of firewalls that need more local control, then DON'T add any global policies at the top. Only add global policies at the bottom and let the local rules hit first. You lose things like the stealth rule at the global level, but it gives the local policy finer-grained control instead of having some general global rule up high (any any HTTP) match first.

3) Global Objects, Local Rules: There is a debate about using global objects in local rules. The problem is that if you ever have to split domains, rename domains, or move domains to a new P1 (easier to migrate than to upgrade in a live environment), you have to pull the global policy out of the local domain, and the global objects in local rules will blow up. You have to replace the global objects in local rules with local objects, pull off the global policy, migrate, then redo the global policy.

This is manageable if you have only a couple of global objects in local rules: use placeholder/dummy objects, move the rules to the new domain, re-apply the global policy, and then point your dummy objects back at the global ones. If there are a lot of these instances or a lot of moves, it becomes a huge hassle.
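As an added example (not from the original post and not Check Point code), the script below does the bookkeeping for the procedure in point 3: it first counts how many local rules reference global objects, so you know whether you are in the "couple of objects" case or the "huge hassle" case, then swaps each global reference for a local placeholder object and records the mapping so the swap can be reversed after the global policy is re-applied in the new domain. The rulebase structure, object names and the "ph_" placeholder prefix are constructed for illustration; the dbedit commands it emits are an assumption to verify against your release's dbedit documentation before running them against a live domain database.

```python
from copy import deepcopy

# Constructed sample data: these names are hypothetical, not from any real domain.
GLOBAL_OBJECTS = {"g_corp_dns", "g_mgmt_net", "g_siem"}

LOCAL_RULES = [
    {"name": "allow dns",   "source": ["branch_lan"], "destination": ["g_corp_dns"],             "service": ["dns"]},
    {"name": "mgmt ssh",    "source": ["g_mgmt_net"], "destination": ["branch_fw"],              "service": ["ssh"]},
    {"name": "log to siem", "source": ["branch_fw"],  "destination": ["g_siem", "local_syslog"], "service": ["syslog"]},
    {"name": "web out",     "source": ["branch_lan"], "destination": ["any"],                    "service": ["http"]},
]

FIELDS = ("source", "destination", "service")
PLACEHOLDER_PREFIX = "ph_"   # naming convention for local dummy objects (assumed here)


def find_global_refs(rules, global_names):
    """Map each global object used by a local rule to the names of the rules using it.
    An empty result means the domain can be detached from global policy as-is."""
    refs = {}
    for rule in rules:
        for field in FIELDS:
            for obj in rule[field]:
                if obj in global_names:
                    refs.setdefault(obj, []).append(rule["name"])
    return refs


def swap_in_placeholders(rules, global_names):
    """Return (rewritten_rules, mapping): every global reference is replaced by a local
    placeholder object, and mapping records placeholder -> original global name so the
    swap can be reversed once global policy is assigned again in the new domain."""
    mapping = {}
    rewritten = deepcopy(rules)
    for rule in rewritten:
        for field in FIELDS:
            members = []
            for obj in rule[field]:
                if obj in global_names:
                    placeholder = PLACEHOLDER_PREFIX + obj
                    mapping[placeholder] = obj
                    members.append(placeholder)
                else:
                    members.append(obj)
            rule[field] = members
    return rewritten, mapping


def restore_globals(rules, mapping):
    """Reverse swap_in_placeholders: put the global objects back into the rules."""
    restored = deepcopy(rules)
    for rule in restored:
        for field in FIELDS:
            rule[field] = [mapping.get(obj, obj) for obj in rule[field]]
    return restored


def placeholder_dbedit_script(mapping, dummy_ip="192.0.2.1"):
    """Emit dbedit commands creating one throwaway host per placeholder (TEST-NET-1
    address so it never matches real traffic). The dbedit syntax is an assumption;
    check it against your release's documentation before use."""
    lines = []
    for placeholder in sorted(mapping):
        lines.append(f"create host_plain {placeholder}")
        lines.append(f"modify network_objects {placeholder} ipaddr {dummy_ip}")
        lines.append(f"update network_objects {placeholder}")
    return "\n".join(lines)


if __name__ == "__main__":
    refs = find_global_refs(LOCAL_RULES, GLOBAL_OBJECTS)
    print(f"{len(refs)} global objects are referenced by local rules:")
    for obj, rule_names in refs.items():
        print(f"  {obj}: {', '.join(rule_names)}")
    swapped, mapping = swap_in_placeholders(LOCAL_RULES, GLOBAL_OBJECTS)
    print(placeholder_dbedit_script(mapping))
    # Round trip: after migration and re-applying global policy, the rules come back intact.
    assert restore_globals(swapped, mapping) == LOCAL_RULES
```

The mapping is the piece worth keeping in version control during a migration: it is the only record of which placeholder stands in for which global object, and losing it means rebuilding those rules by hand.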

I personally like using Global Dynamic Objects (sk33256) as placeholders (sometimes) and having the domains replace the placeholders. The downside is that the global name is JUST a template with no data in it: the data is defined at the domain level, so each domain has to populate it. You lose the effect of one central global variable holding one set of objects.

dynamic object

After removing the global policy from a domain, you can use any of the following to move the domain's contents into another, new domain:

You can use the export/import function in Dashboard to export from one domain and import into another. Not great, but better than retyping.

export function

You can also use confwiz, which I love, to export/import a whole domain into another domain. I love it because it is not copying files with all the crap in them; it uses dbedit to add objects/rules one at a time, as if you had typed them in. Then delete the crap you don't need in Dashboard.

You can also use cp_merge, but I’ve never used it.

4) Rename Global Objects: Another reason I hate using global objects too much is that you cannot rename them cleanly (sk82380). If they are used in a local policy, renaming blows up R75.46/7/8. I guess a fix came out for it and now you can rename global objects and it all works.

5) Theoretically all of this will be resolved in R90 Uber MDM2. I saw a demo and it looked cool anyway. I would wait about a year for the kinks to be worked out before migrating, so the above problems will probably be mitigated in MDM2 about 3 years from now.

Hope this helps,




  • dav3860  On October 9, 2013 at 4:02 am


    I saw you already made upgrades to R77. Did you experience weird issues with this version? Particularly with IA? I currently plan to set up two new clusters of GAIA with Identity Awareness. I think I'll upgrade the SmartCenter to R77 ASAP, but for the gateways I'm not sure: should I stick to R75.47 or jump to R77?

    • Dreezman  On October 9, 2013 at 6:42 pm

      I know no one at R77. The ones I know at R76 MDM are not happy at all. I am sticking with R75.46/7 with lots of patches for now.

      There is no reason to go to R76/7. It is on the VSX platform, which was reworked in R75.40VS and needs to bake for a couple more revs. I don't need the features, considering the stability costs.

      This will all settle down in the next 6 months to 1 year so just be patient. The bug fixes have to catch up with all the new features they have released in the past year. The GAIA platform is cool, but is still new. This would be true for most products from any vendor. But CP needs to hire more QA people and quality support people IMHO.



Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
