Managing Firewall Access Policy from the Quantum Spark Portal
Solution

Introduction:

The Quantum Spark Portal (formerly named "Security Management Portal", or "SMP") can manage the Firewall Access Policy (Rule Base) for:

  • Small and Medium Business Appliances (600 and 700)
  • Branch Office Appliances (1100, 1400, 1500, 1600, 1800)
  • Ruggedized Appliances (1200R)

On the Security Software Blades -> Access Policy page of the Quantum Spark Portal, the administrator can create rules for a specified plan or gateway. These rules configure the policy for:

  • Outgoing access to the Internet
  • Incoming, internal, and VPN traffic

The Quantum Spark Portal administrator can configure pre-local rules or post-local rules:

  • Pre-local rules run before the local manual rules (which are created in the local settings of the Firewall Software Blades). A gateway local administrator cannot create manual rules to override pre-local rules configured by the Quantum Spark Portal administrator.

  • Post-local rules run after the local manual rules. The Quantum Spark Portal administrator configures the recommended policy, and the local administrator can override it by creating manual rules.

Note - The gateway local administrator can only edit the manual rules. Pre-local/post-local rules are locked.

For more information about this feature, refer to the SMP R12.30 Administration Guide.

Availability:

  • This feature is available on SMB gateways starting from version R77.20.70.
  • This feature is supported on 1500, 1600, and 1800 Quantum Spark appliances running R80.20.20 build 992001885 or higher.
  • The Next Generation mode of this feature is compatible with 1500, 1600, and 1800 Quantum Spark appliances running R80.20.30 or higher.
    • Applying the Next Generation mode to Gateways running versions lower than R80.20.30 is not supported; such a policy is ignored.

Known Limitations:

  1. Rules for Zone objects are not enforced if the target Gateway does not have the relevant physical ports.

    For example:

    1. Rules whose source or destination is "DMZ Network" or "LAN Network" / "DMZ Network" are disabled on appliances without a DMZ port (1530 and 1550 models).
    2. Rules with "Wireless Networks" objects are disabled on appliances that do not have Wi-Fi.
    3. Rules with the source "Internet" for incoming traffic are disabled.
    4. Services with multiple ports are not supported on 1500, 1600, and 1800 appliances. The administrator must not create a service with multiple ports.
  2. Next Generation mode limitations:

    1. Rules for updatable objects and applications that do not exist on the Gateway are ignored.
    2. Rules for IPv6 objects are ignored when IPv6 mode is disabled on the Gateway.
  3. For general known limitations, see sk159772 - Check Point R80.20.X for 1500, 1600, and 1800 Appliances Features, Known Limitations and Resolved Issues.
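The pre-local / local manual / post-local ordering described in the Introduction and the zone-port limitation above, as an added illustrative model (not Check Point's code or the portal's data format; the Rule class, the zone-to-port mapping and first-match rule-base semantics are assumptions made for the example):

```python
from dataclasses import dataclass

# Constructed rule model for illustration only; not the portal's or gateway's data format.
@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # object or zone name, e.g. "LAN Network", "DMZ Network", "Any"
    dst: str
    action: str  # "accept" or "drop"

# Zone objects enforceable only when the gateway has the matching physical port
# (known limitation 1: DMZ rules on 1530/1550, Wi-Fi rules on non-wireless models).
ZONE_PORT = {"DMZ Network": "DMZ", "Wireless Networks": "WiFi"}

def enforceable(rule, gateway_ports):
    """False when a zone object in the rule needs a port this gateway does not have."""
    for obj in (rule.src, rule.dst):
        port = ZONE_PORT.get(obj)
        if port is not None and port not in gateway_ports:
            return False
    return True

def effective_rulebase(pre_local, local, post_local, gateway_ports):
    """Merge the layers in enforcement order and drop rules the gateway cannot enforce."""
    ordered = [*pre_local, *local, *post_local]
    return [r for r in ordered if enforceable(r, gateway_ports)]

def evaluate(rulebase, src, dst):
    """First matching rule decides (assumption: standard first-match semantics);
    traffic that matches no rule is dropped by an implicit cleanup rule."""
    for rule in rulebase:
        if rule.src in ("Any", src) and rule.dst in ("Any", dst):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"

# Constructed sample policy: portal admin owns PRE_LOCAL/POST_LOCAL, local admin owns LOCAL.
PRE_LOCAL = [Rule("central-no-lan-to-dmz", "LAN Network", "DMZ Network", "drop")]
LOCAL = [Rule("local-lan-to-dmz", "LAN Network", "DMZ Network", "accept"),
         Rule("local-wifi-internet", "Wireless Networks", "Internet", "accept")]
POST_LOCAL = [Rule("recommended-no-wifi-internet", "Wireless Networks", "Internet", "drop"),
              Rule("recommended-lan-internet", "LAN Network", "Internet", "accept")]

if __name__ == "__main__":
    gw_1800 = effective_rulebase(PRE_LOCAL, LOCAL, POST_LOCAL, {"DMZ", "WiFi"})
    print(evaluate(gw_1800, "LAN Network", "DMZ Network"))     # pre-local drop beats local accept
    print(evaluate(gw_1800, "Wireless Networks", "Internet"))  # local accept overrides post-local
    gw_no_dmz_no_wifi = effective_rulebase(PRE_LOCAL, LOCAL, POST_LOCAL, set())
    print([r.name for r in gw_no_dmz_no_wifi])                # only the LAN->Internet rule survives
```

The local "accept" for LAN to DMZ never fires because the pre-local rule sits above it, while the local Wi-Fi rule does take precedence over the post-local recommendation; on the gateway without DMZ or Wi-Fi ports every rule that references those zones is dropped from the effective rule base.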

Documentation:
