Accelerated Install Policy For Access Control Policy
Solution ID: sk169096
Product: Quantum Security Management
Version: R81, R81.10
Date Created: 03-Sep-2020
Last Modified: 29-Aug-2021
Solution
Table of Contents
Introduction
Operations that will trigger Accelerated Install Policy
Cases in which Install Policy will not be accelerated
Limitations
Introduction
R81 introduces the Accelerated Install Policy feature. When the Access Control policy installation is accelerated, the installation duration is decreased significantly.
Policy installation is accelerated depending on the changes that were made to the Access Control policy since the last installation. This article details the changes that result in accelerated policy installation as well as the cases in which policy installation is not accelerated.
Operations that will trigger Accelerated Install Policy
Policy installation is accelerated only if every change made since the last installation is to an object of one of the types listed below, and every change to those objects is one of the operations listed under the relevant type. In any other case, the policy installation is not accelerated.
Note: In some cases, even if all the changes are to the objects listed below, policy installation is still not accelerated. For more information, see Cases in which Install Policy will not be accelerated.
Access Control Rule
Creating a rule (without editing it)
Editing the Name column
Editing the Track column
Editing the Time column
Editing the VPN column
Editing the Content column
Editing the Action column
Action (before and after the edit) is not an Inline Layer, User Auth or Client Auth
Object is used only in an Access Control rule, a Threat Prevention rule, or a Network Group
Application Group
Creating an Application Group object
Editing an Application Group object
Object is used in an Access Control rule, or an Application Group
Object is used in Access Control policy, and all objects added/removed to/from this group appear in this list
Deleting an Application Group object
Object is used only in an Access Control rule and an Application Group
Object is used only in Access Control policy, and all group members appear in this list
Wildcard
Creating/deleting/editing a Wildcard object
Time
Creating/deleting Time object
Editing Time object
Object is used only in an Access Control rule and a Time Group
Time Group
Creating/deleting a Time Group object
Editing a Time Group object
Object is used only in an Access Control rule and a Time Group
Limit
Creating/deleting/editing Limit object
Data Center
Creating/deleting/editing Data Center object
Additional Modifications
Creating/deleting/editing a Threat Prevention Rule/a Layer/a Section/Exceptions
Changing the Color of any object
Editing the Comment of any object
Creating/deleting/editing the Access Control rule's Section Title
Supported objects for use in the Source and Destination columns
Host
Network
Address Range
Multicast Address Range
Dynamic Object
Domain
Wildcard
Security Zone
Network Group (supported only if all group members also appear in this list)
Group with Exclusions
Access Role
Gateway
Gateway Node
Check Point Host
Gateway Cluster
Cluster Member
VSX Gateway
Virtual System
VSX Cluster
Virtual System Cluster
Internet
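Added example (not part of the original article and not Check Point code): a check of the Network Group condition in the list above, showing that one unlisted member nested inside an inner group makes the outer group unsupported. The dict-based object model, the object names and the "Unlisted Type" value are assumptions made for illustration.

```python
# Added example: models the Source/Destination list above. The object
# representation (dicts with "type" and "members") is hypothetical.

# Types the page lists as supported without a stated condition.
UNCONDITIONAL = {
    "Host", "Network", "Address Range", "Multicast Address Range",
    "Dynamic Object", "Domain", "Wildcard", "Security Zone",
    "Group with Exclusions", "Access Role", "Gateway", "Gateway Node",
    "Check Point Host", "Gateway Cluster", "Cluster Member", "VSX Gateway",
    "Virtual System", "VSX Cluster", "Virtual System Cluster", "Internet",
}

def unsupported_path(name, objects, _stack=()):
    """Return the chain of object names leading to the first object that is
    not on the list, or None if `name` is supported."""
    path = _stack + (name,)
    obj = objects.get(name)
    if obj is None:                      # unknown object: treat as unsupported
        return path
    if obj["type"] in UNCONDITIONAL:
        return None
    if obj["type"] != "Network Group":   # any type not on the page's list
        return path
    for member in obj.get("members", []):
        if member in path:               # group already being checked (cycle)
            continue
        bad = unsupported_path(member, objects, path)
        if bad:
            return bad
    return None

# Constructed sample objects (names and the unlisted type are made up).
OBJECTS = {
    "web-01":    {"type": "Host"},
    "dmz-net":   {"type": "Network"},
    "legacy-lb": {"type": "Unlisted Type"},
    "dmz-group": {"type": "Network Group", "members": ["web-01", "dmz-net"]},
    "inner":     {"type": "Network Group", "members": ["web-01", "legacy-lb"]},
    "outer":     {"type": "Network Group", "members": ["dmz-group", "inner"]},
}

if __name__ == "__main__":
    for n in ("dmz-group", "outer"):
        print(n, "->", unsupported_path(n, OBJECTS) or "supported")
```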
Supported objects for use in the Services & Applications column
Application (supported only if all the services defined for this Application also appear in this list)
Category (supported only if all the services defined for this Category also appear in this list)
Application/Site Group (supported only if all the services defined for this Application/Site Group also appear in this list)
Service Group
TCP Service
UDP Service
RPC Service
DCE-RPC Service
ICMP Service
ICMPv6 Service
SCTP Service
Cases in which Install Policy will not be accelerated
All operations that are not explicitly mentioned in the whitelist above do not trigger accelerated policy installation.
Changing a policy package:
Installing a policy package that is different from the package installed on the Security Gateway does not trigger accelerated policy installation.
If objects of types Client Authentication, User Authentication, Logical Server or Service with Resource are used in the policy (can only be used in the first layer), any change that affects a rule in the first layer does not trigger accelerated policy installation.
Manual changes on the Security Management Server:
When changes are made to configuration files (for example, all inspect files in the $FWDIR/lib/ directory) on the Security Management Server, the next policy installation on the Security Gateway is not accelerated, regardless of the changes that were made.
Global Domain assignment:
After assigning/reassigning a Global Domain on the Security Management Server, the next policy installation on the Security Gateways that are part of the Domain that was assigned/reassigned is not accelerated.
Reverting the Security Gateway to an older snapshot:
If a Security Gateway is reverted to an older snapshot and the policy installation is accelerated (because the changes triggered Accelerated Install Policy), the policy installation fails with this error message:
Security Gateway and Security Management policy versions are incompatible. Disable Accelerated Install Policy for this Security Gateway and install policy again. For more information, see sk168055.
To overcome this, it is possible to disable the Accelerated Install Policy.
Limitations
The Security Management Server and the Security Gateway must run version R81 or above.
Policy Installation will not be accelerated on the following types of Gateways: LSM Profile, Scalable Platforms 40000 / 60000, and Maestro.