Accelerated Install Policy For Access Control Policy
Solution

Table of Contents

  • Introduction
  • Operations that will trigger Accelerated Install Policy
  • Cases in which Install Policy will not be accelerated
  • Limitations

Introduction

R81 introduces the Accelerated Install Policy feature. When the Access Control policy installation is accelerated, the installation duration is decreased significantly.

Policy installation is accelerated depending on the changes that were made to the Access Control policy since the last installation. This article details the changes that result in accelerated policy installation as well as the cases in which policy installation is not accelerated.

Operations that will trigger Accelerated Install Policy

Policy installation is accelerated only if every change made since the last installation is to an object of one of the types listed below, and every such change is one of the operations listed under that type (including the conditions noted beneath each operation). In any other case, the policy installation is not accelerated.

Note: In some cases, even if all the changes are to the objects listed below, policy installation is still not accelerated. For more information, see Cases in which Install Policy will not be accelerated.

Access Control Rule

  • Creating a rule (without editing it)

  • Editing the Name column

  • Editing the Track column

  • Editing the Time column

  • Editing the VPN column

  • Editing the Content column

  • Editing the Action column

    • Action (before and after the edit) is not an Inline Layer, User Auth or Client Auth

  • Editing the Source or Destination columns

    • Adding/removing objects which appear in this list

  • Editing the Services & Applications column

    • Adding/removing objects which appear in this list

  • Deleting/enabling/disabling rule

    • Rule's action is not an Inline Layer, User Auth or Client Auth

    • All objects used in the Source or Destination columns appear in this list

    • All objects used in the Services & Applications column appear in this list

    • Rule does not contain a Service with Resource

Access Control Layer

  • Creating a layer

  • Editing layer properties

Host

  • Creating a Host object

    • Object does not contain NAT settings

    • Object does not contain Servers Configuration

  • Editing a Host object

    • Modified fields/sections:

      • Name

      • IPv4 address

      • IPv6 address

      • Network Management

    • Object does not contain NAT settings

    • Object does not contain Servers Configuration

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

  • Deleting a Host object

    • Object does not contain NAT settings

    • Object does not contain Servers Configuration

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

Network

  • Creating a Network object

    • Object does not contain NAT settings

  • Editing a Network object

    • Modified fields:

      • Name

      • IPv4 -> Network address

      • IPv4 -> Net mask

      • IPv4 -> Broadcast address

      • IPv6 -> Network address

      • IPv6 -> Prefix

    • Object does not contain NAT settings

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

  • Deleting a Network object

    • Object does not contain NAT settings

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

Address Range

  • Creating an Address Range object

    • Object does not contain NAT settings

  • Editing an Address Range object

    • Modified fields:

      • Name

      • IPv4 -> First IP address

      • IPv4 -> Last IP address

      • IPv6 -> First IP address

      • IPv6 -> Last IP address

    • Object does not contain NAT settings

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

  • Deleting an Address Range object

    • Object does not contain NAT settings

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

Multicast Address Range

  • Creating a Multicast Address Range object

  • Editing/Deleting a Multicast Address Range object

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

Dynamic Object

  • Creating a Dynamic Object

  • Editing/Deleting a Dynamic Object

    • Object is used only in an Access Control rule, a Threat Prevention rule, or a Network Group

Domain

  • Creating a Domain object

  • Editing/Deleting a Domain object

    • Object is used only in an Access Control rule, a Threat Prevention rule, or a Network Group

Security Zone

  • Creating a Security Zone object

  • Editing/Deleting a Security Zone object

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or Topology Settings

Network Group

  • Creating a Network Group object

  • Editing a Network Group object

    • Object is used only in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

    • All objects added/removed to/from this group appear in this list

  • Deleting a Network Group object

    • Object is used in an Access Control rule, a Threat Prevention rule, a Network Group, or a Group with Exclusions

    • All group members appear in this list

Group with Exclusions

  • Creating a Group with Exclusions object

  • Editing/Deleting a Group with Exclusions object

    • Object is used only in an Access Control rule, a Threat Prevention rule, or a Network Group

Application Group

  • Creating an Application Group object

  • Editing an Application Group object

    • Object is used in an Access Control rule, or an Application Group

    • Object is used in Access Control policy, and all objects added/removed to/from this group appear in this list

  • Deleting an Application Group object

    • Object is used only in an Access Control rule and an Application Group

    • Object is used only in Access Control policy, and all group members appear in this list

Wildcard

  • Creating/deleting/editing a Wildcard object

Time

  • Creating/deleting a Time object

  • Editing a Time object

    • Object is used only in an Access Control rule and a Time Group

Time Group

  • Creating/deleting a Time Group object

  • Editing a Time Group object

    • Object is used only in an Access Control rule and a Time Group

Limit

  • Creating/deleting/editing a Limit object

Data Center

  • Creating/deleting/editing a Data Center object

Additional Modifications

  • Creating/deleting/editing a Threat Prevention Rule/a Layer/a Section/Exceptions

  • Changing the Color of any object

  • Editing the Comment of any object

  • Creating/deleting/editing the Access Control rule's Section Title

Supported objects for use in the Source and Destination columns

  • Host

  • Network

  • Address Range

  • Multicast Address Range

  • Dynamic Object

  • Domain

  • Wildcard

  • Security Zone

  • Network Group

    • Supported only if all group members also appear in this list

  • Group with Exclusions

  • Access Role

  • Gateway

  • Gateway Node

  • Check Point Host

  • Gateway Cluster

  • Cluster Member

  • VSX Gateway

  • Virtual System

  • VSX Cluster

  • Virtual System Cluster

  • Internet

Supported objects for use in the Services & Applications column

  • Application

    • Supported only if all the services defined for this Application also appear in this list

  • Category

    • Supported only if all the services defined for this Category also appear in this list

  • Application/Site Group

    • Supported only if all the services defined for this Application/Site Group also appear in this list

  • Service Group

  • TCP Service

  • UDP Service

  • RPC Service

  • DCE-RPC Service

  • ICMP Service

  • ICMPv6 Service

  • SCTP Service

Cases in which Install Policy will not be accelerated

  • All operations that are not explicitly mentioned in the whitelist above do not trigger accelerated policy installation.

  • Changing a policy package:

    Installing a policy package that is different from the package installed on the Security Gateway does not trigger accelerated policy installation.

  • If objects of types Client Authentication, User Authentication, Logical Server or Service with Resource are used in the policy (can only be used in the first layer), any change that affects a rule in the first layer does not trigger accelerated policy installation.

  • Manual changes on the Security Management Server:

    When configuration files on the Security Management Server are changed manually (for example, any of the INSPECT files in the $FWDIR/lib/ directory), the next policy installation on the Security Gateway is not accelerated, regardless of the changes made in the policy.

  • Global Domain assignment:

    After a Global Domain is assigned or reassigned on the Security Management Server, the next policy installation on the Security Gateways that belong to the Domain that was assigned/reassigned is not accelerated.

  • Reverting the Security Gateway to an older snapshot:

    If a Security Gateway is reverted to an older snapshot and the policy installation is accelerated (because the changes triggered Accelerated Install Policy), the policy installation fails with this error message:

    • Security Gateway and Security Management policy versions are incompatible. Disable Accelerated Install Policy for this Security Gateway and install policy again. For more information, see sk168055.

    To overcome this, disable Accelerated Install Policy for that Security Gateway and install the policy again.
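The whitelist above and the always-disqualifying cases in this section amount to a decision procedure over a change set. The following Python is an added illustration, not Check Point code and not how the Security Management Server itself makes the decision: it encodes the article's conditions as data and evaluates a constructed list of SmartConsole changes, reporting which change (if any) prevents acceleration. The `Obj`/`Change` models, the field names and every sample object name are assumptions; the example covers Access Control rules, Hosts and Network Groups (including the recursive "all group members are supported" condition) and treats any other object change as not whitelisted.

```python
"""Pre-check a change set against the Accelerated Install Policy whitelist.

Added example, not Check Point code. The Obj/Change models and all sample
names below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Object types the article allows in Source/Destination and in Services & Applications.
SRC_DST_TYPES = {"Host", "Network", "Address Range", "Multicast Address Range",
                 "Dynamic Object", "Domain", "Wildcard", "Security Zone", "Network Group",
                 "Group with Exclusions", "Access Role", "Gateway", "Gateway Node",
                 "Check Point Host", "Gateway Cluster", "Cluster Member", "VSX Gateway",
                 "Virtual System", "VSX Cluster", "Virtual System Cluster", "Internet"}
SERVICE_TYPES = {"Application", "Category", "Application/Site Group", "Service Group",
                 "TCP Service", "UDP Service", "RPC Service", "DCE-RPC Service",
                 "ICMP Service", "ICMPv6 Service", "SCTP Service"}
# Container types that qualify only when every member (recursively) qualifies too.
GROUP_TYPES = {"Network Group", "Application", "Category", "Application/Site Group"}
BLOCKING_ACTIONS = {"Inline Layer", "User Auth", "Client Auth"}
# Where a changed Host/Network Group may be referenced for its edit or delete to qualify.
ALLOWED_USAGE = {"Access Control rule", "Threat Prevention rule", "Network Group",
                 "Group with Exclusions"}
HOST_FIELDS = {"Name", "IPv4 address", "IPv6 address", "Network Management"}
SIMPLE_COLUMNS = {"Name", "Track", "Time", "VPN", "Content"}


@dataclass(frozen=True)
class Obj:
    kind: str
    members: tuple = ()                   # member names of group-like objects
    has_nat: bool = False
    has_servers_config: bool = False
    used_in: frozenset = frozenset()      # places this object is referenced


@dataclass(frozen=True)
class Change:
    kind: str                             # "Rule", "Host", "Network Group", "Any object"
    op: str                               # create / edit / delete / enable / disable
    name: str = ""
    fields: frozenset = frozenset()       # edited rule columns or object fields
    action: tuple = ("Accept", "Accept")  # rule action (before, after)
    sources: tuple = ()                   # names touched in Source/Destination or group members
    services: tuple = ()                  # names touched in Services & Applications
    service_with_resource: bool = False


def supported(name: str, objects: dict, allowed: set) -> bool:
    """True if `name` may sit in a column whose allowed types are `allowed`;
    group-like objects additionally need all members supported (recursive)."""
    obj = objects.get(name)
    if obj is None or obj.kind not in allowed:
        return False
    return all(supported(m, objects, allowed) for m in obj.members) if obj.kind in GROUP_TYPES else True


def blocker(ch: Change, objects: dict) -> Optional[str]:
    """Why `ch` disqualifies acceleration, or None if it is on the whitelist."""
    if ch.kind == "Any object" and ch.fields and ch.fields <= {"Color", "Comment"}:
        return None
    if ch.kind == "Rule":
        if ch.op == "create":
            return None
        whole_rule = ch.op in ("delete", "enable", "disable")
        if (whole_rule or "Action" in ch.fields) and set(ch.action) & BLOCKING_ACTIONS:
            return f"rule {ch.name}: action {ch.action} involves an Inline Layer or an Auth action"
        if whole_rule and ch.service_with_resource:
            return f"rule {ch.name}: contains a Service with Resource"
        if whole_rule or ch.fields & {"Source", "Destination"}:
            bad = [n for n in ch.sources if not supported(n, objects, SRC_DST_TYPES)]
            if bad:
                return f"rule {ch.name}: unsupported Source/Destination objects {bad}"
        if whole_rule or "Services & Applications" in ch.fields:
            bad = [n for n in ch.services if not supported(n, objects, SERVICE_TYPES)]
            if bad:
                return f"rule {ch.name}: unsupported Services & Applications objects {bad}"
        other = ch.fields - SIMPLE_COLUMNS - {"Action", "Source", "Destination", "Services & Applications"}
        return f"rule {ch.name}: edited non-whitelisted columns {sorted(other)}" if other else None
    if ch.kind in ("Host", "Network Group"):
        obj = objects[ch.name]
        if ch.kind == "Host" and (obj.has_nat or obj.has_servers_config):
            return f"{ch.name}: Host has NAT settings or Servers Configuration"
        if ch.op == "create":
            return None
        if not obj.used_in <= ALLOWED_USAGE:
            return f"{ch.name}: used in {sorted(obj.used_in - ALLOWED_USAGE)}"
        if ch.kind == "Host":
            return None if ch.fields <= HOST_FIELDS else f"{ch.name}: edited fields {sorted(ch.fields - HOST_FIELDS)}"
        # Network Group: an edit checks the members added/removed, a delete checks all members.
        names = ch.sources if ch.op == "edit" else obj.members
        bad = [n for n in names if not supported(n, objects, SRC_DST_TYPES)]
        return f"{ch.name}: group members {bad} are not supported" if bad else None
    return f"{ch.kind} {ch.op}: not on the whitelist"


def is_accelerated(changes, objects, package_changed=False,
                   manual_config_change=False, global_domain_reassigned=False):
    """(accelerated?, reasons) for a change set plus the server-side conditions
    the article lists as always preventing acceleration."""
    reasons = []
    if package_changed:
        reasons.append("a different policy package is being installed")
    if manual_config_change:
        reasons.append("configuration files under $FWDIR/lib/ were changed manually")
    if global_domain_reassigned:
        reasons.append("Global Domain was assigned/reassigned")
    reasons += [r for r in (blocker(c, objects) for c in changes) if r]
    return not reasons, reasons


# Constructed sample (hypothetical object names): a small object database and two change sets.
SAMPLE_OBJECTS = {
    "web-srv": Obj("Host", used_in=frozenset({"Access Control rule"})),
    "dmz-net": Obj("Network", used_in=frozenset({"Access Control rule"})),
    "nat-srv": Obj("Host", has_nat=True, used_in=frozenset({"Access Control rule"})),
    "lb-vip": Obj("Logical Server"),
    "dmz-grp": Obj("Network Group", members=("web-srv", "dmz-net"), used_in=frozenset({"Access Control rule"})),
    "mixed-grp": Obj("Network Group", members=("web-srv", "lb-vip")),  # contains an unsupported type
}
GOOD_CHANGES = [
    Change("Rule", "create", "r1"),
    Change("Rule", "edit", "r2", fields=frozenset({"Source", "Track"}), sources=("dmz-grp",)),
    Change("Host", "edit", "web-srv", fields=frozenset({"IPv4 address"})),
    Change("Any object", "edit", "dmz-net", fields=frozenset({"Color"})),
]
BAD_CHANGES = GOOD_CHANGES + [
    Change("Host", "edit", "nat-srv", fields=frozenset({"Name"})),         # Host with NAT settings
    Change("Rule", "disable", "r3", action=("Inline Layer", "Inline Layer")),
    Change("Rule", "edit", "r4", fields=frozenset({"Destination"}), sources=("mixed-grp",)),
]

if __name__ == "__main__":
    for label, changes in (("good", GOOD_CHANGES), ("bad", BAD_CHANGES)):
        print(label, *is_accelerated(changes, SAMPLE_OBJECTS))
```

Running the block prints that the first change set is accelerated and that the second is not, listing the three blocking changes. Checking a change set this way before installing shows which single edit will drop the installation back to the full, slower path.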

Limitations

  • The Security Management Server and the Security Gateway must run version R81 or above.

  • Policy Installation will not be accelerated on the following types of Gateways: LSM Profile, Scalable Platforms 40000 / 60000, and Maestro.
