topic Re: Best practice using layer R80.10 in Firewall and Security Management

Best practice using layer R80.10

Knud_Mortensen — Wed, 19 Jul 2017 11:05:44 GMT

I'm running a R80.10 eval management server where I have imported my 77.30 database, to train myself a bit before upgrading to r80.10, I currently have 16 firewalls around the world (including Azure and AWS) and one policy package with every thing.

I'm planing to have a Policy/tab for each firewall and because there are common rules that has to be on all firewalls, I will like to use layers.

I'm struggling a bit to get my head around do's and dont's using layer in R80.10.

If I have tree layers in my policy 1, 2 and 3, layer 1 and 2 shall have a cleanup rule that accept all and layer 3 should have a clean up rule that drops all, the packets will start with layer 1, if no match it will go to layer 2, if no match it will go to layer 3, if no match dropped by the clean up rule, is this correct?

Normally if you have a any, any rule with accept it will be a hit and stop processing any more rules.

If I use Search in packet mode I only see match in layer 1 where the clean up rule is the last match.

Have I misunderstood something?

Is there any best practice for using layers?

Rgds

Knud Mortensen

Re: Best practice using layer R80.10

PhoneBoy — Wed, 19 Jul 2017 14:33:41 GMT

I recommend reading through the Layers in R80‌ for some additional background.

Keep in mind with ordered layers, the packet must hit an "accept" rule to go to the next ordered layer.

So if a packet matches a "drop" action in layer 1 (such as a cleanup rule), it will never see the other layers.

Where ordered layers are required is when managing pre-R80 gateways.

This is because the Firewall (Access Control) rulebase must be matched before going to the App Control/URL Filtering rulebase (effectively a layer).

Once your gateways are R80.10 and above, I personally think a better approach is to use Inline Layers.

I'll show an example from my lab gateway:

You'll notice that the action column isn't the traditional Accept/Drop, but a layer called Bogons, Outbound, and InboundLayer. Each one of these is an independent rulebase that I could actually reuse elsewhere if I desire.

Re: Best practice using layer R80.10

Tomer_Sole — Thu, 20 Jul 2017 05:19:36 GMT

a series of articles will be posted soon!

Re: Best practice using layer R80.10

Tomer_Sole — Thu, 27 Jul 2017 12:06:11 GMT

Please follow articles posted under this tag: layers-best-practices

Re: Best practice using layer R80.10

_Val_ — Thu, 27 Jul 2017 12:09:53 GMT

Tomer, it would be a good advice if community had an interface to do so. I personally cannot find any way to do so

Re: Best practice using layer R80.10

Tomer_Sole — Thu, 27 Jul 2017 12:43:31 GMT

I didn't think of that part all the way through we will check how the CheckMates interface can help us with that. https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc‌

Re: Best practice using layer R80.10

PhoneBoy — Thu, 27 Jul 2017 14:50:30 GMT

RSS feed, which I know https://community.checkpoint.com/people/valerdd022dbd-e3ef-33cc-ac9c-4ac6f9e1743d‌ knows how to use

https://community.checkpoint.com/view-browse-feed.jspa?browseSite=content&browseViewID=content&userID=2075&query=layers-…

That gets a few more things than the tag (it's a general search term).

That said https://community.checkpoint.com/content will give you all the content on the site.

Re: Best practice using layer R80.10

_Val_ — Thu, 27 Jul 2017 14:58:58 GMT

Oh, come on, https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc, add searching by tag feature. You do not suppose people to start fiddling with RSS just to find a particular tag, right?

Re: Best practice using layer R80.10

PhoneBoy — Thu, 27 Jul 2017 19:57:37 GMT

Better to browse using this link: https://community.checkpoint.com/tags/#/?tags=layers-best-practices

You can see the most commonly use tags (and browse related content) here: https://community.checkpoint.com/tags

I was thinking you were looking for notifications https://community.checkpoint.com/people/valerdd022dbd-e3ef-33cc-ac9c-4ac6f9e1743d‌ thus why I suggested an RSS link.

That's what happens when I post when my caffeine levels are inadequate

Re: Best practice using layer R80.10

_Val_ — Fri, 28 Jul 2017 09:31:17 GMT

Thanks for the link. My point was, please make it a shortcut in the menu bar for easier navigation.

Re: Best practice using layer R80.10

PhoneBoy — Fri, 28 Jul 2017 15:56:13 GMT

I'm still trying to build a lot of the stuff like that
Thanks for the suggestion.

Re: Best practice using layer R80.10

PhoneBoy — Sat, 29 Jul 2017 02:14:19 GMT

I now have a whole section for it.

When https://community.checkpoint.com/people/tomera5b2e7f3-09aa-32f8-96c2-f0f5bfa2988b‌ (or anyone else) tags a discussion/doc/whatever with layers-best-practices it will show on the right sidebar.