topic Policy and multiple layers behavior in Firewall and Security Management

Policy and multiple layers behavior

Ismar_Efendic — Mon, 25 Jul 2016 11:52:53 GMT

Hello

could you please guide me understanding how rule base checks are done with different layers?

for example i have one policy with 3 layers, 2 layers are shared. when the incoming connection comes will this mean it will first for thru first layer then second and third then get dropped or the first drop rule hit?

thank you

ismar

Re: Policy and multiple layers behavior

Tomer_Sole — Mon, 25 Jul 2016 11:56:54 GMT

see this guide for clarity Layers in R80

Re: Policy and multiple layers behavior

Ismar_Efendic — Mon, 25 Jul 2016 12:19:43 GMT

thank you great help

could you direct me to more detail explanation when defining Ordered layers?

do we only need clean up rule in last layer?

thank you

Re: Policy and multiple layers behavior

Tomer_Sole — Mon, 25 Jul 2016 13:00:37 GMT

Please see the following guides for:

best practices for layers in Pre-R80 GW's: How do I create an Access Policy for Pre-R80 GWs?
examples of ordered layers and how the enforcement works: https://community.checkpoint.com/message/1334#comment-1334

Regarding cleanup rules:

You don't have to define clean up rules explicitly. Each layer has an implicit cleanup rule - either any any accept, or any any drop.

In R7x SmartDashboard we had this generalized - implicit any any drop for the Firewall policy and implicit any any accept for the Application Control policy.

You can control the implicit cleanup rule when you edit a layer and go the the "Advanced" page:

Although it's usually a good best practice to create that cleanup rule explicitly on the rulebase.

Re: Policy and multiple layers behavior

Ismar_Efendic — Mon, 25 Jul 2016 13:20:53 GMT

And last thing from my on this topic, is it possibly to have 2 Firewall layers in one Policy?

Re: Policy and multiple layers behavior

Tomer_Sole — Mon, 25 Jul 2016 13:33:39 GMT

Only for R80.10 GW's and above. Having more than 1 ordered layer for Firewall for pre-R80 GW's will fail policy installation.

Let me know if you have other questions for layers in R80. Other than the discussions that I've linked so far, you can also check the admin guide for general recommendations.

Re: Policy and multiple layers behavior

Ismar_Efendic — Mon, 25 Jul 2016 13:37:07 GMT

Is this also same for Inline Layer?

When will R80 be available for GW's?

Re: Policy and multiple layers behavior

Tomer_Sole — Mon, 25 Jul 2016 13:45:48 GMT

Yes, inline layers have the same editor, and they have the same settings for the implicit cleanup rule.

Using inline layers requires an R80.10 GW, but because R80.10 will be a minor release, the Security Management server and SmartConsole applications are already prepared for designing this type of policies.

For R80.10 release date it is best to follow the Check Point Release Plan.