topic Re: Layers in R80 in Firewall and Security Management

Policy Layers in R80.x

Tomer_Sole — Sun, 22 Dec 2019 07:21:48 GMT

I would like to clarify the use of layers in R80 Management Server and SmartConsole.

A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application control blades enabled, will have their policies split into two ordered layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades enabled, will have their policies split into two ordered layers: IPS and Threat Prevention. For Pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.

Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

The layers concept opens more options for policy management:

Setting different view and edit permissions per layer for different administrator roles.
Re-using a layer in different places: The same application control layer in different policy packages ( Sharing a layer across different policies ), or the same inline layer for different scopes.
Explaining global and local policies in Multi-Domain with the same feature set of layers: A domain layer will be the set of rules that are added in each domain by the domain administrator.

R80.10 Gateways and above will have the ability to utilize layers in new ways:

Unifying all blades into a single policy (How to use the unified policy? )
Segregating a policy into more ordered layers, not necessarily by blades
Allowing sub-policies inside a rulebase, with the use of inline layers (How do I define diffrent policies to diffrent users? )

Message was edited by: Tomer Sole

Re: Layers in R80

Tomer_Sole — Sun, 24 Nov 2019 22:51:02 GMT

Quote from Jim Oqvist:

R80 introduces a new policy concept called Layers to efficiently work with the rule base.

For Access Control Policy Two types of layers for maximum flexibility exists, inline layer and ordered layer. Where layers allow separating the security policy into multiple components. In this way creating better security and manageability. Support concurrent-admin's and segregation of duties, allow organizations to reuse of layer either as inline or ordered in multiple policy's to be more efficient.

In Inline Layers only traffic matched/accepted on the parent rule will reach and be inspected by the inside layer rules.
In Ordered Layers when an accept rule from the first layer is matched, the gateway goes over the rules in the next layer
- For backward compatibility with pre-R80 gateway you will use ordered layers to manage the Firewall rule base and Application control rule base, where first layer needs to be Firewall layer and second layer needs to be Application control and URL Filtering layer.
- During an upgrade from pre-R80 to R80 with gateways using policy packages that are using Firewall and Application control policy's, the existing policy will be separated to ordered Layer with Network Layer – Firewall policy rules as the first layer and Application Layer – Application control policy rules as the second layer.

Here is an example of traffic matching using

Policy with Inline Layers		Policy with Ordered Layers	Policy mixed with Ordered and Inline Layers

Re: Layers in R80

Rutger_Truyers — Tue, 01 Mar 2016 21:08:30 GMT

Very clear thnx !

Re: Layers in R80

Ed_Munoz — Wed, 18 Jan 2017 01:51:12 GMT

Hi Tom,

Thanks for sharing, great summary. Few questions if you're ok

I wonder whether there is any kind of "layer priorities", for instance the inline layers case, what's the rule processing if there are contradictions between the layer rules?

Is there any best practices for R80 Rulebase Construction and Optimization similar to sk102812

What's the implication in the gateway side with other features such as SecureXL

Thanks

Regards

Re: Layers in R80

Tal_Ben_Avraham — Mon, 30 Jan 2017 08:36:33 GMT

Not sure I follow the question regarding “layer priorities” (for the priorities example – per layer the verification of rules is the same as in previous versions).

Regarding best practices, per layer sk102812 still applies.

However, the ability to use layers instead of sections exist.

The R80.10 admin guide should supply use cases and best practices.

Thanks,

Tal

Re: Layers in R80

Martin_Raska — Tue, 09 Jan 2018 14:41:33 GMT

Hello,

I have a question:

How many policy layers the Access Control Policy supports?

Thanks.

Re: Layers in R80

Tomer_Sole — Fri, 21 Jun 2019 08:55:06 GMT

See my reply from the Layer Design Patterns posts (which I should really add more to.. )

https://community.checkpoint.com/message/7100-layer-design-patterns-1-inspect-additional-content

Enforcement with ordered layers is executed on the gateway in a way that does not add a performance impact with every new layer.

It is more likely that a large number of ordered layers will be harder to manage by the admin, before any performance impact will kick in (imagine that "Tree" of Access Control Policy composed of over 10 ordered layers.. Maybe not the best visibility).

Re: Layers in R80

PhoneBoy — Tue, 09 Jan 2018 22:41:39 GMT

I'm not aware of a specific limit in this area.

That said, I struggle to see a use case where you'd need more than a few.

Can you articulate the use case you're thinking of?

Re: Layers in R80

Martin_Raska — Wed, 10 Jan 2018 08:41:09 GMT

It's a question from CCSA exam study guide

r80-system-administrator-study-guide.pdf

Martin

Re: Layers in R80

Timothy_Hall — Wed, 10 Jan 2018 13:26:47 GMT

As someone who teaches the CCSA class I think I can provide some insight here.

In the CCSA R80 class, there was a question like this and the answer was "up to two" ordered layers. At the time only R77.30 gateways were available and this was correct, due to gateway limitations you could not have more than two Access Control Policy ordered layers (Network & APCL/URLF).

However in the CCSA R80.10 courseware, the answer was changed to "one or more ordered layers" due to the availability of R80.10 gateways. With R80.10 gateway there could now be more than two ordered layers in the Access Control Policy. However for an R77.30 gateway managed with R80+, the answer is still "up to two" ordered layers.

The question needs to be clarified with context as to the gateway version, so I'm mentioning certification manager Jason Tugwell in the hope that he'll see this thread.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Layers in R80

Martin_Raska — Wed, 10 Jan 2018 14:04:29 GMT

Thank you for your effort Tim.

Your book is awesome.I have a hard copy.

Martin

Re: Layers in R80

Jason_Tugwell — Thu, 11 Jan 2018 18:33:22 GMT

@TIm Hall @Martin Raska,

The explanation Tim provided was spot on!

While I am not the authority on the subject, the exam content is based on the course ware and after consulting with that team the context of the question is based on the R80.10 gateway.

Regards,

Tug

Certification FAQ

Re: Layers in R80

Stadt_Heidelber — Wed, 23 May 2018 09:28:51 GMT

HI all,

will it be possible to layer SSL Inspection Policy in the future, too ?

We have a use case where our First Level Support should be able to create SSL Bypass Rules.

Thanks!

Alex

Re: Layers in R80

Tomer_Sole — Thu, 31 May 2018 19:23:52 GMT

Hi,

We plan to improve the user experience of HTTPS Inspection and we will update once we have information that we can share.

Re: Layers in R80

Nicholas_Scott — Fri, 01 Mar 2019 12:01:27 GMT

Thank you for your posts, Tomer! Very clear and very helfpul.

Cheers,

Nick

Re: Layers in R80

Tal_Ben_Avraham — Sun, 03 Mar 2019 12:14:00 GMT

Hi Stadt,

In practice you can think of SSL Inspection policy as a different layer.

And in the future it will also remain as a separate fixed layer.

Can you elaborate on your use case?

Thanks,

Tal

Re: Layers in R80

Paul_Gademsky — Tue, 07 May 2019 00:06:20 GMT

Hi Tomer,

I have an R80.20 policy this is being applied to 2 gateways. It has the typical: Access Control - > Policy and NAT. I want to add a shared 'Ordered Layer' called Mgt_Monitor) to it (and other policies) that have common rules for Network Management devices. When I have tested adding this, it changes the layout shows up as "Network" and Mgt_Monitor. So both layers are now there. This thread does not really address how to 'network type' layers will be processed by the firewall, and what happens with the clean up rules that are in existence.

The end goal of what I'm after is being able to do a similar effect as the Global Policy in a MDS/CMA except this is a CMA and I want to be able to share the ordered layer among the various policies in the CMA.

A clearer understanding or example of using multiple 'network' type layers and how they interact would be very helpful. I have opened an SR but don't have answer from that yet, but thought you might have a better handle on how this was designed to operate.

Thank you,

Re: Layers in R80

DIEHARD — Wed, 22 May 2019 17:42:50 GMT

To add to this question more.....

This use case is a layer of rules that would be applied to many firewalls to provide access for devices behind them to central management systems.

I can not think up anything I can match on that does not cause other existing rules in the individual firewalls policies to break due the the layer cleanup drop.

In a layered policy the cleanup rule basically only being matched to Allow or Drop. There is no possibility of say.. the option to simply exit the layer and continuing down the rules of a parent layer for a match? That would be an awesome option to have! 😉

If there is some way to currently do this using policy layers I would love to know.

Ordered Layers in R80

Juan_Concepcion — Fri, 23 Aug 2019 15:52:08 GMT

So I have a customer that has the following configuration:

Layer 1: Network management has a policy

Rule 1:

Source: Admin Network

Destination: Firewalls

Action: Accept

Layer is set to implicit “Accept”

Layer 2: Network Policy

Rule 1

Source: Internal Networks (does not cover admin network)

Destination: Any

Action: Accept

Rule 2:

Source: Any

Destination: Any

Action: Drop

The traffic from admin network to firewalls gets dropped on Layer 2/Rule 2 is this how this is supposed to work??

Re: Ordered Layers in R80

lulu — Sun, 15 Sep 2019 17:35:42 GMT

me also as same